mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-10 04:49:19 -08:00
90 lines
2.3 KiB
Nix
90 lines
2.3 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
gensokyo-zone,
|
|
access,
|
|
...
|
|
}: let
|
|
inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
|
|
inherit (lib.options) mkOption;
|
|
inherit (lib.modules) mkIf mkOptionDefault;
|
|
inherit (config.services) nginx;
|
|
portPlaintext = 389;
|
|
portSsl = 636;
|
|
upstreamName = "ldap'access";
|
|
in {
|
|
options.services.nginx.access.ldap = with lib.types; {
|
|
domain = mkOption {
|
|
type = str;
|
|
default = "ldap.${config.networking.domain}";
|
|
};
|
|
localDomain = mkOption {
|
|
type = str;
|
|
default = "ldap.local.${config.networking.domain}";
|
|
};
|
|
intDomain = mkOption {
|
|
type = str;
|
|
default = "ldap.int.${config.networking.domain}";
|
|
};
|
|
tailDomain = mkOption {
|
|
type = str;
|
|
default = "ldap.tail.${config.networking.domain}";
|
|
};
|
|
};
|
|
config = {
|
|
services.nginx = {
|
|
stream = {
|
|
upstreams = {
|
|
${upstreamName}.servers = {
|
|
ldaps = {
|
|
accessService = {
|
|
inherit (nginx.stream.upstreams.ldaps.servers.access.accessService) system name id port;
|
|
};
|
|
};
|
|
ldap = {upstream, ...}: {
|
|
enable = mkIf upstream.servers.ldaps.enable false;
|
|
accessService = {
|
|
inherit (nginx.stream.upstreams.ldap.servers.access.accessService) system name id port;
|
|
};
|
|
};
|
|
};
|
|
ldap.servers.access = {
|
|
accessService = {
|
|
name = "ldap";
|
|
};
|
|
};
|
|
ldaps = {config, ...}: {
|
|
enable = mkAlmostOptionDefault config.servers.access.enable;
|
|
servers.access = {
|
|
accessService = {
|
|
name = "ldap";
|
|
port = "ssl";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
servers.ldap = {
|
|
listen = {
|
|
ldap.port = mkOptionDefault portPlaintext;
|
|
ldaps = {
|
|
port = mkOptionDefault portSsl;
|
|
ssl = true;
|
|
};
|
|
};
|
|
proxy.upstream = mkAlmostOptionDefault upstreamName;
|
|
};
|
|
};
|
|
};
|
|
|
|
networking.firewall = let
|
|
inherit (nginx.stream.servers.ldap) listen;
|
|
in {
|
|
interfaces.local.allowedTCPPorts = [
|
|
listen.ldap.port
|
|
];
|
|
allowedTCPPorts = mkIf listen.ldaps.enable [
|
|
listen.ldaps.port
|
|
];
|
|
};
|
|
};
|
|
}
|