lorenzo/servers
1
0
Fork 0
Code Pull requests Packages Activity

Add lldap service.

Browse source
This commit is contained in:
Lorenzo Good 2025-12-31 20:22:58 -06:00
parent b0657027e6
commit 7b7e5cb1cf
Signed by: lorenzo
GPG key ID: 7FCD64BD81180ED0
5 changed files with 91 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

75
common/services/lldap.nix Normal file
View file

@ -0,0 +1,75 @@
{
config,
lib,
pkgs,
...
}: let
inherit (lib) mkEnableOption types mkIf mkOption;
cfg = config.foehammer.services.lldap;
in {
options.foehammer.services.lldap = {
enable = mkEnableOption "Enable LLDAP Server";
url = mkOption {
type = types.str;
};
port = mkOption {
type = lib.types.port;
default = 8226;
description = ''
What external port to serve over.
'';
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
};
jwtSecretFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to your JWT secret used during identity verificaton.
'';
};
adminUserPasswordFile = mkOption {
type = types.nullOr types.path;
default = null;
};
base_dn = mkOption {
type = types.str;
example = "dc=example,dc=com";
};
};
config = mkIf cfg.enable {
services.lldap = {
enable = true;
environmentFile = cfg.environmentFile;
settings = {
# Base setup.
http_port = cfg.port;
http_url = cfg.url;
ldap_base_dn = cfg.base_dn;
jwt_secret_file = cfg.jwtSecretFile;
# Reproducable admin password.
force_ldap_user_pass_reset = "always";
ldap_user_pass_file = cfg.adminUserPasswordFile;
};
};
users.users.lldap = {
isSystemUser = true;
createHome = true;
group = "lldap";
};
users.groups.lldap = {};
};
}

8
machines/lebesgue/config/configuration.nix
View file

@ -33,6 +33,14 @@
storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption.path; storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption.path;
}; };
services.lldap = {
enable = true;
url = "https://lldap.foehammer.me";
base_dn = "dc=foehammer,dc=me";
adminUserPasswordFile = config.sops.secrets.lldap-admin-password.path;
};
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
domain = "https://passwords.foehammer.me"; domain = "https://passwords.foehammer.me";

2
machines/lebesgue/config/secrets.nix
View file

@ -18,6 +18,8 @@
restic-password = {owner = "restic";}; restic-password = {owner = "restic";};
restic-repository = {owner = "restic";}; restic-repository = {owner = "restic";};
lldap-admin-password.owner = "lldap";
authelia-jwtsecret = autheliaSecret; authelia-jwtsecret = autheliaSecret;
authelia-oidc-privkey = autheliaSecret; authelia-oidc-privkey = autheliaSecret;
authelia-oidc-hmac = autheliaSecret; authelia-oidc-hmac = autheliaSecret;

2
machines/lebesgue/config/state.nix
View file

@ -13,6 +13,8 @@
"/var/lib/authelia-main" "/var/lib/authelia-main"
"/var/lib/caddy/.local/share/caddy" "/var/lib/caddy/.local/share/caddy"
"/var/lib/vaultwarden" "/var/lib/vaultwarden"
{ directory = "/var/lib/private/lldap"; user = "lldap"; group = "lldap"; mode = "0700"; }
]; ];
files = [ files = [

