diff --git a/nixos/mirai/services/default.nix b/nixos/mirai/services/default.nix
index 323c64e7..af9c51a4 100644
--- a/nixos/mirai/services/default.nix
+++ b/nixos/mirai/services/default.nix
@@ -14,7 +14,7 @@
 ./flaresolverr.nix
 ./searxng.nix
 ./immich.nix
- ./ldap.nix
+ ./lldap.nix
 # ./home-assistant.nix
 # ./jellyfin.nix
diff --git a/nixos/mirai/services/ldap.nix b/nixos/mirai/services/ldap.nix
deleted file mode 100644
index 1bcf9cdc..00000000
--- a/nixos/mirai/services/ldap.nix
+++ /dev/null
@@ -1,61 +0,0 @@
-{
- config,
- lib,
- ...
-}: {
- services.lldap = {
- enable = true;
- settings = {
- ldap_user_dn = "admin";
- ldap_base_dn = "dc=darksailor,dc=dev";
- ldap_user_email = "admin@darksailor.dev";
- http_host = "127.0.0.1";
- http_port = 5090;
- ldap_port = 389;
- ldap_host = "::";
- environment = {
- LLDAP_JWT_SECRET_FILE = config.sops.secrets."lldap/jwt".path;
- LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/seed".path;
- LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin".path;
- };
- };
- };
- services.caddy = {
- virtualHosts."console.darksailor.dev".extraConfig = ''
- reverse_proxy localhost:5090
- '';
- };
- users.users.lldap = {
- name = "lldap";
- group = "lldap";
- description = "LDAP Server User";
- isSystemUser = true;
- };
- users.groups.lldap = {};
-
- # systemd.services.sops-install-secrets = {
- # after = ["lldap.service"];
- # };
-
- systemd.services.lldap = {
- # wants = ["sops-install-secrets.service"];
- serviceConfig = {
- AmbientCapabilities = "CAP_NET_BIND_SERVICE";
- DynamicUser = lib.mkForce false;
- };
- };
- sops = {
- secrets = let
- owner = config.systemd.services.lldap.serviceConfig.User;
- group = config.systemd.services.lldap.serviceConfig.Group;
- restartUnits = ["lldap.service"];
- cfg = {
- inherit owner group restartUnits;
- };
- in {
- "lldap/jwt" = cfg;
- "lldap/seed" = cfg;
- "lldap/admin" = cfg;
- };
- };
-}
diff --git a/nixos/mirai/services/lldap.nix b/nixos/mirai/services/lldap.nix
index 0c91b25e..e302de41 100644
--- a/nixos/mirai/services/lldap.nix
+++ b/nixos/mirai/services/lldap.nix
@@ -1,24 +1,62 @@
-{config, ...}: {
- sops = {
- secrets = let
- user = config.systemd.services.lldap.serviceConfig.User;
- in {
- "ldap/aaa".owner = user;
- };
- };
- services = {
- lldap = {
- enable = true;
- settings = {
- http_host = "/var/run/lldb/lldb.sock";
- ldap_user_dn = "admin";
- ldap_base_dn = "dc=darksailor,dc=dev";
+{
+ config,
+ lib,
+ ...
+}: {
+ services.lldap = {
+ enable = true;
+ settings = {
+ # ldap_user_dn = "admin";
+ ldap_base_dn = "dc=darksailor,dc=dev";
+ # ldap_user_email = "admin@darksailor.dev";
+ # http_host = "127.0.0.1";
+ http_port = 5090;
+ ldap_port = 389;
+ # ldap_host = "::";
+ environment = {
+ LLDAP_JWT_SECRET_FILE = config.sops.secrets."lldap/jwt".path;
+ LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/seed".path;
+ # LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin".path;
+ LLDAP_LDAP_USER_PASS = "foobar123";
 };
 };
- caddy = {
- virtualHosts."ldap.darksailor.dev".extraConfig = ''
- reverse_proxy unix//var/run/lldb/lldb.sock
- '';
+ };
+ services.caddy = {
+ virtualHosts."console.darksailor.dev".extraConfig = ''
+ reverse_proxy localhost:5090
+ '';
+ };
+ users.users.lldap = {
+ name = "lldap";
+ group = "lldap";
+ description = "LDAP Server User";
+ isSystemUser = true;
+ };
+ users.groups.lldap = {};
+
+ # systemd.services.sops-install-secrets = {
+ # after = ["lldap.service"];
+ # };
+
+ systemd.services.lldap = {
+ # wants = ["sops-install-secrets.service"];
+ serviceConfig = {
+ AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+ DynamicUser = lib.mkForce false;
+ };
+ };
+ sops = {
+ secrets = let
+ owner = config.systemd.services.lldap.serviceConfig.User;
+ group = config.systemd.services.lldap.serviceConfig.Group;
+ restartUnits = ["lldap.service"];
+ cfg = {
+ inherit owner group restartUnits;
+ };
+ in {
+ "lldap/jwt" = cfg;
+ "lldap/seed" = cfg;
+ "lldap/admin" = cfg;
 };
 };
 }
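Review bot: `LLDAP_LDAP_USER_PASS = "foobar123";` in the `environment` block writes the LDAP admin password as a literal into the Nix configuration, so it ends up in the world-readable Nix store (and in git history), while the sops entry `"lldap/admin" = cfg;` further down is still declared but no longer referenced. Drop the literal and restore the file-based variant that the line above it comments out: `LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin".path;`; if the literal was a temporary debugging value, it is already in history and should be treated as exposed. Note also that `environment = { ... }` is nested inside `settings = { ... }` here (the two context lines `};` `};` close environment and then settings) rather than being a sibling of it; if the module's option is `services.lldap.environment`, these `*_FILE` paths may be serialized into the settings file instead of the service environment and never take effect — worth confirming against the module. Lastly, `http_host = "127.0.0.1"` is now commented out, so the web UI on `http_port = 5090` that Caddy proxies from `localhost:5090` binds to whatever the module or upstream default is, presumably no longer loopback-only.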