]> Git — Sourcephile - sourcephile-nix.git/blob - machines/mermet/openldap/autogeree.net.nix
tor: improve type-checking and hardening (ter)
[sourcephile-nix.git] / machines / mermet / openldap / autogeree.net.nix
1 { inputs, pkgs, lib, config, ... }:
2 let
3 inherit (builtins) hasAttr;
4 inherit (config) networking;
5 inherit (config.services) openldap postfix dovecot2;
6 inherit (config.users) users groups;
7 inherit (pkgs.lib) unlines;
8 domain = "autogeree.net";
9 domainGroup = "autogeree";
10 domainOrg = "autogeree";
11 domainSuffix = "dc=" + lib.concatStringsSep ",dc=" (lib.splitString "." domain);
12 posixAccount = pkgs.callPackage (import ./posixAccount.nix) { inherit domain domainSuffix domainGroup; };
13 in
14 {
15 users.groups."${domainGroup}" = {
16 gid = 20001;
17 members = [
18 users."julm".name
19 ];
20 };
21 services.openldap.databases."${domainSuffix}" = {
22 # WARNING: newlines matter
23 conf = ''
24 dn: olcDatabase=mdb,cn=config
25 objectClass: olcDatabaseConfig
26 objectClass: olcMdbConfig
27 # Checkpoint the database periodically in case of system failure
28 # and to speed up slapd shutdown.
29 olcDbCheckpoint: 512 30
30 # Database max size is 1G
31 olcDbMaxSize: 1073741824
32 olcLastMod: TRUE
33 # Database superuser. Needed for syncrepl.
34 olcRootDN: cn=admin,${domainSuffix}
35 # Superuser password, generated with slappasswd -h "{SSHA}"
36 # Commented-out because SASL EXTERNAL mechanism is used.
37 #olcRootPW: {SSHA}COkATGNe7rs/g8vWcYP5rqt4u5sWdMgP
38 #
39 olcDbIndex: objectClass eq
40 olcDbIndex: cn,uid eq
41 olcDbIndex: uidNumber,gidNumber eq
42 olcDbIndex: member,memberUid eq
43 olcDbIndex: mail eq
44 olcDbIndex: mailAlias eq
45 olcDbIndex: mailEnabled eq
46 #
47 olcAccess: to attrs=userPassword
48 by self write
49 by anonymous auth
50 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
51 by * none
52 olcAccess: to attrs=shadowLastChange
53 by self write
54 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
55 by * none
56 olcAccess: to dn.sub="ou=posix,${domainSuffix}"
57 by self read
58 ${lib.optionalString (hasAttr postfix.user users) ''by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read''}
59 ${lib.optionalString (hasAttr dovecot2.user users) ''by dn="gidNumber=${toString groups.dovecot2.gid}+uidNumber=${toString users.dovecot2.uid},cn=peercred,cn=external,cn=auth" read''}
60 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
61 olcAccess: to *
62 by self read
63 by * none
64 '';
65 data = ''
66 dn: ${domainSuffix}
67 objectClass: top
68 objectClass: dcObject
69 objectClass: organization
70 o: ${domainOrg}
71
72 dn: cn=admin,${domainSuffix}
73 objectClass: simpleSecurityObject
74 objectClass: organizationalRole
75 description: ${domainOrg} LDAP administrator
76 roleOccupant: ${domainSuffix}
77 userPassword:
78
79 dn: ou=posix,${domainSuffix}
80 objectClass: top
81 objectClass: organizationalUnit
82
83 dn: ou=accounts,ou=posix,${domainSuffix}
84 objectClass: top
85 objectClass: organizationalUnit
86
87 dn: ou=groups,ou=posix,${domainSuffix}
88 objectClass: top
89 objectClass: organizationalUnit
90
91 ''
92 + lib.concatMapStrings posixAccount [ rec
93 { uid = "julm";
94 cn = "Julien Moutinho";
95 sn = uid;
96 uidNumber = users."julm".uid;
97 gidNumber = groups."users".gid;
98 mailAlias = [ "julien.moutinho" ];
99 userPassword = builtins.readFile (inputs.secrets + "/members/mail/julm/hashedPassword");
100 mailHomeDirectory = "/home/${uid}/mail/${domain}";
101 mailStorageDirectory =
102 let stateDir = "/var/lib/dovecot"; in
103 # I'm personnaly using "maildir:" instead of "sdbox:" to be able to use a local (neo)mutt on it,
104 # bypassing IMAP because (neo)mutt support of IMAP is very bad
105 # (can't even have a decent $folder_format (with %n or %m) working,
106 # neither sorting them by date).
107 # WARNING: regarding the atomicity of backuping,
108 # it's not a good idea to put the mails
109 # and the index/control on different ZFS datasets like here.
110 "maildir:/home/${uid}/mail/${domain}/mail:LAYOUT=maildir++:UTF-8:CONTROL=${stateDir}/control/${domain}/${uid}:INDEX=${stateDir}/index/${domain}/${uid}";
111 }
112 ];
113 };
114 }