gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 20:39:18 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions
infrastructure/nixos/access/ldap.nix
arcnmx 871b1c5b2d feat(exports): service access
2024-04-15 11:23:20 -07:00

81 lines
2.1 KiB
Nix
Raw Blame History

{
config,
lib,
gensokyo-zone,
access,
...
}:
let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkOptionDefault;
inherit (config.services) nginx;
portPlaintext = 389;
portSsl = 636;
system = access.systemForService "ldap";
inherit (system.exports.services) ldap;
in {
options.services.nginx.access.ldap = with lib.types; {
domain = mkOption {
type = str;
default = "ldap.${config.networking.domain}";
};
localDomain = mkOption {
type = str;
default = "ldap.local.${config.networking.domain}";
};
intDomain = mkOption {
type = str;
default = "ldap.int.${config.networking.domain}";
};
tailDomain = mkOption {
type = str;
default = "ldap.tail.${config.networking.domain}";
};
};
config = {
services.nginx = {
stream = {
upstreams = let
addr = mkAlmostOptionDefault (access.getAddressFor system.name "lan");
in {
ldap.servers.access = {
inherit addr;
port = mkOptionDefault ldap.ports.default.port;
};
ldaps = {
enable = mkAlmostOptionDefault ldap.ports.ssl.enable;
ssl.enable = mkAlmostOptionDefault true;
servers.access = {
inherit addr;
port = mkOptionDefault ldap.ports.ssl.port;
};
};
};
servers.ldap = {
listen = {
ldap.port = mkOptionDefault portPlaintext;
ldaps = {
port = mkOptionDefault portSsl;
ssl = true;
};
};
proxy.upstream = mkAlmostOptionDefault (
if nginx.stream.upstreams.ldaps.enable then "ldaps" else "ldap"
);
};
};
};
networking.firewall = let
inherit (nginx.stream.servers.ldap) listen;
in {
interfaces.local.allowedTCPPorts = [
listen.ldap.port
];
allowedTCPPorts = mkIf listen.ldaps.enable [
listen.ldaps.port
];
};
};
}
Reference in a new issue View git blame Copy permalink