add declarative lldap using secrets contract

Author: ibizaman

docs/redirects.json

@@ -311,8 +311,11 @@
   "blocks-lldap-global-setup": [
     "blocks-lldap.html#blocks-lldap-global-setup"
   ],
-  "blocks-lldap-manage-user-group": [
-    "blocks-lldap.html#blocks-lldap-manage-user-group"
+  "blocks-lldap-manage-groups": [
+    "blocks-lldap.html#blocks-lldap-manage-groups"
+  ],
+  "blocks-lldap-manage-users": [
+    "blocks-lldap.html#blocks-lldap-manage-users"
   ],
   "blocks-lldap-options": [
     "blocks-lldap.html#blocks-lldap-options"
@@ -362,6 +365,105 @@
   "blocks-lldap-options-shb.lldap.enable": [
     "blocks-lldap.html#blocks-lldap-options-shb.lldap.enable"
   ],
+  "blocks-lldap-options-shb.lldap.ensureGroupFields": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureGroupFields"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureGroupFields._name_.attributeType": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureGroupFields._name_.attributeType"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureGroupFields._name_.isEditable": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureGroupFields._name_.isEditable"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureGroupFields._name_.isList": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureGroupFields._name_.isList"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureGroupFields._name_.isVisible": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureGroupFields._name_.isVisible"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureGroupFields._name_.name": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureGroupFields._name_.name"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureGroups": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureGroups"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureGroups._name_.name": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureGroups._name_.name"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUserFields": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUserFields"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUserFields._name_.attributeType": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUserFields._name_.attributeType"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUserFields._name_.isEditable": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUserFields._name_.isEditable"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUserFields._name_.isList": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUserFields._name_.isList"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUserFields._name_.isVisible": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUserFields._name_.isVisible"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUserFields._name_.name": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUserFields._name_.name"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.avatar_file": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.avatar_file"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.avatar_url": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.avatar_url"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.displayName": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.displayName"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.email": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.email"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.firstName": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.firstName"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.gravatar_avatar": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.gravatar_avatar"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.groups": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.groups"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.id": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.id"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.lastName": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.lastName"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.password": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.password"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.password.request": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.password.request"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.password.request.group": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.password.request.group"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.password.request.mode": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.password.request.mode"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.password.request.owner": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.password.request.owner"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.password.request.restartUnits": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.password.request.restartUnits"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.password.result": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.password.result"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.password.result.path": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.password.result.path"
+  ],
+  "blocks-lldap-options-shb.lldap.ensureUsers._name_.weser_avatar": [
+    "blocks-lldap.html#blocks-lldap-options-shb.lldap.ensureUsers._name_.weser_avatar"
+  ],
   "blocks-lldap-options-shb.lldap.jwtSecret": [
     "blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret"
   ],

flake.nix

@@ -15,6 +15,11 @@
     let
       originPkgs = nixpkgs.legacyPackages.${system};
       shbPatches = originPkgs.lib.optionals (system == "x86_64-linux") [
+        # Get rid of lldap patches when https://github.com/NixOS/nixpkgs/pull/425923 is merged.
+        ./patches/0001-lldap-lldap-0.6.1-unstable-2025-07-16.patch
+        ./patches/0002-lldap-add-options-to-set-important-secrets.patch
+        ./patches/0003-lldap-bootstrap-init-unstable-2025-07-16-lldap-add-e.patch
+
         # Leaving commented out as an example.
         # (originPkgs.fetchpatch {
         #   url = "https://github.com/NixOS/nixpkgs/pull/317107.patch";

modules/blocks/lldap.nix

@@ -6,6 +6,46 @@ let
   contracts = pkgs.callPackage ../contracts {};
 
