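# NixOS module for the authentication vhost: Keycloak (backed by a local
# PostgreSQL) plus an OpenLDAP directory rooted at the machine's domain.
# All credential material comes from agenix (`age.secrets.*`); nothing in
# this file should carry a password or hash in the clear, because every
# evaluated value lands in the world-readable /nix/store.
{ config, pkgs, lib, ... }:
let
  inherit (config.serverConfig) vhosts;
  inherit (config.networking) domain;
  inherit (lib) remove concatStringsSep;
in
{
  # Decrypted "{SSHA}..." hash of the OpenLDAP rootDN password, consumed by
  # services.openldap below.  Owner and group are the slapd user/group, so
  # 0440 would be sufficient; 0444 leaves the hash readable by every local
  # account (kept as configured, tighten once slapd is confirmed to read it
  # as that user).
  age.secrets.openldap_admin =
    let inherit (config.services.openldap) user group;
    in {
      file = ../secrets/openldap_admin.age;
      owner = user;
      inherit group;
      mode = "0444";
    };

  # Keycloak's database password.  It is read by Keycloak (as `keycloak`)
  # and by the PostgreSQL provisioning step (as `postgres`, via
  # ensureUsers.passFile), which is presumably why it is world-readable
  # rather than 0440 — verify before tightening.
  age.secrets.keycloak_db_pass = {
    file = ../secrets/keycloak_db_pass.age;
    owner = "keycloak";
    group = "keycloak";
    mode = "0444";
  };

  users.users.keycloak = {
    isSystemUser = true;
    group = "keycloak";
  };
  users.groups.keycloak = { };

  # Database and role are provisioned here rather than by
  # services.keycloak (createLocally = false), so the role's password is
  # the one in the secret instead of a module-generated value.
  services.postgresql =
    let inherit (config.services.keycloak.database) name username;
    in {
      enable = true;
      ensureDatabases = [ name ];
      ensureUsers = [
        {
          name = username;
          passFile = config.age.secrets.keycloak_db_pass.path;
          ensureDBOwnership = true;
        }
      ];
    };

  services.keycloak = {
    enable = true;
    database = {
      type = "postgresql";
      createLocally = false;
      username = "keycloak";
      passwordFile = config.age.secrets.keycloak_db_pass.path;
    };
    settings = {
      hostname = vhosts.auth_host.host;
      # Loopback only: TLS is terminated at the reverse proxy ("edge"), so
      # this plain-HTTP port must never be reachable from outside the host.
      http-host = "127.0.0.1";
      http-port = vhosts.auth_host.port;
      proxy = "edge"; # passthrough";
    };
  };

  services.openldap =
    let
      # "example.org" -> "dc=example,dc=org".  builtins.split interleaves
      # empty capture-group lists between the pieces; `remove [ ]` drops them.
      localDc = concatStringsSep "," (map (s: "dc=${s}") (remove [ ] (builtins.split "\\." domain)));
    in {
      enable = true;
      # ldap:/// listens on every interface without TLS; simple binds over
      # it carry credentials in the clear unless clients use StartTLS.
      # ldapi:/// is the local Unix socket.  Whether 389/tcp is firewalled
      # is not visible here — confirm.
      urlList = [ "ldap:///" "ldapi:///" ];
      # declarativeContents = {
      #   "${localDc}" = import ./ldapConf.nix { inherit localDc; };
      # };
      settings = {
        attrs = { olcLogLevel = "conns config"; };
        children = {
          "cn=schema".includes = [
            "${pkgs.openldap}/etc/schema/core.ldif"
            "${pkgs.openldap}/etc/schema/cosine.ldif"
            "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
          ];
          "olcDatabase={1}mdb".attrs = {
            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/data";
            olcSuffix = localDc;
            olcRootDN = "cn=admin,${localDc}";
            # Read the rootDN password hash from the agenix secret when the
            # NixOS module generates the config (the `path` form of an attr
            # value), instead of embedding the hash in the evaluated,
            # world-readable configuration.  The secret file must contain
            # the complete "{SSHA}..." string.
            olcRootPW.path = config.age.secrets.openldap_admin.path;
            olcAccess = [
              # userPassword: the entry's owner may change it, anonymous
              # clients may only use it to authenticate, nobody may read it.
              ''{0}to attrs=userPassword by self write by anonymous auth by * none''
              # Everything else is readable by anyone — `*` includes
              # anonymous (unauthenticated) binds — so the directory can be
              # enumerated without credentials.  `by users read` would
              # require a bind first; left unchanged here because the
              # directory consumers are not visible in this file.
              ''{1}to * by * read''
            ];
          };
        };
      };
    };
}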