install/logical/friot/openldap/commonsoft.coop.nix

   1 {pkgs, lib, config, ...}:
   2 let inherit (config.services) openldap;
   3     inherit (config.users) users groups;
   4     inherit (config.networking) domain baseName;
   5     inherit (pkgs.lib) unlines;
   6     domainSuffix = openldap.domainSuffix;
   7     accountLDIF =
   8      { uid, uidNumber, gidNumber ? uidNumber
   9      , cn ? ""
  10      , sn ? ""
  11      , userPassword ? "{SSHA}dwqaKo5nmId8Bym5PghloK+UEndwrVTN"
  12      , mailAlias ? []
  13      , loginShell ? "/run/current-system/sw/bin/bash"
  14      , mailEnabled ? true
  15      }: ''
  16
  17       dn: uid=${uid},ou=accounts,ou=posix,${domainSuffix}
  18       objectclass: person
  19       objectClass: posixAccount
  20       objectclass: PostfixBookMailAccount
  21       objectclass: PostfixBookMailForward
  22       cn: ${cn}
  23       sn: ${sn}
  24       mail: ${uid}@${domain}
  25       ${unlines (map (ma: "mailAlias: ${ma}@${domain}") mailAlias)}
  26       #mailGroupMember: ${baseName}
  27       uidNumber: ${toString uidNumber}
  28       gidNumber: ${toString gidNumber}
  29       homeDirectory: /home/${uid}
  30       loginShell: ${loginShell}
  31       mailEnabled: ${if mailEnabled then "TRUE" else "FALSE"}
  32       ${lib.optionalString (userPassword != "") "userPassword: ${userPassword}"}
  33
  34       dn: cn=${uid},ou=groups,ou=posix,${domainSuffix}
  35       objectclass: top
  36       objectclass: posixGroup
  37       gidnumber: ${toString gidNumber}
  38       memberuid: ${uid}
  39     '';
  40 in
  41 {
  42   config = {
  43     services.openldap = {
  44       databases = {
  45         "${domainSuffix}" = {
  46           resetData = true;
  47           conf = ''
  48             # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
  49             dn: olcBackend={1}mdb,cn=config
  50             objectClass: olcBackendConfig
  51
  52             dn: olcDatabase={1}mdb,cn=config
  53             objectClass: olcDatabaseConfig
  54             objectClass: olcMdbConfig
  55             # NOTE: checkpoint the database periodically in case of system failure
  56             # and to speed slapd shutdown.
  57             olcDbCheckpoint: 512 30
  58             # Database max size is 1G
  59             olcDbMaxSize: 1073741824
  60             olcLastMod: TRUE
  61             # NOTE: database superuser. Needed for syncrepl.
  62             olcRootDN: cn=admin,${domainSuffix}
  63             # NOTE: superuser password, generated with slappasswd -s SECRET
  64             #olcRootPW: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
  65             #
  66             olcDbIndex: objectClass eq
  67             olcDbIndex: cn,uid eq
  68             olcDbIndex: uidNumber,gidNumber eq
  69             olcDbIndex: member,memberUid eq
  70             olcDbIndex: mail eq
  71             olcDbIndex: mailEnabled eq
  72             #
  73             olcAccess: to attrs=userPassword
  74               by self write
  75               by anonymous auth
  76               by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  77               by * none
  78             olcAccess: to attrs=shadowLastChange
  79               by self write
  80               by * none
  81             olcAccess: to dn.sub="ou=posix,${domainSuffix}"
  82               by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
  83               by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read
  84               by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  85             # NOTE: dovecot/auth runs as root, hence the gidNumber=0+uidNumber=0
  86             olcAccess: to *
  87               by self read
  88               by * none
  89           '';
  90           data = ''
  91             dn: ${domainSuffix}
  92             objectClass: top
  93             objectClass: dcObject
  94             objectClass: organization
  95             o: ${baseName}
  96
  97             dn: cn=admin,${domainSuffix}
  98             objectClass: simpleSecurityObject
  99             objectClass: organizationalRole
 100             description: ${baseName} LDAP administrator
 101             roleOccupant: ${domainSuffix}
 102             userPassword:
 103             #userPassword: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
 104
 105             dn: ou=posix,${domainSuffix}
 106             objectClass: top
 107             objectClass: organizationalUnit
 108
 109             dn: ou=accounts,ou=posix,${domainSuffix}
 110             objectClass: top
 111             objectClass: organizationalUnit
 112
 113             dn: ou=groups,ou=posix,${domainSuffix}
 114             objectClass: top
 115             objectClass: organizationalUnit
 116
 117             dn: cn=${baseName},ou=groups,ou=posix,${domainSuffix}
 118             objectclass: top
 119             objectclass: posixGroup
 120             gidnumber: 20000
 121             memberuid: ju
 122             memberuid: sevy
 123
 124           ''
 125           + lib.concatMapStrings accountLDIF [
 126             { uid="ju"; uidNumber=10000; cn="Julien M."; sn="julm"; mailAlias = ["juju"]; }
 127             { uid="sevy"; uidNumber=10001; cn="Séverine P."; sn="sévy"; mailAlias = ["severine.popek" "ouais-ouais"]; }
 128             { uid="nomail"; uidNumber=10002; mailAlias = ["noalias"]; mailEnabled = false; }
 129           ];
 130         };
 131       };
 132     };
 133   };
 134 }