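# LLDAP (lightweight LDAP user directory) container definition.
# Builds the arguments for helper.mkPodmanService: service metadata, the
# sops secrets the unit depends on, and the compose file text.
{ config, pkgs, lib, ... }:

with lib;

let
  # Container config
  name = "lldap";

  # Version tagging
  # NOTE(review): a tag is mutable on the registry side. Pinning the image
  # by digest as well (lldap/lldap@sha256:<digest>) would make the pulled
  # content reproducible and auditable.
  lldapVersion = "v0.6.2";

  # Helper
  helper = import ../service-helper.nix { inherit config pkgs lib; };
  cfg = config.numbus-server.services.lldap;

  # Derive Base DN from domain (e.g., example.com -> dc=example,dc=com)
  domainParts = splitString "." config.numbus-server.services.domain;
  baseDN = concatStringsSep "," (map (p: "dc=${p}") domainParts);

  # time.timeZone is nullable in NixOS (null means UTC unless changed
  # imperatively). Interpolating null into a string aborts evaluation, so
  # fall back to UTC explicitly.
  timeZone =
    if config.time.timeZone != null then config.time.timeZone else "UTC";
in
helper.mkPodmanService {
  inherit name;
  pod = "false";
  description = "LLDAP, unified user management";
  defaultPort = "17170";
  dependencies = [ "sops-install-secrets.service" "network-online.target" ];
  middlewares = [ "secureHeaders" ];

  # NOTE(review): 100999 is presumably the host-side subuid that container
  # UID 1000 maps to; confirm against the subuid range the helper uses.
  dirPermissions = [ "100999:100 ${cfg.configDir}" ];

  # NOTE(review): composeText also interpolates the "mail/smtpPassword"
  # placeholder, which is not listed here. Confirm that secret is declared
  # by another module, otherwise the placeholder may never be substituted.
  secrets = [ "lldap/jwt_secret" "lldap/key_seed" "lldap/admin_password" ];

  # Review notes on the compose text below (kept outside the string so the
  # rendered file is unchanged):
  #
  # * ports: both mappings omit a host address, so they are published on
  #   every host interface. LLDAP's 3890 listener is plain LDAP, so bind
  #   credentials from off-host clients travel in cleartext. If only local
  #   services use it, publish as "127.0.0.1:3890:3890"; otherwise restrict
  #   it at the firewall or front it with TLS. The web UI port is presumably
  #   meant to be reached through the reverse proxy (see middlewares);
  #   publishing it on all interfaces lets clients bypass that proxy.
  #
  # * environment: in list form the double quotes around the three lldap
  #   secrets are most likely passed through literally, so the effective
  #   value is "<secret>" including the quotes, unlike the unquoted SMTP
  #   password. Do NOT simply drop the quotes on a deployed instance:
  #   changing the effective KEY_SEED invalidates stored password hashes.
  #   Decide on one form and rotate deliberately.
  #
  # * Secrets passed as environment variables are visible via container
  #   inspection and /proc/<pid>/environ on the host. Prefer file-based
  #   secret delivery if the image supports it - TODO confirm.
  #
  # * cap_drop removes only NET_RAW. The container already runs as
  #   1000:1000 on unprivileged ports, so "cap_drop: [ ALL ]" is likely
  #   viable; verify startup before switching.
  #
  # * Password reset by e-mail is enabled, so the reset link's
  #   confidentiality depends on the configured smtpEncryption value.
  composeText = ''
    services:
      lldap:
        image: lldap/lldap:${lldapVersion}
        container_name: lldap
        hostname: lldap
        user: '1000:1000'
        networks:
          lldap:
            ipv4_address: 10.89.185.253
        ports:
          - "3890:3890"
          - "${cfg.port}:17170"
        volumes:
          - ${cfg.configDir}:/data
        environment:
          - UID=1000
          - GID=1000
          - TZ=${timeZone}
          - LLDAP_LDAP_BASE_DN=${baseDN}
          - LLDAP_JWT_SECRET="${config.sops.placeholder."lldap/jwt_secret"}"
          - LLDAP_KEY_SEED="${config.sops.placeholder."lldap/key_seed"}"
          - LLDAP_LDAP_USER_PASS="${config.sops.placeholder."lldap/admin_password"}"
          - LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET=true
          - LLDAP_SMTP_OPTIONS__SERVER=${config.numbus-server.mail.smtpServer}
          - LLDAP_SMTP_OPTIONS__PORT=${config.numbus-server.mail.smtpPort}
          - LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION=${config.numbus-server.mail.smtpEncryption}
          - LLDAP_SMTP_OPTIONS__USER=${config.numbus-server.mail.smtpUsername}
          - LLDAP_SMTP_OPTIONS__PASSWORD=${config.sops.placeholder."mail/smtpPassword"}
          - LLDAP_SMTP_OPTIONS__FROM=no-reply <${config.numbus-server.mail.fromAddress}>
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

    networks:
      lldap:
        driver: bridge
        name: lldap
        ipam:
          config:
            - subnet: "10.89.185.0/24"
              gateway: "10.89.185.254"
  '';
}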