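{ config, lib, pkgs, ... }:

# NixOS module `fudo.authentication`: resolve users & groups through NSS and
# authenticate logins through PAM against the Fudo LDAP directory, using the
# stock `users.ldap` module and its nslcd daemon.
#
# Security note: both the libldap client config (ldap.conf) and the nslcd
# config are set to `demand` a server certificate that chains to
# `ssl-ca-certificate`.  With `allow` (the original value) a missing or
# unverifiable certificate is silently accepted, so anyone who can answer on
# the LDAP address could hand this host arbitrary uid/gid mappings and
# password hashes.  The original ldap.conf line was also misspelled
# (`TSL_REQCERT`), so it never took effect at all.

with lib;

let
  cfg = config.fudo.authentication;

in {
  options.fudo.authentication = {
    enable = mkEnableOption "Use Fudo users & groups from LDAP.";

    ssl-ca-certificate = mkOption {
      type = types.str;
      description = ''
        Path to the CA certificate used to verify the LDAP server's TLS
        certificate when binding to the server.  Must be an absolute path
        on the target host.
      '';
    };

    bind-passwd-file = mkOption {
      type = types.str;
      description = ''
        Path to a file containing the password used to bind to the server.
        Deliberately a string rather than `types.path`: a path value would
        be copied into the world-readable Nix store.
      '';
    };

    ldap-url = mkOption {
      type = types.str;
      description = "URL of the LDAP server (an ldap:// or ldaps:// URI).";
      example = "ldaps://auth.fudo.org";
    };

    base = mkOption {
      type = types.str;
      description = "The LDAP base in which to look for users.";
      default = "dc=fudo,dc=org";
    };

    bind-dn = mkOption {
      type = types.str;
      description = "The DN with which to bind the LDAP server.";
      default = "cn=auth_reader,dc=fudo,dc=org";
    };
  };

  config = mkIf cfg.enable {
    # Catch a bare hostname or a typo'd scheme at evaluation time instead of
    # discovering it as a failed NSS lookup on the booted host.
    assertions = [
      {
        assertion = hasPrefix "ldap://" cfg.ldap-url
          || hasPrefix "ldaps://" cfg.ldap-url;
        message =
          "fudo.authentication.ldap-url must be an ldap:// or ldaps:// URI, got: ${cfg.ldap-url}";
      }
    ];

    users.ldap = {
      enable = true;
      server = cfg.ldap-url;
      base = cfg.base;
      # Bound (not anonymous) lookups; the secret stays outside the store.
      bind = {
        distinguishedName = cfg.bind-dn;
        passwordFile = cfg.bind-passwd-file;
        timeLimit = 5;
      };
      loginPam = true;
      nsswitch = true;
      # Short search timeout so a dead directory does not hang logins.
      timeLimit = 5;
      # NOTE(review): users.ldap.useTLS requests STARTTLS on the connection;
      # the example URL is ldaps://, which is already TLS.  Confirm the
      # combination is intended on the deployed server before changing it.
      useTLS = true;
      # libldap / pam_ldap side: pin the CA and require a verifiable server
      # certificate.  `demand` is the libldap default, but we set it
      # explicitly so a later edit cannot quietly weaken it.
      extraConfig = ''
        TLS_CACERT ${cfg.ssl-ca-certificate}
        TLS_REQCERT demand
      '';

      # nslcd side (the process that actually serves NSS/PAM lookups): same
      # CA and the same hard requirement on the server certificate.
      daemon = {
        enable = true;
        extraConfig = ''
          tls_cacertfile ${cfg.ssl-ca-certificate}
          tls_reqcert demand
        '';
      };
    };
  };
}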