install/logical/friot/openldap/commonsoft.coop.nix

   1 {pkgs, lib, config, ...}:
   2 let inherit (config.services) openldap;
   3     inherit (config.users) users groups;
   4     domainSuffix = openldap.domainSuffix;
   5 in
   6 {
   7   config = {
   8     services.openldap = {
   9       databases = {
  10         "${domainSuffix}" = {
  11           resetData = true;
  12           conf = ''
  13             # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
  14             dn: olcBackend={1}mdb,cn=config
  15             objectClass: olcBackendConfig
  16
  17             dn: olcDatabase={1}mdb,cn=config
  18             objectClass: olcDatabaseConfig
  19             objectClass: olcMdbConfig
  20             # NOTE: checkpoint the database periodically in case of system failure
  21             # and to speed slapd shutdown.
  22             olcDbCheckpoint: 512 30
  23             # Database max size is 1G
  24             olcDbMaxSize: 1073741824
  25             olcLastMod: TRUE
  26             # NOTE: database superuser. Needed for syncrepl.
  27             olcRootDN: cn=admin,${domainSuffix}
  28             # NOTE: superuser password, generated with slappasswd -s SECRET
  29             # FIXME: remove when dovecot2 compiled with SASL
  30             olcRootPW: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
  31             #
  32             olcDbIndex: objectClass eq
  33             olcDbIndex: cn,uid eq
  34             olcDbIndex: uidNumber,gidNumber eq
  35             olcDbIndex: member,memberUid eq
  36             olcDbIndex: mail eq
  37             olcDbIndex: mailEnabled eq
  38             olcDbIndex: mailacceptinggeneralid eq
  39             #
  40             olcAccess: to attrs=userPassword
  41               by self write
  42               by anonymous auth
  43               by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  44               by * none
  45             olcAccess: to attrs=shadowLastChange
  46               by self write
  47               by * none
  48             olcAccess: to dn.sub="ou=posix,${domainSuffix}"
  49               by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
  50               by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  51             # NOTE: dovecot/auth runs as root, hence the gidNumber=0+uidNumber=0
  52             olcAccess: to *
  53               by self read
  54               by * none
  55           '';
  56           data = ''
  57             dn: ${domainSuffix}
  58             objectClass: top
  59             objectClass: dcObject
  60             objectClass: organization
  61             o: ${config.networking.baseName}
  62
  63             dn: cn=admin,${domainSuffix}
  64             objectClass: simpleSecurityObject
  65             objectClass: organizationalRole
  66             description: ${config.networking.baseName} LDAP administrator
  67             roleOccupant: ${domainSuffix}
  68             userPassword:
  69             #userPassword: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
  70
  71             dn: ou=posix,${domainSuffix}
  72             objectClass: top
  73             objectClass: organizationalUnit
  74
  75             dn: ou=accounts,ou=posix,${domainSuffix}
  76             objectClass: top
  77             objectClass: organizationalUnit
  78
  79             dn: ou=groups,ou=posix,${domainSuffix}
  80             objectClass: top
  81             objectClass: organizationalUnit
  82
  83             dn: cn=users,ou=groups,ou=posix,${domainSuffix}
  84             objectclass: top
  85             objectclass: posixGroup
  86             gidnumber: 10000
  87             memberuid: ju
  88             memberuid: sevy
  89
  90             #dn: cn=dovemail,ou=groups,ou=posix,${domainSuffix}
  91             #objectclass: top
  92             #objectclass: posixGroup
  93             #gidnumber: 497
  94             # # FIXME: do not hardcode this gid
  95             #memberuid: ju
  96             #memberuid: sevy
  97
  98             dn: uid=ju,ou=accounts,ou=posix,${domainSuffix}
  99             #objectClass: account
 100             objectclass: person
 101             objectClass: posixAccount
 102             objectclass: postfixUser
 103             objectclass: PostfixBookMailAccount
 104             objectclass: PostfixBookMailForward
 105             cn: Julien M.
 106             sn: julm
 107             mail: ju@commonsoft.coop
 108             mailAlias: juju@commonsoft.coop
 109             #mailacceptinggeneralid: julm
 110             #maildrop:
 111             uidNumber: 10000
 112             gidNumber: 497
 113             homeDirectory: /home/ju
 114             loginShell: /run/current-system/sw/bin/bash
 115             userPassword: {SSHA}144Rfau9KJ14U0U4KdLNB7OrtpiEc3E3
 116
 117             dn: uid=sevy,ou=accounts,ou=posix,${domainSuffix}
 118             #objectClass: account
 119             objectclass: person
 120             objectClass: posixAccount
 121             objectclass: postfixUser
 122             objectclass: PostfixBookMailAccount
 123             objectclass: PostfixBookMailForward
 124             cn: Séverine P.
 125             sn: sévy
 126             mail: sevy@commonsoft.coop
 127             mailAlias: severine.popek@commonsoft.coop
 128             uidNumber: 10001
 129             gidNumber: 10000
 130             homeDirectory: /home/sevy
 131             loginShell: /run/current-system/sw/bin/bash
 132             userPassword: {SSHA}dwqaKo5nmId8Bym5PghloK+UEndwrVTN
 133           '';
 134         };
 135       };
 136     };
 137   };
 138 }