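{ config, lib, libS, ... }:

# Opt-in LDAP authentication for HedgeDoc, derived from the host-wide LDAP
# settings in `config.security.ldap`, plus an optional access group that is
# seeded into Portunus.
let
  cfg = config.services.hedgedoc.ldap;
  inherit (config.security) ldap;
in
{
  options = {
    services.hedgedoc.ldap = {
      enable = lib.mkEnableOption (lib.mdDoc ''
        login only via LDAP.

        Use `services.hedgedoc.environmentFile` in format `bindCredentials=password` to set the credentials used by the search user
      '');

      # Optional LDAP group name; when set it is folded into the search
      # filter and seeded into Portunus. Option definition comes from libS.
      userGroup = libS.ldap.mkUserGroupOption;
    };
  };

  # The bind password is never written into the Nix store; it has to come
  # from the environment file at service start. Fail evaluation early when
  # that file is missing instead of binding with the literal placeholder.
  config.assertions = lib.mkIf cfg.enable [
    {
      assertion = config.services.hedgedoc.environmentFile != null;
      message = "services.hedgedoc.ldap.enable requires services.hedgedoc.environmentFile providing bindCredentials=<password>";
    }
  ];

  config.services.hedgedoc.settings.ldap = lib.mkIf cfg.enable {
    # LDAP over TLS only; a plain ldap:// simple bind would send the
    # search user's password in clear text.
    url = "ldaps://${ldap.domainName}:${toString ldap.port}";
    bindDn = ldap.bindDN;
    # Placeholder expanded from the environment file at runtime, keeping
    # the secret out of the generated (store-resident) config.
    bindCredentials = "$bindCredentials";
    searchBase = ldap.userBaseDN;
    # `{{username}}` is replaced by HedgeDoc with the submitted login name.
    # NOTE(review): assumes HedgeDoc escapes it for LDAP filter syntax
    # before the search — confirm, otherwise this is a filter-injection path.
    searchFilter = ldap.searchFilterWithGroupFilter cfg.userGroup (ldap.userFilter "{{username}}");
    # System CA bundle; the LDAP server's certificate chain must validate
    # against it or the ldaps connection fails.
    tlsca = "/etc/ssl/certs/ca-certificates.crt";
    useridField = ldap.userField;
  };

  # Seed the access group into Portunus so it exists before the first login
  # attempt; with no group configured nothing is seeded.
  config.services.portunus.seedSettings.groups = lib.optional (cfg.userGroup != null) {
    long_name = "Hedgedoc Users";
    name = cfg.userGroup;
    permissions = {};
  };
}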