lander/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add lldap

Browse source 
Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
This commit is contained in:
Lander Van den Bulcke 2025-07-06 20:29:43 +02:00
parent 26a9d7e3c3
commit a7f742b6c8
Signed by: lander
GPG key ID: 0142722B4B0C536F
5 changed files with 94 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.sops.yaml
View file

@ -26,6 +26,12 @@ creation_rules:
- *mail-01
pgp:
- *lander
- path_regex: hosts/hosting-01/secrets.yam?l$
key_groups:
- age:
- *hosting-01
pgp:
- *lander
- path_regex: hosts/mail-01/secrets.yam?l$
key_groups:
- age:

6
hosts/hosting-01/auth/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ ... }:
{
imports = [
./lldap.nix
];
}

49
hosts/hosting-01/auth/lldap.nix Normal file
View file

@ -0,0 +1,49 @@
{ config, ... }:
{
services = {
lldap = {
enable = true;
settings = {
ldap_base_dn = "dc=escapeangle,dc=com";
ldap_user_email = "lander@escapeangle.com";
database_url = "postgresql://lldap@db-01.tailnet.escapeangle.com/lldap";
};
environment = {
LLDAP_JWT_SECRET_FILE = config.sops.secrets."lldap/jwt_secret".path;
LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key_seed".path;
LLDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin_password".path;
};
};
};
services.nginx.virtualHosts."users.escapeangle.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.lldap.settings.http_port}";
};
};
users = {
users.lldap = {
group = "lldap";
isSystemUser = true;
};
groups.lldap = { };
};
sops.secrets = {
"lldap/jwt_secret" = {
owner = "lldap";
sopsFile = ../secrets.yaml;
};
"lldap/key_seed" = {
owner = "lldap";
sopsFile = ../secrets.yaml;
};
"lldap/admin_password" = {
owner = "lldap";
sopsFile = ../secrets.yaml;
};
};
}

2
hosts/hosting-01/default.nix
View file

@ -26,6 +26,8 @@ in
inputs.headplane.nixosModules.headplane
../common/servers
./auth
];
time.timeZone = "Europe/Berlin";

31
hosts/hosting-01/secrets.yaml Normal file
View file

@ -0,0 +1,31 @@
lldap:
jwt_secret: ENC[AES256_GCM,data:9h7XljbIrLxK3ekcAP8dZTAwlx8u/2eLqdfRHhHn+Lwj/sav3QNmqgfee9pyHhaoLvgZKWwKr7I+ijLZtOpIgQ==,iv:+VZUqDTy9EOm65ATJ6fPGeyA6aR043VmvXTzVmeMH+o=,tag:8nyYCrwoZADmt05EgldymA==,type:str]
key_seed: ENC[AES256_GCM,data:gt3jgAk4upREudd1HYXCSsqg6E3Vuq0WbiDSTjYZF+QJXa7cdq0Ke8XrjJVCAokbp7ZZsf1MMo/wEkr47HXggg==,iv:7xrMZrWNpsAtBoOx4p3RjaEJru9jXrdXkR/Z8rA4vwI=,tag:oLbli5vAw8X00eiD87sSCA==,type:str]
admin_password: ENC[AES256_GCM,data:RBibqepGrtX8hKVzdcAtTbsVZg==,iv:RLu3JkhtmCfXVwZA8EX/dVgqqu7hWURIWNSywlW/8ew=,tag:jQXYo2a+Idh1AIfr1687gg==,type:str]
sops:
age:
- recipient: age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFcjltUDdJL2lrMEZvRk5Q
TFErTFYrYTlvbTc3OHd0SWZEQTNuQzFIZ2dJClNhcWRmWkh4MXlaeklJdEh0K3lp
MG9hMHU1OWcybUhKM1QrclBBeGpOaWcKLS0tIEZMYVNKN1ZxQmxHcFRUQ1BVUUtq
NW9CUkJQbis1NmpyU0xrb3J4UVNKTDgKsPFnlQBa8LGm6s8uZsUXq9RIt4WzzROc
mz9dEVq/R54xvjMRltgzZyu54BWWOQYgkZUEhOnDoqwVnA7XwGGYtA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-06T18:36:06Z"
mac: ENC[AES256_GCM,data:WoRdw4Vv8aHFz3dlyu28e/KSu+bKCKiNRV2JYLGZDxgl/fV0CLunhY3/jc+zddAJOd8Q8pO750mvAmgQ6wzTd90N8hQg4kP5Uqjajoi4iUTbWiPr6CGWwhqcl6HZ1M4Ei35MyQ/NXOECk4Ma9mMG9TyDxkd2jEQwpL2Wpus3uBg=,iv:N5UYoT1Zqznwgyrf3L4YESnX7/iLAXDuBW6+k39VHMc=,tag:nlBlAnoU3fFTU4Nf0njpLA==,type:str]
pgp:
- created_at: "2025-07-06T18:28:35Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DARdpY4woM6wSAQdAzqZHVo7/A+jPwSx63zOXGJ9tCF7qYDvu/Eg7HxCxhFYw
P277CjIB3imnRHCms18b+ze9Bv3A2wNdBGlbqhG/Z1R10NPx3nJydnYCUdZtbKFk
0lwBTahORz3Ha2RqKTiuUGhncNtz+4U5i08sbLCzp/1Vc32RAwEGtfbMFosS4Uf2
qCFsnEICj2MuXgBtub5Mw2zpDIFkjaIRGLPohiJy+Yrp9J14hWuZmC79lwGRgQ==
=umk4
-----END PGP MESSAGE-----
fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
unencrypted_suffix: _unencrypted
version: 3.10.2