refactor: add hosting-01 to colmena

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
2025-10-21 13:34:45 +02:00 · 2025-10-21 13:34:45 +02:00 · 440e1a6541
commit 440e1a6541
parent f1f8662e98
11 changed files with 155 additions and 223 deletions
--- a/hosts/servers/auth/lldap.nix
+++ b/hosts/servers/auth/lldap.nix
@ -0,0 +1,49 @@
+{ config, ... }:
+{
+  services = {
+    lldap = {
+      enable = true;
+      settings = {
+        ldap_base_dn = "dc=escapeangle,dc=com";
+        ldap_user_email = "lander@escapeangle.com";
+        database_url = "postgresql://lldap@db-01.tailnet.escapeangle.com/lldap";
+      };
+      environment = {
+        LLDAP_JWT_SECRET_FILE = config.sops.secrets."lldap/jwt_secret".path;
+        LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key_seed".path;
+        LLDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin_password".path;
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."users.escapeangle.com" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://localhost:${toString config.services.lldap.settings.http_port}";
+    };
+  };
+
+  users = {
+    users.lldap = {
+      group = "lldap";
+      isSystemUser = true;
+    };
+    groups.lldap = { };
+  };
+
+  sops = {
+    defaultSopsFile = ../hosting-01.yaml;
+    secrets = {
+      "lldap/jwt_secret" = {
+        owner = "lldap";
+      };
+      "lldap/key_seed" = {
+        owner = "lldap";
+      };
+      "lldap/admin_password" = {
+        owner = "lldap";
+      };
+    };
+  };
+}