1 { pkgs, lib, config, ... }:
2 let
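# Local helpers for this module. `types` and `openldap` are the only
# outside names the option and config sections below actually use; the
# previously inherited `baseNameOf`, `readFile` and `config.users.ldap`
# were never referenced in this file and have been dropped.
inherit (lib) types;
inherit (config.services) openldap;
# Join a list of strings with newlines (no trailing newline is added).
unlines = lib.concatStringsSep "\n";
# Apply `f name value` to every attribute of `as` and join the results
# with newlines; used to emit one shell/LDIF fragment per database.
unlinesAttrs = f: as: unlines (lib.mapAttrsToList f as);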
9 in
10 {
11 options = {
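services.openldap.cnConfig = lib.mkOption {
  type = types.lines;
  description = ''
    The cn=config database in LDIF. It is loaded with `slapadd -n 0` on
    every start of the service, replacing the previous cn=config, and the
    entries declared in `services.openldap.databases` are appended to it
    automatically.

    Everything in this option, including each database's `conf`, is
    written to the world-readable Nix store: never put `olcRootPW` or any
    other secret in it.
  '';
  # Materialise the LDIF in the store and append one `include:` per
  # declared database, so that a database's `conf` is completed with the
  # `olcSuffix` (its attribute name) and `olcDbDirectory` from the option.
  apply = lines:
    let
      databaseInclude = olcSuffix: {conf, olcDbDirectory, ...}:
        "include: file://" + pkgs.writeText "config.ldif" (conf + ''
          olcSuffix: ${olcSuffix}
          olcDbDirectory: ${olcDbDirectory}
        '');
    in
    pkgs.writeText "cn=config.ldif"
      (lines + "\n" + unlinesAttrs databaseInclude openldap.databases);
  # NOTE(review): the default password scheme is {SSHA} (salted SHA-1).
  # {PBKDF2-SHA256} is the stronger choice, but it needs the pw-pbkdf2
  # module that is commented out in the module list below; confirm that
  # pkgs.openldap ships it before switching both lines.
  # cn=config itself has an olcRootDN but no olcRootPW here, so it is only
  # manageable by the local root user over ldapi:// with SASL EXTERNAL,
  # as granted by its olcAccess rule.
  default = ''
    dn: cn=config
    objectClass: olcGlobal
    olcLogLevel: none
    olcToolThreads: 1

    dn: cn={0}module,cn=config
    objectClass: olcModuleList
    olcModulePath: ${pkgs.openldap}/lib/modules
    #olcModuleLoad: pw-sha2
    #olcModuleLoad: pw-pbkdf2
    olcModuleLoad: back_mdb

    dn: olcDatabase={-1}frontend,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcFrontendConfig
    olcSizeLimit: 500
    # Allow unlimited access to local connection from the local root user
    olcAccess: to *
     by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
     by * break
    # Allow unauthenticated read access for schema and base DN autodiscovery
    olcAccess: to dn.exact=""
     by * read
    olcAccess: to dn.base="cn=Subschema"
     by * read
    # Hash algorithm to be used by LDAP Password Modify Extended Operation or the ppolicy overlay
    #olcPasswordHash: {PBKDF2-SHA256}
    olcPasswordHash: {SSHA}

    dn: olcDatabase={0}config,cn=config
    objectClass: olcDatabaseConfig
    olcRootDN: cn=admin,cn=config
    # Access to cn=config, system root can be manager
    # with SASL mechanism (-Y EXTERNAL) over unix socket (-H ldapi://)
    olcAccess: to *
     by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
     by * break

    dn: cn=schema,cn=config
    objectClass: olcSchemaConfig

    include: file://${pkgs.openldap}/etc/schema/core.ldif
    include: file://${pkgs.openldap}/etc/schema/cosine.ldif
    include: file://${pkgs.openldap}/etc/schema/nis.ldif
    include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif
  '';
};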
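services.openldap.databases = lib.mkOption {
  default = {};
  description = ''
    Databases to declare in cn=config, keyed by their `olcSuffix`
    (for example `"dc=example,dc=com"`). Both `conf` and `data` are
    written to the world-readable Nix store, so they must not carry
    secrets such as `olcRootPW` or `userPassword` values.
  '';
  type = types.attrsOf (types.submodule ({name, ...}: {
    options = {
      conf = lib.mkOption {
        type = types.lines;
        description = ''
          The database's config entry in LDIF. `olcSuffix` and
          `olcDbDirectory` are appended from this attribute set and must
          not be repeated here.
        '';
      };
      data = lib.mkOption {
        type = types.nullOr types.lines;
        # The service script branches on `data != null`; without an explicit
        # default, evaluating the option for a database that does not set
        # `data` fails instead of meaning "keep the directory untouched".
        default = null;
        description = ''
          The database's content in LDIF. When set, `olcDbDirectory` is
          wiped and re-populated from it with `slapadd` on every service
          start; when null the existing directory is left alone.
        '';
      };
      olcDbDirectory = lib.mkOption {
        type = types.str;
        description = ''
          The directory where the database is stored. Created with mode
          0700 and owned by the OpenLDAP user before cn=config is loaded.
        '';
        default = "${openldap.dataDir}/${name}";
      };
    };
  }));
};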
90 };
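config = lib.mkIf openldap.enable {
  # Rebuild cn=config from `cnConfig` and re-import the declared databases
  # before every start. systemd runs preStart with slapd stopped, so the
  # offline slap* tools can be used safely here.
  systemd.services.openldap.preStart =
    let
      dbs = openldap.databases;
      # olcDbDirectory must exist before the cn=config that references it
      # is loaded. Only databases with declared `data` are wiped and
      # re-created; the others keep whatever is already on disk.
      prepareDirectory = _: {data, olcDbDirectory, ...}:
        lib.optionalString (data != null) ''
          rm -rf "${olcDbDirectory}"
          install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${olcDbDirectory}"
        '';
      # slapadd(8): the config database is always number 0 (`-n 0`) and
      # its directory must already exist on the filesystem. The umask keeps
      # the freshly written cn=config private until it is chown'ed.
      loadConfig = ''
        umask 0077
        rm -rf "${openldap.configDir}"/cn=config \
               "${openldap.configDir}"/cn=config.ldif
        ${pkgs.openldap}/bin/slapadd -n 0 \
          -F "${openldap.configDir}" \
          -l "${openldap.cnConfig}"
        chown -R "${openldap.user}:${openldap.group}" "${openldap.configDir}"
      '';
      # The suffix is quoted: a DN such as `o=Example Corp` contains
      # spaces and would otherwise be split into several arguments.
      importData = olcSuffix: {data, olcDbDirectory, ...}:
        lib.optionalString (data != null) ''
          ${pkgs.openldap}/bin/slapadd \
            -F "${openldap.configDir}" \
            -b "${olcSuffix}" \
            -l "${pkgs.writeText "data.ldif" data}"
        '' + ''
          test ! -e "${olcDbDirectory}" ||
            chown -R "${openldap.user}:${openldap.group}" "${olcDbDirectory}"
        '';
    in
    ''
      set -e
      install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${openldap.configDir}"
    ''
    + unlinesAttrs prepareDirectory dbs
    + loadConfig
    + unlinesAttrs importData dbs;
};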
129 }