nixcfg/machines/manager/ldap.nix

{ lib, config, ... }:

with lib;

let
  baseDN = concatMapStringsSep ","
    (part: "dc=${part}")
    (splitString "." config.networking.domain);
in
{
  services.openldap = {
    enable = true;
    settings = {
      children = {
        "cn=schema".includes = [
          "${config.services.openldap.package}/etc/schema/core.ldif"
          "${config.services.openldap.package}/etc/schema/cosine.ldif"
          "${config.services.openldap.package}/etc/schema/inetorgperson.ldif"
          "${config.services.openldap.package}/etc/schema/nis.ldif"
        ];
        "olcDatabase={1}mdb" = {
          attrs = {
            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];

            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/db";

            olcSuffix = baseDN;

            olcRootDN = "cn=root,${baseDN}";
            olcRootPW.path = config.sops.secrets."ldap/root/password".path;

            olcAccess = [
              # Custom access rules for userPassword attributes
              ''{0}to attrs=userPassword
                  by self write
                  by anonymous auth
                  by * none''

              # Allow read on anything else
              ''{1}to *
                  by * read''
            ];
          };
        };
      };
    };
  };

  sops.secrets."ldap/root/password" = {
    owner = "openldap";
  };
}