diff --git a/flake.lock b/flake.lock
index 3d6d35c..36c62c7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -188,11 +188,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1752624097,
- "narHash": "sha256-mQCof2VccFzF7cmXy43n3GCwSN2+m8TVhZpGLx9sxVc=",
+ "lastModified": 1752817886,
+ "narHash": "sha256-ixiHcBqWAubQYbXEXeEnqhwEj9Bz7GoLL904bZ+Autc=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "d7c8095791ce3aafe97d9c16c1dc2f4e3d69a3ba",
+ "rev": "3ee71bd9a139787964bc89c67989fda8ccc599e6",
 "type": "github"
 },
 "original": {
diff --git a/machines/auth/lldap.nix b/machines/auth/lldap.nix
index bea3d14..c37c5dd 100644
--- a/machines/auth/lldap.nix
+++ b/machines/auth/lldap.nix
@@ -15,6 +15,10 @@ in {
 "lldap/admin_password".owner = "lldap";
 };
 
+ sops.templates."lldap_config.toml".content = ''
+ LLDAP_SMTP_OPTIONS__PASSWORD=${config.sops.placeholder."lldap/admin_password"}
+ '';
+
 networking.firewall.allowedTCPPorts = [
 cfg.settings.http_port
 cfg.settings.ldap_port
@@ -25,8 +29,11 @@ in {
 services.lldap = {
 enable = true;
 settings = {
+ verbose = true;
 ldap_base_dn = "dc=procopius,dc=dk";
 ldap_user_email = "admin@procopius.dk";
+ http_url = "https://lldap.procopius.dk";
+ enable_password_reset = true;
 database_url = "postgresql://lldap@localhost/lldap?host=/run/postgresql";
 };
 
@@ -34,7 +41,16 @@ in {
 LLDAP_JWT_SECRET_FILE = config.sops.secrets."lldap/jwt_secret".path;
 LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key_seed".path;
 LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin_password".path;
+
+ LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET = "true";
+ LLDAP_SMTP_OPTIONS__SERVER = "mail.procopius.dk";
+ LLDAP_SMTP_OPTIONS__PORT = "465";
+ LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION = "TLS";
+ LLDAP_SMTP_OPTIONS__USER = "admin@procopius.dk";
+ LLDAP_SMTP_OPTIONS__FROM = "LLDAP Admin ";
+ LLDAP_SMTP_OPTIONS__REPLY_TO = "Do not reply ";
 };
+ environmentFile = config.sops.templates."lldap_config.toml".path;
 };
 
 systemd.services.lldap = let
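Review bot: The new sops template feeds the same secret, `lldap/admin_password`, into `LLDAP_SMTP_OPTIONS__PASSWORD`, so the LDAP admin bind password doubles as the credential of the `admin@procopius.dk` mailbox used to send reset mail, and a leak on either side (mail relay logs, the mail account, the lldap environment) exposes the other. If the mail server authenticates against lldap this is a consequence of reusing the admin identity as the sender, and the fix is a dedicated low-privilege sender account with its own secret; either way the template line would become `LLDAP_SMTP_OPTIONS__PASSWORD=${config.sops.placeholder."lldap/smtp_password"}` with a matching `sops.secrets."lldap/smtp_password"` entry next to the existing ones. The template is named `lldap_config.toml` but its content is `KEY=value` environment-file syntax consumed via `environmentFile` in the third hunk, so a name like `lldap.env` would describe it more accurately. The secrets directly above set `.owner = "lldap"` while the template sets no owner; if `environmentFile` is read by systemd before privilege drop the default root ownership is the safer choice and needs no change, otherwise `sops.templates."lldap_config.toml".owner = "lldap";` is required for the service to read it.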
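Review bot: `verbose = true` lands in the production settings with no explanation; verbose logging on an identity service is typically chattier about users and requests than the default, so it should either carry a comment stating why it is on, or be removed once the SMTP setup is confirmed, e.g. `verbose = true; # TODO: drop once password-reset mail is verified`. `enable_password_reset = true` is set here under `settings` and again as `LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET = "true"` in the environment of the third hunk; keep a single source of truth so that disabling the feature later is a one-line change, and note that I cannot confirm from here whether lldap honors the top-level key or only the `smtp_options` one. `http_url` being `https://` is what protects the reset link (and the token it carries) in transit; a one-line comment to that effect would stop a future edit from downgrading it casually. The `settings` attribute set is fully inside the hunk, but `services.lldap` continues past it.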
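Review bot: As rendered here, `LLDAP_SMTP_OPTIONS__FROM = "LLDAP Admin "` and `LLDAP_SMTP_OPTIONS__REPLY_TO = "Do not reply "` end in a trailing space with no mailbox address; if an angle-bracketed address was stripped in display this is moot, otherwise the From/Reply-To headers will be malformed and receiving servers may reject or junk the reset mail, so the values should look like `"LLDAP Admin <admin@procopius.dk>"`. Port `"465"` together with `SMTP_ENCRYPTION = "TLS"` is the implicit-TLS pairing and is consistent; a short comment such as `# 465 = implicit TLS (not STARTTLS on 587)` would save the next reader a lookup and discourage switching one without the other. The `environment` attribute set these keys belong to opens before the hunk, so its header is not visible here.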