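# NixOS module: Hydra CI with LDAP-backed authentication, served behind nginx.
#
# The LDAP bind password is deliberately NOT written here: Hydra's config
# `include` directive pulls in the sops-managed secret file at runtime, so that
# file is expected to carry the `bindpw = ...` line for the search account.
{ config, ... }:
let
  # Public hostname; used both for the nginx vhost and for Hydra's absolute links.
  domain = "hydra.ifsr.de";
in
{
  # Secret file consumed by the `include` in extraConfig below. Owned by the
  # hydra user and group-readable only (0440), so other services on the host
  # cannot read the LDAP bind password.
  sops.secrets."hydra_ldap_search" = {
    owner = "hydra";
    group = "hydra";
    mode = "440";
  };

  services.hydra = {
    enable = true;
    # Plain HTTP on this port; nginx terminates TLS and proxies to it over loopback.
    port = 4000;
    # Base URL Hydra uses for links in notification emails. nginx forces SSL
    # below, so the scheme must be https or those links will not resolve.
    hydraURL = "https://${domain}";
    notificationSender = "hydra@localhost";
    # No remote builders configured; everything builds on this host.
    buildMachinesFiles = [ ];
    useSubstitutes = true;
    # Catalyst::Authentication LDAP configuration; the <...> section tags are
    # the layout Hydra's hydra.conf expects for an LDAP realm.
    extraConfig = ''
      <ldap>
        <config>
          <credential>
            class = Password
            password_field = password
            password_type = self_check
          </credential>
          <store>
            class = LDAP
            ldap_server = localhost
            <ldap_server_options>
              timeout = 30
            </ldap_server_options>
            # Dedicated low-privilege search account; its password comes from
            # the included secret file, never from the world-readable Nix store.
            binddn = "uid=search,ou=users,dc=ifsr,dc=de"
            include ${config.sops.secrets.hydra_ldap_search.path}
            # Cleartext LDAP without certificate verification is only
            # tolerable because ldap_server is localhost. If the directory
            # ever moves off-host, set start_tls = 1 and a verify mode that
            # checks the server certificate.
            start_tls = 0
            <start_tls_options>
              verify = none
            </start_tls_options>
            user_basedn = "ou=users,dc=ifsr,dc=de"
            # Only posixAccount entries can log in; %s is the supplied username.
            user_filter = "(&(objectClass=posixAccount)(uid=%s))"
            user_scope = one
            user_field = uid
            <user_search_options>
              deref = always
            </user_search_options>
            # Important for role mappings to work:
            use_roles = 1
            role_basedn = "ou=groups,dc=ifsr,dc=de"
            # Group membership is resolved by the user's DN (role_value = dn).
            role_filter = "(&(objectClass=groupOfNames)(member=%s))"
            role_scope = one
            role_field = cn
            role_value = dn
            <role_search_options>
              deref = always
            </role_search_options>
          </store>
        </config>
        <role_mapping>
          # Make all users in the hydra_admin group Hydra admins
          admins = admin
        </role_mapping>
      </ldap>
    '';
  };

  # TLS-terminating reverse proxy in front of Hydra; ACME provisions the cert.
  services.nginx.virtualHosts."${domain}" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
    };
  };
}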