servers/mermet/openldap/sourcephile.fr.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (builtins) hasAttr;
   4   inherit (builtins.extraBuiltins) pass-chomp;
   5   inherit (config) networking;
   6   inherit (config.services) openldap postfix dovecot2;
   7   inherit (config.users) users groups;
   8   inherit (pkgs.lib) unlines;
   9   domain = "sourcephile.fr";
  10   domainGroup = "sourcephile";
  11   domainOrg = "sourcephile";
  12   domainSuffix = "dc=" + lib.concatStringsSep ",dc=" (lib.splitString "." domain);
  13   posixAccount =
  14    { uid
  15    , uidNumber
  16    , gidNumber ? uidNumber
  17    , cn ? ""
  18    , sn ? ""
  19    , userPassword ? null # Use slappasswd -o module-load=pw-pbkdf2 -h "{PBKDF2-SHA256}"
  20    , mailAlias ? []
  21    , homeDirectory ? ""
  22    , mailStorageDirectory ? null
  23    , loginShell ? "/run/current-system/sw/bin/bash"
  24    , mailEnabled ? true
  25    , mailForwardingAddress ? []
  26    }:
  27     "\n" + lib.concatStringsSep "\n\n" [
  28     (unlines ([ ''
  29       dn: uid=${uid},ou=accounts,ou=posix,${domainSuffix}
  30       objectClass: person
  31       objectClass: posixAccount
  32       objectClass: shadowAccount
  33       objectClass: PostfixBookMailAccount
  34       objectClass: PostfixBookMailForward
  35       cn: ${cn}
  36       sn: ${sn}
  37       mail: ${uid}@${domain}
  38       mailEnabled: ${if mailEnabled then "TRUE" else "FALSE"}
  39       mailGroupMember: ${domainGroup}''
  40       ]
  41       ++ [ "uidNumber: ${toString uidNumber}" ]
  42       ++ [ "gidNumber: ${toString gidNumber}" ]
  43       ++ [ "homeDirectory: ${homeDirectory}" ]
  44       ++ lib.optional (loginShell != null)  "loginShell: ${loginShell}"
  45       ++ lib.optional (userPassword != null) "userPassword: ${userPassword}"
  46       ++ lib.optional (mailStorageDirectory != null) "mailStorageDirectory: ${mailStorageDirectory}"
  47       ++ map (forward: "mailForwardingAddress: ${forward}") mailForwardingAddress
  48       ++ map (alias: "mailAlias: ${alias}@${domain}") mailAlias
  49       ++ lib.optional (mailAlias == []) "mailAlias:"
  50       # NOTE: required by PostfixBookMailForward
  51     ))
  52     ''
  53       dn: cn=${uid},ou=groups,ou=posix,${domainSuffix}
  54       objectClass: top
  55       objectClass: posixGroup
  56       gidNumber: ${toString gidNumber}
  57       memberUid: ${uid}
  58     ''
  59   ];
  60 in
  61 {
  62 # DEBUG: echo "$(nixops show-option mermet -d production services.openldap.databases."g".data)"
  63 services.openldap.databases."${domainSuffix}" = {
  64   #
  65   #
  66   # WARNING: this deletes data.
  67   #
  68   #
  69   resetData = true;
  70
  71   # DEBUG: sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
  72   # WARNING: newlines matter
  73   conf = ''
  74     dn: olcBackend=mdb,cn=config
  75     objectClass: olcBackendConfig
  76
  77     dn: olcDatabase=mdb,cn=config
  78     objectClass: olcDatabaseConfig
  79     objectClass: olcMdbConfig
  80     # Checkpoint the database periodically in case of system failure
  81     # and to speed up slapd shutdown.
  82     olcDbCheckpoint: 512 30
  83     # Database max size is 1G
  84     olcDbMaxSize: 1073741824
  85     olcLastMod: TRUE
  86     # Database superuser. Needed for syncrepl.
  87     olcRootDN: cn=admin,${domainSuffix}
  88     # Superuser password, generated with slappasswd -h "{SSHA}"
  89     # Commented-out because SASL EXTERNAL mechanism is used.
