]> Git — Sourcephile - sourcephile-nix.git/blob - nixos/modules/services/databases/openldap.nix
nix: use pkgs.mkShell
[sourcephile-nix.git] / nixos / modules / services / databases / openldap.nix
1 { pkgs, lib, config, ... }:
2 let inherit (builtins) baseNameOf readFile;
3 inherit (lib) types;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config.services) openldap;
6 inherit (config.users) ldap;
7 # FIXME: readFIle ?
8 copyFile = file: pkgs.writeText (baseNameOf file) (readFile file);
9 in
10 {
11 options = {
12 services.openldap.initConfig = lib.mkOption {
13 type = types.lines;
14 description = "The databases' initial config in LDIF.";
15 apply = lines: pkgs.writeText "cn=config.ldif"
16 (lines + "\n" + unlinesAttrs (olcSuffix: {conf, olcDbDirectory, ...}:
17 "include: file://" + pkgs.writeText "config.ldif" (conf + ''
18 olcSuffix: ${olcSuffix}
19 olcDbDirectory: ${olcDbDirectory}
20 '')
21 ) openldap.databases);
22 # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b "" -s base supportedControl
23 default = ''
24 dn: cn=config
25 objectClass: olcGlobal
26 #olcPidFile: /run/slapd/slapd.pid
27 # List of arguments that were passed to the server
28 #olcArgsFile: /run/slapd/slapd.args
29 # Read slapd-config(5) for possible values
30 olcLogLevel: none
31 # The tool-threads parameter sets the actual amount of CPU's
32 # that is used for indexing.
33 olcToolThreads: 1
34
35 dn: olcDatabase={-1}frontend,cn=config
36 objectClass: olcDatabaseConfig
37 objectClass: olcFrontendConfig
38 # The maximum number of entries that is returned for a search operation
39 olcSizeLimit: 500
40 # Allow unlimited access to local connection from the local root user
41 olcAccess: to *
42 by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
43 by * break
44 # Allow unauthenticated read access for schema and base DN autodiscovery
45 olcAccess: to dn.exact=""
46 by * read
47 olcAccess: to dn.base="cn=Subschema"
48 by * read
49
50 dn: olcDatabase=config,cn=config
51 objectClass: olcDatabaseConfig
52 olcRootDN: cn=admin,cn=config
53 # Access to cn=config, system root can be manager
54 # with SASL mechanism (-Y EXTERNAL) over unix socket (-H ldapi://)
55 olcAccess: to *
56 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
57 by * break
58
59 dn: cn=schema,cn=config
60 objectClass: olcSchemaConfig
61
62 include: file://${pkgs.openldap}/etc/schema/core.ldif
63 include: file://${pkgs.openldap}/etc/schema/cosine.ldif
64 include: file://${pkgs.openldap}/etc/schema/nis.ldif
65 include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif
66 include: file://${copyFile openldap/schema/postfix-book.ldif}
67
68 dn: cn=module{0},cn=config
69 objectClass: olcModuleList
70 # Where the dynamically loaded modules are stored
71 #olcModulePath: /usr/lib/ldap
72 olcModuleLoad: back_mdb
73 '';
74 };
75 services.openldap.databases = lib.mkOption {
76 default = {};
77 type = types.attrsOf (types.submodule ({name, options, config, ...}: {
78 options = {
79 conf = lib.mkOption {
80 type = types.lines;
81 description = "The database's config in LDIF.";
82 };
83 data = lib.mkOption {
84 type = types.lines;
85 description = "The database's data in LDIF.";
86 };
87 olcDbDirectory = lib.mkOption {
88 type = types.str;
89 description = "The directory where the database is stored.";
90 default = "${openldap.dataDir}/${name}";
91 };
92 resetData = lib.mkOption {
93 type = types.bool;
94 description = "Whether to reset the data at each start of the slapd service.";
95 default = false;
96 };
97 };
98 }));
99 };
100 };
101 config = lib.mkIf openldap.enable {
102 systemd.services.openldap.preStart = ''
103 set -e
104 # NOTE: slapd's config is always re-initialized.
105 rm -rf "${openldap.configDir}"/cn=config \
106 "${openldap.configDir}"/cn=config.ldif
107 install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${openldap.configDir}"
108 # NOTE: olcDbDirectory must be created before adding the config.
109 '' +
110 unlinesAttrs (olcSuffix: {data, olcDbDirectory, resetData, ...}:
111 lib.optionalString resetData ''
112 rm -rf "${olcDbDirectory}"
113 '' + ''
114 install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${olcDbDirectory}"
115 '') openldap.databases
116 + ''
117 # NOTE: slapd is supposed to have been stopped by systemd
118 # before entering this preStart,
119 # hence slap* commands can safely be used.
120 #
121 # NOTE: slapadd(8):
122 # To populate the config database slapd-config(5),
123 # use -n 0 as it is always the first database.
124 # It must physically exist on the filesystem prior to this, however.
125 umask 0077
126 ${pkgs.openldap}/bin/slapadd -n 0 \
127 -F "${openldap.configDir}" \
128 -l ${openldap.initConfig}
129 chown -R "${openldap.user}:${openldap.group}" "${openldap.configDir}"
130 '' +
131 unlinesAttrs (olcSuffix: {data, olcDbDirectory, resetData, ...}:
132 lib.optionalString resetData ''
133 ${pkgs.openldap}/bin/slapadd \
134 -F "${openldap.configDir}" \
135 -l ${pkgs.writeText "data.ldif" data}
136 '' + ''
137 test ! -e "${olcDbDirectory}" ||
138 chown -R "${openldap.user}:${openldap.group}" "${olcDbDirectory}"
139 '') openldap.databases;
140 };
141 }