]> Git — Sourcephile - sourcephile-nix.git/blob - install/logical/friot/openldap/commonsoft.coop.nix
shorewall: polish code.
[sourcephile-nix.git] / install / logical / friot / openldap / commonsoft.coop.nix
1 {pkgs, lib, config, ...}:
2 let inherit (config.services) openldap;
3 inherit (config.users) users groups;
4 domainSuffix = openldap.domainSuffix;
5 in
6 {
7 config = {
8 services.openldap = {
9 databases = {
10 "${domainSuffix}" = {
11 resetData = true;
12 conf = ''
13 # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
14 dn: olcBackend={1}mdb,cn=config
15 objectClass: olcBackendConfig
16
17 dn: olcDatabase={1}mdb,cn=config
18 objectClass: olcDatabaseConfig
19 objectClass: olcMdbConfig
20 # NOTE: checkpoint the database periodically in case of system failure
21 # and to speed slapd shutdown.
22 olcDbCheckpoint: 512 30
23 # Database max size is 1G
24 olcDbMaxSize: 1073741824
25 olcLastMod: TRUE
26 # NOTE: database superuser. Needed for syncrepl.
27 olcRootDN: cn=admin,${domainSuffix}
28 # NOTE: superuser password, generated with slappasswd -s SECRET
29 # FIXME: remove when dovecot2 compiled with SASL
30 olcRootPW: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
31 #
32 olcDbIndex: objectClass eq
33 olcDbIndex: cn,uid eq
34 olcDbIndex: uidNumber,gidNumber eq
35 olcDbIndex: member,memberUid eq
36 olcDbIndex: mail eq
37 olcDbIndex: mailEnabled eq
38 olcDbIndex: mailacceptinggeneralid eq
39 #
40 olcAccess: to attrs=userPassword
41 by self write
42 by anonymous auth
43 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
44 by * none
45 olcAccess: to attrs=shadowLastChange
46 by self write
47 by * none
48 olcAccess: to dn.sub="ou=posix,${domainSuffix}"
49 by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
50 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
51 # NOTE: dovecot/auth runs as root, hence the gidNumber=0+uidNumber=0
52 olcAccess: to *
53 by self read
54 by * none
55 '';
56 data = ''
57 dn: ${domainSuffix}
58 objectClass: top
59 objectClass: dcObject
60 objectClass: organization
61 o: ${config.networking.baseName}
62
63 dn: cn=admin,${domainSuffix}
64 objectClass: simpleSecurityObject
65 objectClass: organizationalRole
66 description: ${config.networking.baseName} LDAP administrator
67 roleOccupant: ${domainSuffix}
68 userPassword:
69 #userPassword: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
70
71 dn: ou=posix,${domainSuffix}
72 objectClass: top
73 objectClass: organizationalUnit
74
75 dn: ou=accounts,ou=posix,${domainSuffix}
76 objectClass: top
77 objectClass: organizationalUnit
78
79 dn: ou=groups,ou=posix,${domainSuffix}
80 objectClass: top
81 objectClass: organizationalUnit
82
83 dn: cn=users,ou=groups,ou=posix,${domainSuffix}
84 objectclass: top
85 objectclass: posixGroup
86 gidnumber: 10000
87 memberuid: ju
88 memberuid: sevy
89
90 #dn: cn=dovemail,ou=groups,ou=posix,${domainSuffix}
91 #objectclass: top
92 #objectclass: posixGroup
93 #gidnumber: 497
94 # # FIXME: do not hardcode this gid
95 #memberuid: ju
96 #memberuid: sevy
97
98 dn: uid=ju,ou=accounts,ou=posix,${domainSuffix}
99 #objectClass: account
100 objectclass: person
101 objectClass: posixAccount
102 objectclass: postfixUser
103 objectclass: PostfixBookMailAccount
104 objectclass: PostfixBookMailForward
105 cn: Julien M.
106 sn: julm
107 mail: ju@commonsoft.coop
108 mailAlias: juju@commonsoft.coop
109 #mailacceptinggeneralid: julm
110 #maildrop:
111 uidNumber: 10000
112 gidNumber: 497
113 homeDirectory: /home/ju
114 loginShell: /run/current-system/sw/bin/bash
115 userPassword: {SSHA}144Rfau9KJ14U0U4KdLNB7OrtpiEc3E3
116
117 dn: uid=sevy,ou=accounts,ou=posix,${domainSuffix}
118 #objectClass: account
119 objectclass: person
120 objectClass: posixAccount
121 objectclass: postfixUser
122 objectclass: PostfixBookMailAccount
123 objectclass: PostfixBookMailForward
124 cn: Séverine P.
125 sn: sévy
126 mail: sevy@commonsoft.coop
127 mailAlias: severine.popek@commonsoft.coop
128 uidNumber: 10001
129 gidNumber: 10000
130 homeDirectory: /home/sevy
131 loginShell: /run/current-system/sw/bin/bash
132 userPassword: {SSHA}dwqaKo5nmId8Bym5PghloK+UEndwrVTN
133 '';
134 };
135 };
136 };
137 };
138 }