diff --git a/etc/default.nix b/etc/default.nix
index 5e8406d6ffa..ff5b477498f 100644
--- a/etc/default.nix
+++ b/etc/default.nix
@@ -187,15 +187,6 @@ let
target = "ssmtp/ssmtp.conf";
}
- # LDAP configuration.
- ++ optional config.users.ldap.enable {
- source = import ./ldap.conf.nix {
- inherit (pkgs) writeText;
- inherit config;
- };
- target = "ldap.conf";
- }
-
# A bunch of PAM configuration files for various programs.
++ (map
(program:
diff --git a/system/options.nix b/system/options.nix
index efa9372fcf4..d3caa8ea927 100644
--- a/system/options.nix
+++ b/system/options.nix
@@ -2043,46 +2043,6 @@ in
};
- users = {
-
- ldap = {
-
- enable = mkOption {
- default = false;
- description = "
- Whether to enable authentication against an LDAP server.
- ";
- };
-
- server = mkOption {
- example = "ldap://ldap.example.org/";
- description = "
- The URL of the LDAP server.
- ";
- };
-
- base = mkOption {
- example = "dc=example,dc=org";
- description = "
- The distinguished name of the search base.
- ";
- };
-
- useTLS = mkOption {
- default = false;
- description = "
- If enabled, use TLS (encryption) over an LDAP (port 389)
- connection. The alternative is to specify an LDAPS server (port
- 636) in or to forego
- security.
- ";
- };
-
- };
-
- };
-
-
nesting = {
children = mkOption {
default = [];
@@ -2158,6 +2118,9 @@ in
(import ../upstart-jobs/pulseaudio.nix)
(import ../upstart-jobs/kbd.nix)
+ #users
+ (import ../upstart-jobs/ldap)
+
# fonts
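Review bot: The new section comment `#users` does not match the `# fonts` style used two lines below; a space after the hash keeps the file's comment convention consistent, so `# users` on the added line. The surrounding list of imports begins and ends outside this hunk.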
diff --git a/upstart-jobs/ldap/default.nix b/upstart-jobs/ldap/default.nix
new file mode 100644
index 00000000000..4c964cd79f2
--- /dev/null
+++ b/upstart-jobs/ldap/default.nix
@@ -0,0 +1,76 @@
+{pkgs, config, ...}:
+
+###### interface
+let
+ inherit (pkgs.lib) mkOption mkIf;
+
+ options = {
+ users = {
+ ldap = {
+
+ enable = mkOption {
+ default = false;
+ description = "
+ Whether to enable authentication against an LDAP server.
+ ";
+ };
+
+ server = mkOption {
+ example = "ldap://ldap.example.org/";
+ description = "
+ The URL of the LDAP server.
+ ";
+ };
+
+ base = mkOption {
+ example = "dc=example,dc=org";
+ description = "
+ The distinguished name of the search base.
+ ";
+ };
+
+ useTLS = mkOption {
+ default = false;
+ description = "
+ If enabled, use TLS (encryption) over an LDAP (port 389)
+ connection. The alternative is to specify an LDAPS server (port
+ 636) in or to forego
+ security.
+ ";
+ };
+
+ };
+ };
+ };
+in
+
+###### implementation
+
+mkIf config.users.ldap.enable {
+ require = [
+ options
+ ];
+
+ # LDAP configuration.
+ environment = {
+ etc = [
+
+ # Careful: OpenLDAP seems to be very picky about the indentation of
+ # this file. Directives HAVE to start in the first column!
+ { source = pkgs.writeText "ldap.conf" ''
+ uri ${config.users.ldap.server}
+ base ${config.users.ldap.base}
+
+ ${
+ if config.users.ldap.useTLS then ''
+ ssl start_tls
+ tls_checkpeer no
+ '' else ""
+ }
+ '';
+ target = "ldap.conf";
+ }
+ ];
+ };
+
+}
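Review bot: When `useTLS` is set, the generated ldap.conf emits `tls_checkpeer no`, which disables verification of the LDAP server's certificate, so the STARTTLS session is encrypted but not authenticated and the `useTLS` description ("use TLS (encryption)") does not tell the administrator this. At minimum the description should say so, e.g. add `Note: the server certificate is currently not verified (tls_checkpeer no).` to the `useTLS` description; better, make peer checking default to `yes` and add an option for the CA certificate path so that verification can actually succeed. The `useTLS` description also has a truncated sentence ("in or to forego security"), presumably meaning "in the server option"; it is copied verbatim from the removed options.nix text, so this is a chance to fix it. The rename at the end of this diff keeps `ldap.conf.nix` under `upstart-jobs/ldap/`, but the new module builds the file inline with `pkgs.writeText` and does not appear to import it, so that file looks dead after this change; worth confirming and dropping it if so.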
diff --git a/etc/ldap.conf.nix b/upstart-jobs/ldap/ldap.conf.nix
similarity index 100%
rename from etc/ldap.conf.nix
rename to upstart-jobs/ldap/ldap.conf.nix