feat: mail server

system/modules/openldap.nix

@@ -0,0 +1,129 @@
+{
+  urlList ? [ "ldap:///" ],
+}:
+{
+  pkgs,
+  config,
+  ...
+}:
+let
+  create_ldap_user = pkgs.writeShellScriptBin "create_ldap_user" ''
+    # Base DN for LDAP directory
+    BASE_DN="dc=net,dc=dn"
+    # Organizational Unit (OU) where users are stored
+    OU="people"
+
+    # Prompt for username
+    read -p "Please enter the username: " USERNAME
+
+    # Prompt for password (hidden input)
+    read -s -p "Please enter the password: " USER_PASSWORD
+    echo
+    # Prompt for password confirmation (hidden input)
+    read -s -p "Please confirm the password: " USER_PASSWORD_CONFIRM
+    echo
+
+    # Check if the entered passwords match
+    if [ "$USER_PASSWORD" != "$USER_PASSWORD_CONFIRM" ]; then
+      echo "❌ Passwords do not match. Please run the script again."
+      exit 1
+    fi
+
+    # Hash the password using slappasswd
+    PASSWORD_HASH=$(slappasswd -s "$USER_PASSWORD")
+
+    # Construct the Distinguished Name (DN) for the user
+    USER_DN="uid=$USERNAME,ou=$OU,$BASE_DN"
+
+    # Check if the base DN (dc=net,dc=dn) exists, if not, create it
+    ldapsearch -x -b "$BASE_DN" > /dev/null 2>&1
+    if [ $? -ne 0 ]; then
+      echo "⚠️ $BASE_DN does not exist. Creating it now..."
+      cat <<EOF | ldapadd -x -D "cn=admin,$BASE_DN" -W
+    dn: $BASE_DN
+    objectClass: top
+    objectClass: domain
+    dc: net
+    EOF
+    fi
+
+    # Check if the OU exists, if not, create it
+    ldapsearch -x -b "ou=$OU,$BASE_DN" > /dev/null 2>&1
+    if [ $? -ne 0 ]; then
+      echo "⚠️ OU=$OU does not exist. Creating it now..."
+      cat <<EOF | ldapadd -x -D "cn=admin,$BASE_DN" -W
+    dn: ou=$OU,$BASE_DN
+    objectClass: organizationalUnit
+    ou: $OU
+    EOF
+    fi
+
+    # Add the user entry to the LDAP directory
+    cat <<EOF | ldapadd -x -D "cn=admin,$BASE_DN" -W
+    dn: $USER_DN
+    objectClass: inetOrgPerson
+    objectClass: organizationalPerson
+    objectClass: person
+    objectClass: top
+    uid: $USERNAME
+    cn: $USERNAME
+    sn: $USERNAME
+    userPassword: $PASSWORD_HASH
+    EOF
+
+    # Confirm the user was successfully created
+    echo "✅ User $USERNAME has been successfully created."  '';
+in
+{
+  environment.systemPackages = [
+    create_ldap_user
+  ];
+
+  services.openldap = {
+    enable = true;
+    urlList = urlList;
+
+    settings = {
+      attrs = {
+        olcLogLevel = "conns config";
+      };
+
+      children = {
+        "cn=schema".includes = [
+          "${pkgs.openldap}/etc/schema/core.ldif"
+          "${pkgs.openldap}/etc/schema/cosine.ldif"
+          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+        ];
+
+        "olcDatabase={1}mdb".attrs = {
+          objectClass = [
+            "olcDatabaseConfig"
+            "olcMdbConfig"
+          ];
+
+          olcDatabase = "{1}mdb";
+          olcDbDirectory = "/var/lib/openldap/data";
+
+          olcSuffix = "dc=net,dc=dn";
+
+          olcRootDN = "cn=admin,dc=net,dc=dn";
+          olcRootPW.path = config.sops.secrets."openldap/adminPassword".path;
+
+          olcAccess = [
+            # custom access rules for userPassword attributes
+            ''
+              {0}to attrs=userPassword
+                by self write
+                by anonymous auth
+                by * none''
+
+            # allow read on anything else
+            ''
+              {1}to *
+                by * read''
+          ];
+        };
+      };
+    };
+  };
+}