feat: Rename ldap to lldap

2025-07-28 20:14:35 +05:30
parent 94f9288a88
commit b05f18bac5
3 changed files with 58 additions and 81 deletions
--- a/nixos/mirai/services/lldap.nix
+++ b/nixos/mirai/services/lldap.nix
@@ -1,24 +1,62 @@
-{config, ...}: {
-  sops = {
-    secrets = let
-      user = config.systemd.services.lldap.serviceConfig.User;
-    in {
-      "ldap/aaa".owner = user;
-    };
-  };
-  services = {
-    lldap = {
-      enable = true;
-      settings = {
-        http_host = "/var/run/lldb/lldb.sock";
-        ldap_user_dn = "admin";
-        ldap_base_dn = "dc=darksailor,dc=dev";
+{
+  config,
+  lib,
+  ...
+}: {
+  services.lldap = {
+    enable = true;
+    settings = {
+      # ldap_user_dn = "admin";
+      ldap_base_dn = "dc=darksailor,dc=dev";
+      # ldap_user_email = "admin@darksailor.dev";
+      # http_host = "127.0.0.1";
+      http_port = 5090;
+      ldap_port = 389;
+      # ldap_host = "::";
+      environment = {
+        LLDAP_JWT_SECRET_FILE = config.sops.secrets."lldap/jwt".path;
+        LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/seed".path;
+        # LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin".path;
+        LLDAP_LDAP_USER_PASS = "foobar123";
      };
    };
-    caddy = {
-      virtualHosts."ldap.darksailor.dev".extraConfig = ''
-        reverse_proxy unix//var/run/lldb/lldb.sock
-      '';
+  };
+  services.caddy = {
+    virtualHosts."console.darksailor.dev".extraConfig = ''
+      reverse_proxy localhost:5090
+    '';
+  };
+  users.users.lldap = {
+    name = "lldap";
+    group = "lldap";
+    description = "LDAP Server User";
+    isSystemUser = true;
+  };
+  users.groups.lldap = {};
+
+  # systemd.services.sops-install-secrets = {
+  #   after = ["lldap.service"];
+  # };
+
+  systemd.services.lldap = {
+    # wants = ["sops-install-secrets.service"];
+    serviceConfig = {
+      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+      DynamicUser = lib.mkForce false;
+    };
+  };
+  sops = {
+    secrets = let
+      owner = config.systemd.services.lldap.serviceConfig.User;
+      group = config.systemd.services.lldap.serviceConfig.Group;
+      restartUnits = ["lldap.service"];
+      cfg = {
+        inherit owner group restartUnits;
+      };
+    in {
+      "lldap/jwt" = cfg;
+      "lldap/seed" = cfg;
+      "lldap/admin" = cfg;
    };
  };
 }