]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/openldap/sourcephile.fr.nix
openldap: enable SHA2 and PBKDF2 support
[sourcephile-nix.git] / servers / mermet / openldap / sourcephile.fr.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) hasAttr;
4 inherit (builtins.extraBuiltins) pass-chomp;
5 inherit (config) networking;
6 inherit (config.services) openldap postfix dovecot2;
7 inherit (config.users) users groups;
8 inherit (pkgs.lib) unlines;
9 domain = "sourcephile.fr";
10 domainGroup = "sourcephile";
11 domainOrg = "sourcephile";
12 domainSuffix = "dc=" + lib.concatStringsSep ",dc=" (lib.splitString "." domain);
13 posixAccount =
14 { uid
15 , uidNumber
16 , gidNumber ? uidNumber
17 , cn ? ""
18 , sn ? ""
19 , userPassword ? null # Use slappasswd -o module-load=pw-pbkdf2 -h "{PBKDF2-SHA256}"
20 , mailAlias ? []
21 , homeDirectory ? ""
22 , mailStorageDirectory ? null
23 , loginShell ? "/run/current-system/sw/bin/bash"
24 , mailEnabled ? true
25 , mailForwardingAddress ? []
26 }:
27 "\n" + lib.concatStringsSep "\n\n" [
28 (unlines ([ ''
29 dn: uid=${uid},ou=accounts,ou=posix,${domainSuffix}
30 objectClass: person
31 objectClass: posixAccount
32 objectClass: shadowAccount
33 objectClass: PostfixBookMailAccount
34 objectClass: PostfixBookMailForward
35 cn: ${cn}
36 sn: ${sn}
37 mail: ${uid}@${domain}
38 mailEnabled: ${if mailEnabled then "TRUE" else "FALSE"}
39 mailGroupMember: ${domainGroup}''
40 ]
41 ++ [ "uidNumber: ${toString uidNumber}" ]
42 ++ [ "gidNumber: ${toString gidNumber}" ]
43 ++ [ "homeDirectory: ${homeDirectory}" ]
44 ++ lib.optional (loginShell != null) "loginShell: ${loginShell}"
45 ++ lib.optional (userPassword != null) "userPassword: ${userPassword}"
46 ++ lib.optional (mailStorageDirectory != null) "mailStorageDirectory: ${mailStorageDirectory}"
47 ++ map (forward: "mailForwardingAddress: ${forward}") mailForwardingAddress
48 ++ map (alias: "mailAlias: ${alias}@${domain}") mailAlias
49 ++ lib.optional (mailAlias == []) "mailAlias:"
50 # NOTE: required by PostfixBookMailForward
51 ))
52 ''
53 dn: cn=${uid},ou=groups,ou=posix,${domainSuffix}
54 objectClass: top
55 objectClass: posixGroup
56 gidNumber: ${toString gidNumber}
57 memberUid: ${uid}
58 ''
59 ];
60 in
61 {
62 # DEBUG: echo "$(nixops show-option mermet -d production services.openldap.databases."g".data)"
63 services.openldap.databases."${domainSuffix}" = {
64 #
65 #
66 # WARNING: this deletes data.
67 #
68 #
69 resetData = true;
70
71 # DEBUG: sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
72 # WARNING: newlines matter
73 conf = ''
74 dn: olcBackend=mdb,cn=config
75 objectClass: olcBackendConfig
76
77 dn: olcDatabase=mdb,cn=config
78 objectClass: olcDatabaseConfig
79 objectClass: olcMdbConfig
80 # Checkpoint the database periodically in case of system failure
81 # and to speed up slapd shutdown.
82 olcDbCheckpoint: 512 30
83 # Database max size is 1G
84 olcDbMaxSize: 1073741824
85 olcLastMod: TRUE
86 # Database superuser. Needed for syncrepl.
