feat: add lldap

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
2025-07-06 20:29:43 +02:00 · 2025-07-06 20:29:43 +02:00 · a7f742b6c8
commit a7f742b6c8
parent 26a9d7e3c3
5 changed files with 94 additions and 0 deletions
--- a/hosts/hosting-01/auth/lldap.nix
+++ b/hosts/hosting-01/auth/lldap.nix
@ -0,0 +1,49 @@
+{ config, ... }:
+{
+  services = {
+    lldap = {
+      enable = true;
+      settings = {
+        ldap_base_dn = "dc=escapeangle,dc=com";
+        ldap_user_email = "lander@escapeangle.com";
+        database_url = "postgresql://lldap@db-01.tailnet.escapeangle.com/lldap";
+      };
+      environment = {
+        LLDAP_JWT_SECRET_FILE = config.sops.secrets."lldap/jwt_secret".path;
+        LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key_seed".path;
+        LLDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin_password".path;
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."users.escapeangle.com" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://localhost:${toString config.services.lldap.settings.http_port}";
+    };
+  };
+
+  users = {
+    users.lldap = {
+      group = "lldap";
+      isSystemUser = true;
+    };
+    groups.lldap = { };
+  };
+
+  sops.secrets = {
+    "lldap/jwt_secret" = {
+      owner = "lldap";
+      sopsFile = ../secrets.yaml;
+    };
+    "lldap/key_seed" = {
+      owner = "lldap";
+      sopsFile = ../secrets.yaml;
+    };
+    "lldap/admin_password" = {
+      owner = "lldap";
+      sopsFile = ../secrets.yaml;
+    };
+  };
+}