]> Git — Sourcephile - sourcephile-nix.git/blob - install/logical/friot/openldap/commonsoft.coop.nix
dovecot: handle perms to auto create Maildirs.
[sourcephile-nix.git] / install / logical / friot / openldap / commonsoft.coop.nix
1 {pkgs, lib, config, ...}:
2 let inherit (config.services) openldap;
3 inherit (config.users) users groups;
4 inherit (config.networking) domain baseName;
5 inherit (pkgs.lib) unlines;
6 domainSuffix = openldap.domainSuffix;
7 accountLDIF =
8 { uid, uidNumber, gidNumber ? uidNumber
9 , cn ? ""
10 , sn ? ""
11 , userPassword ? "{SSHA}dwqaKo5nmId8Bym5PghloK+UEndwrVTN"
12 , mailAlias ? []
13 , loginShell ? "/run/current-system/sw/bin/bash"
14 , mailEnabled ? true
15 }: ''
16
17 dn: uid=${uid},ou=accounts,ou=posix,${domainSuffix}
18 objectclass: person
19 objectClass: posixAccount
20 objectclass: PostfixBookMailAccount
21 objectclass: PostfixBookMailForward
22 cn: ${cn}
23 sn: ${sn}
24 mail: ${uid}@${domain}
25 ${unlines (map (ma: "mailAlias: ${ma}@${domain}") mailAlias)}
26 #mailGroupMember: ${baseName}
27 uidNumber: ${toString uidNumber}
28 gidNumber: ${toString gidNumber}
29 homeDirectory: /home/${uid}
30 loginShell: ${loginShell}
31 mailEnabled: ${if mailEnabled then "TRUE" else "FALSE"}
32 ${lib.optionalString (userPassword != "") "userPassword: ${userPassword}"}
33
34 dn: cn=${uid},ou=groups,ou=posix,${domainSuffix}
35 objectclass: top
36 objectclass: posixGroup
37 gidnumber: ${toString gidNumber}
38 memberuid: ${uid}
39 '';
40 in
41 {
42 config = {
43 services.openldap = {
44 databases = {
45 "${domainSuffix}" = {
46 resetData = true;
47 conf = ''
48 # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
49 dn: olcBackend={1}mdb,cn=config
50 objectClass: olcBackendConfig
51
52 dn: olcDatabase={1}mdb,cn=config
53 objectClass: olcDatabaseConfig
54 objectClass: olcMdbConfig
55 # NOTE: checkpoint the database periodically in case of system failure
56 # and to speed slapd shutdown.
57 olcDbCheckpoint: 512 30
58 # Database max size is 1G
59 olcDbMaxSize: 1073741824
60 olcLastMod: TRUE
61 # NOTE: database superuser. Needed for syncrepl.
62 olcRootDN: cn=admin,${domainSuffix}
63 # NOTE: superuser password, generated with slappasswd -s SECRET
64 #olcRootPW: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
65 #
66 olcDbIndex: objectClass eq
67 olcDbIndex: cn,uid eq
68 olcDbIndex: uidNumber,gidNumber eq
69 olcDbIndex: member,memberUid eq
70 olcDbIndex: mail eq
71 olcDbIndex: mailEnabled eq
72 #
73 olcAccess: to attrs=userPassword
74 by self write
75 by anonymous auth
76 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
77 by * none
78 olcAccess: to attrs=shadowLastChange
79 by self write
80 by * none
81 olcAccess: to dn.sub="ou=posix,${domainSuffix}"
82 by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
83 by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read
84 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
85 # NOTE: dovecot/auth runs as root, hence the gidNumber=0+uidNumber=0
86 olcAccess: to *
87 by self read
88 by * none
89 '';
90 data = ''
91 dn: ${domainSuffix}
92 objectClass: top
93 objectClass: dcObject
94 objectClass: organization
95 o: ${baseName}
96
97 dn: cn=admin,${domainSuffix}
98 objectClass: simpleSecurityObject
99 objectClass: organizationalRole
100 description: ${baseName} LDAP administrator
101 roleOccupant: ${domainSuffix}
102 userPassword:
103 #userPassword: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
104
105 dn: ou=posix,${domainSuffix}
106 objectClass: top
107 objectClass: organizationalUnit
108
109 dn: ou=accounts,ou=posix,${domainSuffix}
110 objectClass: top
111 objectClass: organizationalUnit
112
113 dn: ou=groups,ou=posix,${domainSuffix}
114 objectClass: top
115 objectClass: organizationalUnit
116
117 dn: cn=${baseName},ou=groups,ou=posix,${domainSuffix}
118 objectclass: top
119 objectclass: posixGroup
120 gidnumber: 20000
121 memberuid: ju
122 memberuid: sevy
123
124 ''
125 + lib.concatMapStrings accountLDIF [
126 { uid="ju"; uidNumber=10000; cn="Julien M."; sn="julm"; mailAlias = ["juju"]; }
127 { uid="sevy"; uidNumber=10001; cn="Séverine P."; sn="sévy"; mailAlias = ["severine.popek" "ouais-ouais"]; }
128 { uid="nomail"; uidNumber=10002; mailAlias = ["noalias"]; mailEnabled = false; }
129 ];
130 };
131 };
132 };
133 };
134 }