From f47eec28891d9d0594cc4d9745d0365212c7e3be Mon Sep 17 00:00:00 2001 From: Chris Montgomery Date: Sat, 5 Aug 2023 21:11:21 -0400 Subject: [PATCH] feat(ldap|hierophant): add lldap service --- machines/hierophant/default.nix | 2 + machines/hierophant/lldap.nix | 51 ++++++++++++++++++++++++ machines/hierophant/secrets/secrets.yaml | 8 +++- 3 files changed, 59 insertions(+), 2 deletions(-) create mode 100644 machines/hierophant/lldap.nix diff --git a/machines/hierophant/default.nix b/machines/hierophant/default.nix index 01c8d4053..a7a1ece21 100644 --- a/machines/hierophant/default.nix +++ b/machines/hierophant/default.nix @@ -10,6 +10,8 @@ # ./atticd.nix ./seadome-dot-net.nix + ./lldap.nix + #: applications ./grafana.nix ./matrix/synapse.nix diff --git a/machines/hierophant/lldap.nix b/machines/hierophant/lldap.nix new file mode 100644 index 000000000..ca41ef7f9 --- /dev/null +++ b/machines/hierophant/lldap.nix 
@@ -0,0 +1,51 @@
+{config, ...}: let
+ inherit (config.sops) secrets;
+ inherit (config) users;
+ cfg = config.services.lldap;
+
+ fqdn = "auth.seadome.net";
+in {
+ services.lldap = {
+ enable = true;
+ settings = {
+ ldap_base_dn = "dc=seadome,dc=net";
+ ldap_user_email = "ops@seadome.net";
+ http_url = "https://${fqdn}";
+ };
+ environment = {
+ "LLDAP_JWT_SECRET_FILE" = secrets."lldap/jwt_secret".path;
+ "LLDAP_LDAP_USER_PASS_FILE" = secrets."lldap/ldap_user_pass".path;
+ };
+ environmentFile = secrets."lldap/environment_file".path;
+ };
+
+ services.nginx.virtualHosts."${fqdn}" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/" = {
+ proxyPass = "http://${cfg.settings.http_host}:${builtins.toString cfg.settings.http_port}";
+ };
+ };
+
+ # FIXME: user does not exist -- probably need to fork the nixos module
+ sops.secrets = {
+ "lldap/environment_file" = {
+ owner = users.lldap.name;
+ group = users.lldap.group;
+ mode = "0440";
+ restartUnits = ["lldap.service"];
+ };
+ "lldap/jwt_secret" = {
+ owner = users.lldap.name;
+ group = users.lldap.group;
+ mode = "0440";
+ restartUnits = ["lldap.service"];
+ };
+ "lldap/ldap_user_pass" = {
+ owner = users.lldap.name;
+ group = users.lldap.group;
+ mode = "0440";
+ restartUnits = ["lldap.service"];
+ };
+ };
+}
diff --git a/machines/hierophant/secrets/secrets.yaml b/machines/hierophant/secrets/secrets.yaml
index 4ac41eff6..dcf82724b 100644
--- a/machines/hierophant/secrets/secrets.yaml
+++ b/machines/hierophant/secrets/secrets.yaml
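Review bot: `addSSL = true` on the `auth.seadome.net` vhost keeps a plain-HTTP listener alongside the TLS one, so the lldap login form and the JWT it issues can be served unencrypted; for a credential endpoint this should be `forceSSL = true;` so port 80 only redirects. The hunk also leaves `settings.http_host` and `settings.ldap_host` unset; if the module inherits lldap's own `0.0.0.0` defaults (worth confirming), the backend HTTP port and the cleartext LDAP port are reachable from every interface, bypassing the TLS front, and `http_host = "127.0.0.1";` plus `ldap_host = "127.0.0.1";` (or an explicit firewall rule) would close that while keeping `proxyPass` working. In the `sops.secrets` owners, `users.lldap.name` resolves to `config.users.lldap`, which is not the NixOS user attrset (`config.users.users`), so the evaluation fails even once an `lldap` user exists; if the upstream unit runs under `DynamicUser`, a static owner cannot work at all and `systemd.services.lldap.serviceConfig.LoadCredential` (or forcing a static user) is the fix the FIXME is looking for.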
@@ -1,4 +1,8 @@ attic-server-token: ENC[AES256_GCM,data:4+4GoxUpb3HmTYeznvM52cQ4idCE5nPoXWToepKLkzHMLRh5huT8HcHFoSW47a5oHqkf3erA3yejGd235OQjdu9r53k/CSLP0m1vt4qqW7Vnzx8zQSSI2cTxEu0zVWFr3ygdGuNknjunAIW3fyePLkYsHkWA2E+tSGN/9pkjGHuiF97XkG9BA/03Dh0/sjNFfaPiF6H3J4LeI/XCLrfHvzyDT+HX9A3ebZzNZpw/XYTP8cgB6tDydA4SZMUDpfMV0lshgztSCHPN5/AljJSWPguy4thfZ4XmPaX0RKC6uR/1BhYG6ft35w3oEIEjTtZLZw5w+lA/r7uFhYwZidMKW50x07+3M3dqFCFDJgd2SgU=,iv:Y0i2KjKZswq/FX+axHWRx4EPDVZnDWhSt0A/It9c368=,tag:iCWWazC8Bj2f+LtsiN3MuQ==,type:str] +lldap: + environment_file: ENC[AES256_GCM,data:TVbCXadbaPzp8s5B7kDXKLKjPiwsHe8LiQ/04FGVS8dUAKBIpqdEcqBlwHOhDgz5cF5cneWrMS6rdFXCwrX3x+dq8kcAzaAN+7tSbH0gPlDH7TKSiQ==,iv:rmlGpINJMqPWlzDC5okxRm89hzpY9qUx2GRpacRejKc=,tag:Mn49VmycMfBMPkxwhmputQ==,type:str] + jwt_secret: ENC[AES256_GCM,data:gvMpTXS5+GoXNE7jsJP6+p1RTqR0jiFwtoDhu1UGIIg=,iv:aij58RUoXsy2CMQR6y2r/FKttorW++SpOyPwp6lgzGA=,tag:CfX9/+o8/EaZsIw5G7kjfw==,type:str] + ldap_user_pass: ENC[AES256_GCM,data:v1aFwdc8cOoNB4F6hCxciix7gQfQx2ls1A==,iv:6QDvKsVZn9R2BPXATTH93SFQaq7dYNvyk3Iwjv29cX8=,tag:nnQvFEJAUtoYEQS26yNxlA==,type:str] matrix-synapse: client-secret-yaml: ENC[AES256_GCM,data:Xxp0Q1ZSA33oe8jDahaC0A5Hm6TgXPny44l0nA692xHdv+ATwuo/V9YLWgWTBGpddATaP9HCWhcze0rH6UGRH7uwn8RmU1IUCvhAyMYrHQ==,iv:jhlZJckuAQXptFig0PFifXsBR+uGs3XhP2xd0IBvv/8=,tag:DQ8HhlmMH1R2URQUifh06w==,type:str] recaptcha-private-key-yaml: ENC[AES256_GCM,data:EQ9ijgXU0V6ZXWmuNBLNC79uNQdb1aDHhh7KlVa1L6RJjk5pV3km2KvxHNI2oFFrA03CIRIU7VciCYFHIrSU,iv:22lD+10rvGtpZL6bYEZN77CwnPkv5cfIeU09WVURpUM=,tag:ep706Ami3KMyFlv4waydKQ==,type:str] 
@@ -29,8 +33,8 @@ sops: bmZiRzRua2pyM1BuSG9OSFZPdlc2clUKjtA+r+2DciSzcIdqGmMkbSKtKczdTHQw vyk26GZNNjPAqk8FYwm+zxsPBY07LKZ9DklpKmadAzx+4LofcuBp1Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-05T17:33:23Z" - mac: ENC[AES256_GCM,data:61A8cO7iiFSFq6kcG93Dkqv6CQqQv0242j4uLQZvkyDu2vq/0CHmTDEuxXPlShcUJXEhVyTZQVcqvWKU08knRHpKa5byOe5yPb/znmq0dhpreDD7xQaEJwdmF2JC2G/34B4PEDXAaqsqagQepxnr4B31qmeOVTnbLh87NMu9lV4=,iv:WUU3i4j2CLSXVlT9a0Uli17iDum7Q0RhzT797nmEDRI=,tag:qI4AoLgLcNkiwtY/hoqmQg==,type:str] + lastmodified: "2023-08-06T01:09:33Z" + mac: ENC[AES256_GCM,data:Cz7vjQTttyM7MLLZj75OnEZf/oxFwJ2wh7Mimgo/oJARXqMXm6aPJzbHn+wgjG5DlFiIXAnR1o/A63P0IB4HViL5o1R5Ic8w8/VUFrZnkjuDfY6mt1pm9+C7DatRlBM0BXJ64kmjx7JPqrFINlvaW/zYqr7LiyaPu9U+MSzx7pU=,iv:MtHow3dKbTiuDV69Ms/puq5JwxdVnczIWWQ1VLBIJAQ=,tag:M3lWt8/nPs7j4G83FEZnMQ==,type:str] pgp: - created_at: "2023-07-01T21:23:20Z" enc: |-