diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix
index 1c2ef0a..d3bce46 100644
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
@@ -44,15 +44,17 @@ in
 allowAnonymousEdits = true;
 defaultPermission = "limited";
 # ldap auth
- ldap = rec {
- url = "ldap://localhost";
- searchBase = "ou=users,${config.services.portunus.ldap.suffix}";
- searchFilter = "(uid={{username}})";
- bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}";
- bindCredentials = "\${LDAP_CREDENTIALS}";
- useridField = "uid";
- providerName = "iFSR";
- };
+ ldap =
+ let portunus = config.services.portunus;
+ in rec {
+ url = "ldaps://${portunus.domain}";
+ searchBase = "ou=users,${portunus.ldap.suffix}";
+ searchFilter = "(uid={{username}})";
+ bindDn = "uid=${portunus.ldap.searchUserName},${searchBase}";
+ bindCredentials = "\${LDAP_CREDENTIALS}";
+ useridField = "uid";
+ providerName = "iFSR";
+ };
 };
 };
diff --git a/modules/ldap.nix b/modules/ldap.nix
index 20755e4..4ccc19d 100644
--- a/modules/ldap.nix
+++ b/modules/ldap.nix
@@ -7,18 +7,13 @@ let
 name = "admins";
 long_name = "Portunus Admin";
 members = [ "admin" ];
- permissions = {
- portunus.is_admin = true;
- ldap.can_read = true;
- };
+ permissions.portunus.is_admin = true;
 }
 {
 name = "search";
 long_name = "LDAP search group";
 members = [ "search" ];
- permissions = {
- ldap.can_read = true;
- };
+ permissions.ldap.can_read = true;
 }
 {
 name = "fsr";
@@ -73,7 +68,7 @@ in
 # disables port 389, use 636 with tls
 # `portunus.domain` resolves to localhost
- tls = false;
+ tls = true;
 };
 seedPath = pkgs.writeText "portunus-seed.json" (builtins.toJSON seed);
@@ -113,7 +108,7 @@ in
 let portunus = config.services.portunus;
 in rec {
 enable = true;
- server = "ldap://localhost";
+ server = "ldaps://${portunus.domain}";
 base = "ou=users,${portunus.ldap.suffix}";
 bind = {
 distinguishedName = "uid=${portunus.ldap.searchUserName},${base}";
diff --git a/modules/mail.nix b/modules/mail.nix
index d047743..157db93 100644
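Review bot: Switching the scheme to `ldaps://` in the new `url` line encrypts the transport, but whether HedgeDoc actually verifies the Portunus certificate is decided by client-side settings this hunk does not touch; the same applies to the `server`, `uris`, `serverUri`, `uri` and `hostname` lines in ldap.nix, mail.nix, mailman.nix, matrix.nix and sogo.nix. If the certificate for `portunus.domain` is not issued by a CA in the system trust store, each client needs the CA configured (HedgeDoc's LDAP settings expose a `tlsca` field for this as far as I recall; nslcd uses `tls_cacertfile`/`tls_reqcert`, Dovecot `tls_ca_cert_file`/`tls_require_cert`), and a client set to not demand a valid certificate keeps the old trust level despite the new scheme. I would record the decision next to the `url` line, e.g. `# ldaps: the certificate for portunus.domain must verify against the system CA store`. The attribute set enclosing `ldap` continues outside the hunk.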
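Review bot: The new `permissions.portunus.is_admin = true;` line in ldap.nix drops `ldap.can_read` from the `admins` group, so the `admin` member loses the LDAP read grant it had before; that is a permission change, not the flattening the rest of the hunk suggests. If `admin` never binds to the directory this is a sound least-privilege reduction, but if anything does bind as `admin` (I cannot tell from the diff) it breaks at the same time as the TLS switch and will be hard to attribute. Either way it deserves a line in the commit message or a comment such as `# admin manages Portunus only; directory reads go through the search user`. The `search` group change further down is a pure flattening and keeps its grant.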
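Review bot: Nothing in the `tls = true;` hunk of ldap.nix shows where the certificate that this setting requires comes from (the upstream NixOS Portunus module expects one for `services.portunus.domain`, via ACME if I remember right); if it is missing the directory side fails rather than the clients. Since the second comment says the domain resolves to localhost, the name in the client URIs and the certificate's subject must agree or every client that verifies will refuse to bind. I would rewrite the two comments as a statement of the current state, e.g. `# TLS on: port 389 is disabled, clients use ldaps on 636` and `# portunus.domain resolves to localhost; the certificate must still be valid for that name`. Any LDAP consumer outside this diff still pointed at `ldap://localhost` stops working once 389 is closed.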
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -11,7 +11,7 @@ let
 #result_attribute=mail
 #'';
 dovecot-ldap-args = pkgs.writeText "ldap-args" ''
- uris = ldap://localhost
+ uris = ldaps://${config.services.portunus.domain}
 dn = uid=search, ou=users, dc=ifsr, dc=de
 auth_bind = yes
 !include ${config.sops.secrets."dovecot_ldap_search".path}
diff --git a/modules/mailman.nix b/modules/mailman.nix
index 866ae57..1099728 100644
--- a/modules/mailman.nix
+++ b/modules/mailman.nix
@@ -13,7 +13,7 @@
 siteOwner = "root@${config.fsr.domain}";
 ldap = {
 enable = true;
- serverUri = "ldap://localhost";
+ serverUri = "ldaps://${config.services.portunus.domain}";
 bindDn = "uid=search, ou=users, dc=ifsr, dc=de";
 bindPasswordFile = config.sops.secrets.mailman_ldap_search.path;
 userSearch = {
diff --git a/modules/matrix.nix b/modules/matrix.nix
index a79e4a7..80da2a8 100644
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@@ -101,7 +101,7 @@ in
 - module: ldap_auth_provider.LdapAuthProviderModule
 config:
 enabled: true
- uri: ldap://localhost
+ uri: ldaps://${portunus.domain}
 base: ou=users,${portunus.ldap.suffix}
 # taken from kaki config
 attributes:
diff --git a/modules/sogo.nix b/modules/sogo.nix
index 4ac2eb4..37bb780 100644
--- a/modules/sogo.nix
+++ b/modules/sogo.nix
@@ -28,7 +28,7 @@ in
 baseDN = "ou=users, dc=ifsr, dc=de";
 bindDN = "uid=search, ou=users, dc=ifsr, dc=de";
 bindPassword = LDAP_SEARCH;
- hostname = "ldap://localhost";
+ hostname = "ldaps://${config.services.portunus.domain}";
 canAuthenticate = YES;
 id = directory;
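Review bot: The new `uris` line in mail.nix derives the host from `config.services.portunus.domain`, yet the `dn = uid=search, ou=users, dc=ifsr, dc=de` line just below still hardcodes both the search user and the suffix that hedgedoc.nix and ldap.nix take from `portunus.ldap.searchUserName` and `portunus.ldap.suffix`; the same holds for `bindDn` in mailman.nix and `baseDN`/`bindDN` in sogo.nix. A later change to the suffix or the search user would then be picked up by some clients and silently missed by others. I would write `dn = uid=${config.services.portunus.ldap.searchUserName},ou=users,${config.services.portunus.ldap.suffix}` here and the equivalent in the other two files. The `dovecot-ldap-args` string continues outside the hunk.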