87 olcRootDN: cn=admin,${domainSuffix}
88 # Superuser password, generated with slappasswd -h "{SSHA}"
89 # Commented-out because SASL EXTERNAL mechanism is used.
90 #olcRootPW: {SSHA}COkATGNe7rs/g8vWcYP5rqt4u5sWdMgP
91 #
92 olcDbIndex: objectClass eq
93 olcDbIndex: cn,uid eq
94 olcDbIndex: uidNumber,gidNumber eq
95 olcDbIndex: member,memberUid eq
96 olcDbIndex: mail eq
97 olcDbIndex: mailAlias eq
98 olcDbIndex: mailEnabled eq
99 #
100 olcAccess: to attrs=userPassword
101 by self write
102 by anonymous auth
103 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
104 by * none
105 olcAccess: to attrs=shadowLastChange
106 by self write
107 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
108 by * none
109 olcAccess: to dn.sub="ou=posix,${domainSuffix}"
110 by self read
111 by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
112 ${lib.optionalString (hasAttr postfix.user users) ''by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read''}
113 ${lib.optionalString (hasAttr dovecot2.user users) ''by dn="gidNumber=${toString groups.dovecot2.gid}+uidNumber=${toString users.dovecot2.uid},cn=peercred,cn=external,cn=auth" read''}
114 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
115 olcAccess: to *
116 by self read
117 by * none
118 '';
119 data = ''
120 dn: ${domainSuffix}
121 objectClass: top
122 objectClass: dcObject
123 objectClass: organization
124 o: ${domainOrg}
125
126 dn: cn=admin,${domainSuffix}
127 objectClass: simpleSecurityObject
128 objectClass: organizationalRole
129 description: ${domainOrg} LDAP administrator
130 roleOccupant: ${domainSuffix}
131 userPassword:
132
133 dn: ou=posix,${domainSuffix}
134 objectClass: top
135 objectClass: organizationalUnit
136
137 dn: ou=accounts,ou=posix,${domainSuffix}
138 objectClass: top
139 objectClass: organizationalUnit
140
141 dn: ou=groups,ou=posix,${domainSuffix}
142 objectClass: top
143 objectClass: organizationalUnit
144
145 dn: cn=${domainGroup},ou=groups,ou=posix,${domainSuffix}
146 objectClass: top
147 objectClass: posixGroup
148 gidNumber: 20000
149 memberUid: julm
150 memberUid: sevy
151
152 ''
153 + lib.concatMapStrings posixAccount [ rec
154 { uid = "julm";
155 cn = "Julien Moutinho";
156 sn = uid;
157 uidNumber = users.julm.uid;
158 gidNumber = groups.julm.gid;
159 mailAlias = [ "julien.moutinho" ];
160 userPassword = pass-chomp "members/julm/mail/hashedPassword";
161 mailStorageDirectory =
162 let stateDir = "/var/lib/dovecot";
163 d=domain;
164 in
165 # I'm personnaly using "maildir:" instead of "sdbox:" to be able to use a local (neo)mutt on it,
166 # bypassing IMAP because (neo)mutt support of IMAP is very bad
167 # (can't even have a decent $folder_format (with %n or %m) working,
168 # neither sorting them by date).
169 "maildir:${stateDir}/mail/${d}/${uid}/mail.d:LAYOUT=maildir++:UTF-8:CONTROL=${stateDir}/control/${d}/${uid}:INDEX=${stateDir}/index/${d}/${uid}";
170 }
171 #{ uid="sevy"; uidNumber=10001; cn="Séverine Popek"; sn="sévy";
172 # mailAlias = ["severine.popek" "ouais-ouais"]; }
173 #{ uid="nomail"; uidNumber=10002; mailAlias = ["noalias"]; mailEnabled = false; }
174 #{ uid="post"; mailForwardingAddress = ["ju@${domain}"]; }
175 #{ uid="host"; mailForwardingAddress = ["ju@${domain}"]; }
176 ];
177 };
178 }