1 {pkgs, lib, config, ...}:
2 let inherit (config) networking;
3 inherit (config.services) openldap;
4 inherit (config.users) users groups;
5 inherit (pkgs.lib) unlines;
6 domainSuffix = openldap.domainSuffix;
10 , gidNumber ? uidNumber
13 , userPassword ? "{SSHA}dwqaKo5nmId8Bym5PghloK+UEndwrVTN"
15 , loginShell ? "/run/current-system/sw/bin/bash"
17 , mailForwardingAddress ? []
18 , domain ? networking.domain
19 }: "\n" + lib.concatStringsSep "\n\n" [
21 dn: uid=${uid},ou=accounts,ou=posix,${domainSuffix}
23 objectClass: posixAccount
24 objectClass: PostfixBookMailAccount
25 objectClass: PostfixBookMailForward
28 mail: ${uid}${lib.optionalString (networking.domain != "") "@${networking.domain}"}
29 mailEnabled: ${if mailEnabled then "TRUE" else "FALSE"}
30 #mailGroupMember: ${networking.domainBase}
31 homeDirectory: /home/${uid}
32 uidNumber: ${toString uidNumber}
33 gidNumber: ${toString gidNumber}
34 loginShell: ${loginShell}'' ]
35 ++ lib.optional (userPassword != "") "userPassword: ${userPassword}"
36 ++ map (forward: "mailForwardingAddress: ${forward}") mailForwardingAddress
37 ++ map (alias: "mailAlias: ${alias}@${networking.domain}") mailAlias
38 ++ lib.optional (mailAlias == []) "mailAlias:"
39 # NOTE: required by PostfixBookMailForward
42 dn: cn=${uid},ou=groups,ou=posix,${domainSuffix}
44 objectClass: posixGroup
45 gidNumber: ${toString gidNumber}
57 # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
58 dn: olcBackend={1}mdb,cn=config
59 objectClass: olcBackendConfig
61 dn: olcDatabase={1}mdb,cn=config
62 objectClass: olcDatabaseConfig
63 objectClass: olcMdbConfig
64 # NOTE: checkpoint the database periodically in case of system failure
65 # and to speed slapd shutdown.
66 olcDbCheckpoint: 512 30
67 # Database max size is 1G
68 olcDbMaxSize: 1073741824
70 # NOTE: database superuser. Needed for syncrepl.
71 olcRootDN: cn=admin,${domainSuffix}
72 # NOTE: superuser password, generated with slappasswd -s SECRET
73 #olcRootPW: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
75 olcDbIndex: objectClass eq
77 olcDbIndex: uidNumber,gidNumber eq
78 olcDbIndex: member,memberUid eq
80 olcDbIndex: mailEnabled eq
82 olcAccess: to attrs=userPassword
85 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
87 olcAccess: to attrs=shadowLastChange
90 olcAccess: to dn.sub="ou=posix,${domainSuffix}"
91 by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
92 by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read
93 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
94 # NOTE: dovecot/auth runs as root, hence the gidNumber=0+uidNumber=0
102 objectClass: dcObject
103 objectClass: organization
104 o: ${networking.domainBase}
106 dn: cn=admin,${domainSuffix}
107 objectClass: simpleSecurityObject
108 objectClass: organizationalRole
109 description: ${networking.domainBase} LDAP administrator
110 roleOccupant: ${domainSuffix}
112 #userPassword: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
114 dn: ou=posix,${domainSuffix}
116 objectClass: organizationalUnit
118 dn: ou=accounts,ou=posix,${domainSuffix}
120 objectClass: organizationalUnit
122 dn: ou=groups,ou=posix,${domainSuffix}
124 objectClass: organizationalUnit
126 dn: cn=${networking.domainBase},ou=groups,ou=posix,${domainSuffix}
128 objectClass: posixGroup
134 + lib.concatMapStrings posixAccount [
135 { uid="ju"; uidNumber=10000; cn="Julien M."; sn="julm"; mailAlias = ["juju"]; }
136 { uid="sevy"; uidNumber=10001; cn="Séverine P."; sn="sévy"; mailAlias = ["severine.popek" "ouais-ouais"]; }
137 { uid="nomail"; uidNumber=10002; mailAlias = ["noalias"]; mailEnabled = false; }
138 { uid="post"; domain="friot"; mailForwardingAddress = ["ju@${networking.domain}"]; }
139 { uid="host"; mailForwardingAddress = ["ju@${networking.domain}"]; }
sourcephile / git / sourcephile-nix.git / blob