homelab/machines/auth/bootstrap/lldap-bootstrap.nix

{
config,
lib,
pkgs,
...
}: let
cfg = config.services.lldapBootstrap;
in {
# Companion modules living next to this file; judging by their names they
# carry the service-account, user and group configuration that the bootstrap
# consumes. The module system merges them into this module.
imports = [ ./service-accounts.nix ./user-configs.nix ./group-configs.nix ];
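options.services.lldapBootstrap = {
  enable = lib.mkEnableOption "LLDAP bootstrapping service.";

  # The default already carries the scheme, so the description must not
  # suggest a bare host:port as the original one did.
  host = lib.mkOption {
    type = lib.types.str;
    default = "http://localhost:17170";
    example = "http://localhost:17170";
    description = ''
      Base URL (scheme, host and port) of the LLDAP web API, exported to the
      bootstrap script as LLDAP_URL. The default targets a local instance over
      plain HTTP; if the script authenticates against this URL with the admin
      credentials it is given, a non-loopback target should use https.
    '';
  };

  adminUsername = lib.mkOption {
    type = lib.types.str;
    default = "admin";
    description = "The LLDAP admin username, exported as LLDAP_ADMIN_USERNAME.";
  };

  adminPasswordFile = lib.mkOption {
    type = lib.types.path;
    default = "/run/secrets/lldap/admin_password";
    example = "/run/secrets/lldap/admin_password";
    description = ''
      Absolute path of a runtime-provisioned file (e.g. a sops-nix secret)
      holding the LLDAP admin password. Only the path is handed to the script
      (LLDAP_ADMIN_PASSWORD_FILE); the contents are read at run time.
      Give the path as a string: a Nix path literal such as ./secret would be
      copied into the world-readable Nix store. The file must be readable by
      the "lldap" user the service runs as.
    '';
  };

  extraEnv = lib.mkOption {
    type = lib.types.attrsOf lib.types.str;
    default = {};
    description = ''
      Additional environment variables exported to the bootstrap script.
      Values end up in the generated systemd unit in the Nix store, which is
      world-readable: never put secrets here, pass a file path instead.
    '';
  };

  runOnce = lib.mkOption {
    type = lib.types.bool;
    default = true;
    description = ''
      Run the bootstrap as a Type=oneshot unit. This module does not disable
      the unit after a successful run: it is wanted by multi-user.target and
      is started on every boot, so bootstrap.sh must be idempotent.
    '';
  };
};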
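config = lib.mkIf cfg.enable {
  # Setting user/group/mode makes NixOS copy the script into /etc instead of
  # symlinking it. 0550 keeps it readable and executable for the lldap user
  # and group but drops the group-write bit the original 0770 granted: nothing
  # needs to write this file, and a writable executable is a needless tamper
  # vector for anything running in the lldap group.
  # NOTE(review): the "lldap" user/group are assumed to be created by the
  # lldap service module; this module does not declare them.
  environment.etc."bootstrap/bootstrap.sh" = {
    source = ./bootstrap.sh;
    user = "lldap";
    group = "lldap";
    mode = "0550";
  };

  # Kept for interactive use; the unit gets these tools through its own
  # `path` below and does not depend on them being installed system-wide.
  environment.systemPackages = with pkgs; [ curl jq jo ];

  systemd.services.lldap-bootstrap = {
    description = "LLDAP Bootstrap Service";

    # `after` is ordering only; `wants` additionally pulls lldap.service in so
    # the bootstrap is not run against a daemon that was never started.
    after = [ "network.target" "lldap.service" ];
    wants = [ "lldap.service" ];
    wantedBy = [ "multi-user.target" ];

    # Only non-secret values belong here: the unit file lives in the
    # world-readable Nix store. The admin password itself is read by the
    # script at run time from the file named in LLDAP_ADMIN_PASSWORD_FILE.
    environment = {
      LLDAP_URL = cfg.host;
      LLDAP_ADMIN_USERNAME = cfg.adminUsername;
      LLDAP_ADMIN_PASSWORD_FILE = cfg.adminPasswordFile;
      LLDAP_SET_PASSWORD_PATH = "${pkgs.lldap}/bin/lldap_set_password";
    } // cfg.extraEnv;

    path = [ pkgs.bash pkgs.curl pkgs.jq pkgs.jo ];

    # Type/User/Group/ExecStart are unconditional. The original nested them
    # under `lib.mkIf cfg.runOnce`, which left a unit without ExecStart=
    # (refused by systemd) whenever runOnce was false. runOnce now only
    # controls RemainAfterExit: a finished bootstrap stays "active" and a
    # plain `systemctl start` within the same boot does not re-execute it.
    # The unit still runs on every boot, so the script must be idempotent.
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = cfg.runOnce;
      User = "lldap";
      Group = "lldap";
      DynamicUser = false;
      # A curl/jq script has no business gaining privileges via setuid binaries.
      NoNewPrivileges = true;
      # The copied script must keep its executable bit and shebang (see the
      # environment.etc entry above).
      ExecStart = "/etc/bootstrap/bootstrap.sh";
    };
  };
};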
}