auth machine

machines/auth/bootstrap/lldap-bootstrap.nix

@@ -0,0 +1,103 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.services.lldapBootstrap;
+in {
+  imports = [
+    ./user-configs.nix
+    ./group-configs.nix
+  ];
+
+  options.services.lldapBootstrap = {
+    enable = lib.mkEnableOption "LLDAP bootstrapping service.";
+
+    host = lib.mkOption {
+      type = lib.types.str;
+      default = "http://localhost:17170";
+      description = "The LLDAP host and port (e.g., 'localhost:17170').";
+    };
+
+    adminUsername = lib.mkOption {
+      type = lib.types.str;
+      default = "admin";
+      description = "The LLDAP admin username.";
+    };
+
+    adminPasswordFile = lib.mkOption {
+      type = lib.types.path;
+      description = "Path to the sops secret file containing the LLDAP admin password.";
+      default = "/run/secrets/lldap/admin_password";
+      example = "/run/secrets/lldap/admin_password";
+    };
+
+    # Add any other environment variables your bootstrap script might need
+    extraEnv = lib.mkOption {
+      type = lib.types.attrsOf lib.types.str;
+      default = {};
+      description = "Additional environment variables to pass to the bootstrap script.";
+    };
+
+    # Option to control when the bootstrap service runs (e.g., OnUnitActive)
+    # Be careful with this, as you generally only want it to run once.
+    # We'll default to OneShot and disable unless specifically enabled and configured.
+    runOnce = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "If true, the service will run once and then disable itself on success.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.etc."bootstrap/bootstrap.sh" = {
+      source = ./bootstrap.sh;
+      user = "lldap";
+      group = "lldap";
+      mode = "0770";
+    };
+
+    environment.systemPackages = with pkgs; [
+      curl
+      jq
+      jo
+    ];
+
+    systemd.services.lldap-bootstrap = {
+      description = "LLDAP Bootstrap Service";
+      # type = "oneshot";
+      after = ["network.target" "lldap.service"]; # Assuming your LLDAP service is called 'lldap.service'
+      wantedBy = ["multi-user.target"];
+
+      # Environment variables. Secrets will be read directly from the sops-nix managed paths.
+      environment =
+        {
+          LLDAP_URL = cfg.host;
+          LLDAP_ADMIN_USERNAME = cfg.adminUsername;
+          LLDAP_ADMIN_PASSWORD_FILE = cfg.adminPasswordFile;
+          LLDAP_SET_PASSWORD_PATH = "${pkgs.lldap}/bin/lldap_set_password";
+        }
+        // cfg.extraEnv; # Merge with any extra environment variables
+
+      # The command to execute. Ensure your script is executable.
+      # We use pkgs.writeScriptBin to embed the script directly into the Nix store
+      # This makes the service self-contained and ensures the script path is valid.
+      # script = ''
+      #   /etc/bootstrap/bootstrap.sh
+      # '';
+
+      path = [pkgs.bash pkgs.curl pkgs.jq pkgs.jo];
+      # Optional: Control service behavior after successful run.
+      # If runOnce is true, disable the service after it successfully completes.
+      # This prevents it from running on every reboot if the bootstrap is a one-time operation.
+      serviceConfig = lib.mkIf cfg.runOnce {
+        Type = "oneshot";
+        User = "lldap";
+        Group = "lldap";
+        DynamicUser = false;
+        ExecStart = "/etc/bootstrap/bootstrap.sh";
+      };
+    };
+  };
+}