auth machine

machines/auth/lldap.nix

@@ -0,0 +1,61 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.services.lldap;
+in {
+  imports = [
+    ./bootstrap/lldap-bootstrap.nix
+  ];
+
+  sops.secrets = {
+    "lldap/jwt_secret".owner = "lldap";
+    "lldap/key_seed".owner = "lldap";
+    "lldap/admin_password".owner = "lldap";
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    cfg.settings.http_port
+    cfg.settings.ldap_port
+  ];
+
+  services.lldapBootstrap.enable = true;
+
+  services.lldap = {
+    enable = true;
+    settings = {
+      ldap_base_dn = "dc=procopius,dc=dk";
+      ldap_user_email = "admin@procopius.dk";
+
+      database_url = "postgresql://lldap@localhost/lldap?host=/run/postgresql";
+    };
+    environment = {
+      LLDAP_JWT_SECRET_FILE = config.sops.secrets."lldap/jwt_secret".path;
+      LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key_seed".path;
+      LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin_password".path;
+    };
+  };
+
+  systemd.services.lldap = let
+    dependencies = [
+      "postgresql.service"
+    ];
+  in {
+    # LLDAP requires PostgreSQL to be running
+    after = dependencies;
+    requires = dependencies;
+    # DynamicUser screws up sops-nix ownership because
+    # the user doesn't exist outside of runtime.
+    serviceConfig.DynamicUser = lib.mkForce false;
+  };
+
+  # Setup a user and group for LLDAP
+  users = {
+    users.lldap = {
+      group = "lldap";
+      isSystemUser = true;
+    };
+    groups.lldap = {};
+  };
+}