  90     #olcRootPW: {SSHA}COkATGNe7rs/g8vWcYP5rqt4u5sWdMgP
  91     #
  92     olcDbIndex: objectClass eq
  93     olcDbIndex: cn,uid eq
  94     olcDbIndex: uidNumber,gidNumber eq
  95     olcDbIndex: member,memberUid eq
  96     olcDbIndex: mail eq
  97     olcDbIndex: mailAlias eq
  98     olcDbIndex: mailEnabled eq
  99     #
 100     olcAccess: to attrs=userPassword
 101       by self write
 102       by anonymous auth
 103       by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
 104       by * none
 105     olcAccess: to attrs=shadowLastChange
 106       by self write
 107       by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
 108       by * none
 109     olcAccess: to dn.sub="ou=posix,${domainSuffix}"
 110       by self read
 111       by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
 112       ${lib.optionalString (hasAttr postfix.user users) ''by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read''}
 113       ${lib.optionalString (hasAttr dovecot2.user users) ''by dn="gidNumber=${toString groups.dovecot2.gid}+uidNumber=${toString users.dovecot2.uid},cn=peercred,cn=external,cn=auth" read''}
 114       by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
 115     olcAccess: to *
 116       by self read
 117       by * none
 118   '';
 119   data = ''
 120     dn: ${domainSuffix}
 121     objectClass: top
 122     objectClass: dcObject
 123     objectClass: organization
 124     o: ${domainOrg}
 125
 126     dn: cn=admin,${domainSuffix}
 127     objectClass: simpleSecurityObject
 128     objectClass: organizationalRole
 129     description: ${domainOrg} LDAP administrator
 130     roleOccupant: ${domainSuffix}
 131     userPassword:
 132
 133     dn: ou=posix,${domainSuffix}
 134     objectClass: top
 135     objectClass: organizationalUnit
 136
 137     dn: ou=accounts,ou=posix,${domainSuffix}
 138     objectClass: top
 139     objectClass: organizationalUnit
 140
 141     dn: ou=groups,ou=posix,${domainSuffix}
 142     objectClass: top
 143     objectClass: organizationalUnit
 144
 145     dn: cn=${domainGroup},ou=groups,ou=posix,${domainSuffix}
 146     objectClass: top
 147     objectClass: posixGroup
 148     gidNumber: 20000
 149     memberUid: julm
 150     memberUid: sevy
 151
 152   ''
 153   + lib.concatMapStrings posixAccount [ rec
 154     { uid = "julm";
 155       cn = "Julien Moutinho";
 156       sn = uid;
 157       uidNumber = users.julm.uid;
 158       gidNumber = groups.julm.gid;
 159       mailAlias = [ "julien.moutinho" ];
 160       userPassword = pass-chomp "members/julm/mail/hashedPassword";
 161       mailStorageDirectory =
 162         let stateDir = "/var/lib/dovecot";
 163             d=domain;
 164         in
 165         # I'm personnaly using "maildir:" instead of "sdbox:" to be able to use a local (neo)mutt on it,
 166         # bypassing IMAP because (neo)mutt support of IMAP is very bad
 167         # (can't even have a decent $folder_format (with %n or %m) working,
 168         # neither sorting them by date).
 169         "maildir:${stateDir}/mail/${d}/${uid}/mail.d:LAYOUT=maildir++:UTF-8:CONTROL=${stateDir}/control/${d}/${uid}:INDEX=${stateDir}/index/${d}/${uid}";
 170     }
 171     #{ uid="sevy"; uidNumber=10001; cn="Séverine Popek"; sn="sévy";
 172     #  mailAlias = ["severine.popek" "ouais-ouais"]; }
 173     #{ uid="nomail"; uidNumber=10002; mailAlias = ["noalias"]; mailEnabled = false; }
 174     #{ uid="post"; mailForwardingAddress = ["ju@${domain}"]; }
 175     #{ uid="host"; mailForwardingAddress = ["ju@${domain}"]; }
 176   ];
 177 };
 178 }