auth machine

machines/auth/bootstrap/default.nix

@@ -0,0 +1,39 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  systemd.services.lldap-bootstrap = {
+    description = "Bootstraps LLDAP users";
+    requires = ["lldap.service"];
+    serviceConfig = {
+      DynamicUser = true;
+      Type = "oneshot";
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      PrivateUsers = true;
+      PrivateTmp = true;
+      LoadCredential = "inadyn.conf:${config.sops.templates."inadyn.conf".path}";
+      CacheDirectory = "inadyn";
+      ExecStart = ''
+        export LLDAP_URL=http://localhost:8080
+        export LLDAP_ADMIN_USERNAME=admin
+        export LLDAP_ADMIN_PASSWORD=changeme
+        export USER_CONFIGS_DIR="$(realpath ./configs/user)"
+        export GROUP_CONFIGS_DIR="$(realpath ./configs/group)"
+        export USER_SCHEMAS_DIR="$(realpath ./configs/user-schema)"
+        export GROUP_SCHEMAS_DIR="$(realpath ./configs/group-schema)"
+        export LLDAP_SET_PASSWORD_PATH="$(realpath ./lldap_set_password)"
+        export DO_CLEANUP=false
+        ./bootstrap.sh
+
+        ${pkgs.inadyn}/bin/inadyn \
+          --foreground \
+          --syslog \
+          --once \
+          --cache-dir ''${CACHE_DIRECTORY} \
+          --config ''${CREDENTIALS_DIRECTORY}/inadyn.conf
+      '';
+    };
+  };
+}