   fqdn = "${cfg.subdomain}.${cfg.domain}";
+
+  inherit (lib) mkOption types;
+
+  ensureFormat = pkgs.formats.json { };
+
+  ensureFieldsOptions = name: {
+    name = mkOption {
+      type = types.str;
+      description = "Name of the field.";
+      default = name;
+    };
+
+    attributeType = mkOption {
+      type = types.enum [
+        "STRING"
+        "INTEGER"
+        "JPEG"
+        "DATE_TIME"
+      ];
+      description = "Attribute type.";
+    };
+
+    isEditable = mkOption {
+      type = types.bool;
+      description = "Is field editable.";
+      default = true;
+    };
+
+    isList = mkOption {
+      type = types.bool;
+      description = "Is field a list.";
+      default = false;
+    };
+
+    isVisible = mkOption {
+      type = types.bool;
+      description = "Is field visible in UI.";
+      default = true;
+    };
+  };
 in
 {
   options.shb.lldap = {
@@ -118,10 +158,155 @@ in
         };
       };
     };
+
+    ensureUsers = mkOption {
+      description = ''
+        Create the users defined here on service startup.
+
+        If `enforceEnsure` option is `true`, the groups
+        users belong to must be present in the `ensureGroups` option.
+
+        Non-default options must be added to the `ensureGroupFields` option.
+      '';
+      default = { };
+      type = types.attrsOf (
+        types.submodule (
+          { name, ... }:
+          {
+            freeformType = ensureFormat.type;
+
+            options = {
+              id = mkOption {
+                type = types.str;
+                description = "Username.";
+                default = name;
+              };
+
+              email = mkOption {
+                type = types.str;
+                description = "Email.";
+              };
+
+              password = mkOption {
+                description = "Password.";
+                type = lib.types.submodule {
+                  options = contracts.secret.mkRequester {
+                    mode = "0440";
+                    owner = "lldap";
+                    group = "lldap";
+                    restartUnits = [ "lldap.service" ];
+                  };
+                };
+              };
+
+              displayName = mkOption {
+                type = types.nullOr types.str;
+                default = null;
+                description = "Display name.";
+              };
+
+              firstName = mkOption {
+                type = types.nullOr types.str;
+                default = null;
+                description = "First name.";
+              };
+
+              lastName = mkOption {
+                type = types.nullOr types.str;
+                default = null;
+                description = "Last name.";
+              };
+
+              avatar_file = mkOption {
+                type = types.nullOr types.str;
+                default = null;
+                description = "Avatar file. Must be a valid path to jpeg file (ignored if avatar_url specified)";
+              };
+
+              avatar_url = mkOption {
+                type = types.nullOr types.str;
+                default = null;
+                description = "Avatar url. must be a valid URL to jpeg file (ignored if gravatar_avatar specified)";
+              };
+
+              gravatar_avatar = mkOption {
+                type = types.nullOr types.str;
+                default = null;
+                description = "Get avatar from Gravatar using the email.";
+              };
+
+              weser_avatar = mkOption {
+                type = types.nullOr types.str;
+                default = null;
+                description = "Convert avatar retrieved by gravatar or the URL.";
+              };
+
+              groups = mkOption {
+                type = types.listOf types.str;
+                default = [ ];
+                description = "Groups the user would be a member of (all the groups must be specified in group config files).";
+              };
+            };
+          }
+        )
+      );
+    };
+
+    ensureGroups = mkOption {
+      description = ''
+        Create the groups defined here on service startup.
+
+        Non-default options must be added to the `ensureGroupFields` option.
+      '';
+      default = { };
+      type = types.attrsOf (
+        types.submodule (
+          { name, ... }:
+          {
+            freeformType = ensureFormat.type;
+
+            options = {
+              name = mkOption {
+                type = types.str;
+                description = "Name of the group.";
+                default = name;
+              };
+            };
+          }
+        )
+      );
+    };
+
+    ensureUserFields = mkOption {
+      description = "Extra fields for users";
+      default = { };
+      type = types.attrsOf (
+        types.submodule (
+          { name, ... }:
+          {
+            options = ensureFieldsOptions name;
+          }
+        )
+      );
+    };
+
+    ensureGroupFields = mkOption {
+      description = "Extra fields for groups";
+      default = { };
+      type = types.attrsOf (
+        types.submodule (
+          { name, ... }:
+          {
+            options = ensureFieldsOptions name;
+          }
+        )
+      );
+    };
   };
 
 
   config = lib.mkIf cfg.enable {
+
     services.nginx = {
       enable = true;
 
@@ -151,10 +336,12 @@ in
     services.lldap = {
       enable = true;
 
-      environment = {
-        LLDAP_JWT_SECRET_FILE = toString cfg.jwtSecret.result.path;
-        LLDAP_LDAP_USER_PASS_FILE = toString cfg.ldapUserPassword.result.path;
+      adminPasswordFile = toString cfg.ldapUserPassword.result.path;
+      jwtSecretFile = toString cfg.jwtSecret.result.path;
+      resetAdminPassword = "always";
+      enforceEnsure = true;
 
+      environment = {
         RUST_LOG = lib.mkIf cfg.debug "debug";
       };
 
@@ -170,6 +357,11 @@ in
 
         verbose = cfg.debug;
       };
+
+      inherit (cfg) ensureGroups ensureUserFields ensureGroupFields;
+      ensureUsers = lib.mapAttrs (n: v: (lib.removeAttrs v [ "password" ]) // {
+        "password_file" = v.password.result.path;
+      }) cfg.ensureUsers;
     };
   };
 }