7
machines/lebesgue/secrets/main.yaml
View file

@ -4,6 +4,7 @@ vaultwarden-env: ENC[AES256_GCM,data:A1iRHxFxgI5P8DtsXQa1KvEKKnF+qZY7LVuJba00CLj
restic-password: ENC[AES256_GCM,data:Ympe5/hJxOzJp7IeJy5mZy0fMIrnV+3cWJo1uKwbHHDJ0G4TNivMNrHEdff6CjVnAbkVgjkR90z1FJOpExd+KQ==,iv:CRJaA3fTG8B/qBDkwctgma4DaGDjoyk4eX6/SynIcLE=,tag:pJW45ijV+wVTR+4IRnLcsw==,type:str] restic-password: ENC[AES256_GCM,data:Ympe5/hJxOzJp7IeJy5mZy0fMIrnV+3cWJo1uKwbHHDJ0G4TNivMNrHEdff6CjVnAbkVgjkR90z1FJOpExd+KQ==,iv:CRJaA3fTG8B/qBDkwctgma4DaGDjoyk4eX6/SynIcLE=,tag:pJW45ijV+wVTR+4IRnLcsw==,type:str]
restic-repository: ENC[AES256_GCM,data:KkFaam8iltY9nz89sVxk4u0xZ46Sq+7UsOY/9wieASD5A2FRruou7BiudX9X4hRA2RMTctO8aqYkrg==,iv:mIZ9z7BJV9s+wSiVMnzYAWM1/zsa6C+RCK1UhSiJVxI=,tag:S7tedxcfd/UaQ5hMEYfBVQ==,type:str] restic-repository: ENC[AES256_GCM,data:KkFaam8iltY9nz89sVxk4u0xZ46Sq+7UsOY/9wieASD5A2FRruou7BiudX9X4hRA2RMTctO8aqYkrg==,iv:mIZ9z7BJV9s+wSiVMnzYAWM1/zsa6C+RCK1UhSiJVxI=,tag:S7tedxcfd/UaQ5hMEYfBVQ==,type:str]
restic-env: ENC[AES256_GCM,data:KW9ma36zmHJF3xBStpoStDRQqg34wlMJMVSYfbLSnWq26R6e6eGf3+kTVkobhn/bqL6ZYi8ctlyvDS8IOz8VveYogsqxZ7/LK62mA0d9I3xEZMG7eNQ8M1PdeZ9RqAUgFJU=,iv:RxwvZ2vNuwmUc3haK2Ub8vHk9UQhjepLCwsfIcSJg9s=,tag:Tvq2RDh8mJ3jGhmpL1uuCA==,type:str] restic-env: ENC[AES256_GCM,data:KW9ma36zmHJF3xBStpoStDRQqg34wlMJMVSYfbLSnWq26R6e6eGf3+kTVkobhn/bqL6ZYi8ctlyvDS8IOz8VveYogsqxZ7/LK62mA0d9I3xEZMG7eNQ8M1PdeZ9RqAUgFJU=,iv:RxwvZ2vNuwmUc3haK2Ub8vHk9UQhjepLCwsfIcSJg9s=,tag:Tvq2RDh8mJ3jGhmpL1uuCA==,type:str]
lldap-admin-password: ENC[AES256_GCM,data:eOGBP/fPr71X6nrN3nr3UVvIkfWaS5Xbxi8TsS5XDVQ6N50r+iHuZFsXqxg=,iv:MAwu+eixrbZbNiwVpMwlhAFFcQkZ+WJFwz3DMPxrN3Q=,tag:nUz4asvzIjvrsy0ELQ/u3w==,type:str]
sops: sops:
age: age:
- recipient: age1kjy9wym6cmz6wqmewws4ledsne47c0e4sr0ksmm66rff3u2f6u3qxvnyg9 - recipient: age1kjy9wym6cmz6wqmewws4ledsne47c0e4sr0ksmm66rff3u2f6u3qxvnyg9
@ -15,8 +16,8 @@ sops:
L2VhMXV4WityYUFDZytxVTJHOXZGVVkKgbKR56dsru6U7I4KpnxfxQsswFwJsTM7 L2VhMXV4WityYUFDZytxVTJHOXZGVVkKgbKR56dsru6U7I4KpnxfxQsswFwJsTM7
8dzAaFl30mdRwFIH9kzdY3XxyYsJ0Yr0x3xwJ8mI4rjgpI8S9ihJFw== 8dzAaFl30mdRwFIH9kzdY3XxyYsJ0Yr0x3xwJ8mI4rjgpI8S9ihJFw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-04T21:04:47Z" lastmodified: "2026-01-01T01:49:34Z"
mac: ENC[AES256_GCM,data:fGTVTDhqVNLQJaZyBFhBEauW/Cnb/V57aHOcaeODNeA9g1oZiC3IzUkpRVnEC+gPx4KLDrBwuCk7Au/TarVpFVK+nyqcwrDgr2RsWtVDP0UQH/+8G8PkASxnMnTp/oQnvEKGAbySfGelqEQkDhbMiR7GaP99lJcIoIQ/wG87peA=,iv:+NJnPQmh6VYzDu/UoGv1YHVGfMocKMdX5XxZG6FmS90=,tag:vnHzhvOQOw0U7BwNJKA0kw==,type:str] mac: ENC[AES256_GCM,data:OvG46MUwmJLTO16WJJf1E/tdtc24BjlIJ7097t2qs1KVffDk/qK4cqe1y8epSkg1U48/Gdlwy7vnpgF5fvai2TkAWWQ81hVVO4saKDXtuGaEKa3r6NNl2N455dt9E+okuny1muyhJs5ROTEyLVYXyf8P+RVt6jfXeq2l9YoPyrE=,iv:0ogSSGnkB8Hcl/2rayuQZ63H7qF1HK5V19cjE4sF3e8=,tag:6tetQw9ELkTS+3ylKb+AiQ==,type:str]
pgp: pgp:
- created_at: "2025-02-03T18:58:54Z" - created_at: "2025-02-03T18:58:54Z"
enc: |- enc: |-
@ -30,4 +31,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: A972C2063F4F2554 fp: A972C2063F4F2554
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.11.0