]> Git — Sourcephile - sourcephile-nix.git/blob - install/logical/friot/openldap/plurasoft.nix
nix: improve bootstrap/mermet/ upto ssh root@
[sourcephile-nix.git] / install / logical / friot / openldap / plurasoft.nix
1 {pkgs, lib, config, ...}:
2 let inherit (config) networking;
3 inherit (config.services) openldap;
4 inherit (config.users) users groups;
5 inherit (pkgs.lib) unlines;
6 domainSuffix = openldap.domainSuffix;
7 posixAccount =
8 { uid
9 , uidNumber ? null
10 , gidNumber ? uidNumber
11 , cn ? ""
12 , sn ? ""
13 , userPassword ? "{SSHA}JtC8S4nzm+eX9cVgbyL6gquPWDZD4xXY"
14 # NOTE: doveadm pw -s SSHA -u $user -p $pass
15 , mailAlias ? []
16 , loginShell ? "/run/current-system/sw/bin/bash"
17 , mailEnabled ? true
18 , mailForwardingAddress ? []
19 , domain ? networking.domain
20 }: "\n" + lib.concatStringsSep "\n\n" [
21 (unlines ([ ''
22 dn: uid=${uid},ou=accounts,ou=posix,${domainSuffix}
23 objectClass: person
24 objectClass: posixAccount
25 objectClass: shadowAccount
26 objectClass: PostfixBookMailAccount
27 objectClass: PostfixBookMailForward
28 cn: ${cn}
29 sn: ${sn}
30 mail: ${uid}${lib.optionalString (networking.domain != "") "@${networking.domain}"}
31 mailEnabled: ${if mailEnabled then "TRUE" else "FALSE"}
32 #mailGroupMember: ${networking.domainBase}
33 homeDirectory: /home/${uid}
34 uidNumber: ${toString uidNumber}
35 gidNumber: ${toString gidNumber}
36 loginShell: ${loginShell}'' ]
37 ++ lib.optional (userPassword != "") "userPassword: ${userPassword}"
38 ++ map (forward: "mailForwardingAddress: ${forward}") mailForwardingAddress
39 ++ map (alias: "mailAlias: ${alias}@${networking.domain}") mailAlias
40 ++ lib.optional (mailAlias == []) "mailAlias:"
41 # NOTE: required by PostfixBookMailForward
42 ))
43 ''
44 dn: cn=${uid},ou=groups,ou=posix,${domainSuffix}
45 objectClass: top
46 objectClass: posixGroup
47 gidNumber: ${toString gidNumber}
48 memberUid: ${uid}
49 ''
50 ];
51 in
52 {
53 config = lib.mkIf config.users.ldap.enable {
54 services.openldap = {
55 databases = {
56 "${domainSuffix}" = {
57 resetData = true;
58 conf = ''
59 # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
60 dn: olcBackend={1}mdb,cn=config
61 objectClass: olcBackendConfig
62
63 dn: olcDatabase={1}mdb,cn=config
64 objectClass: olcDatabaseConfig
65 objectClass: olcMdbConfig
66 # NOTE: checkpoint the database periodically in case of system failure
67 # and to speed slapd shutdown.
68 olcDbCheckpoint: 512 30
69 # Database max size is 1G
70 olcDbMaxSize: 1073741824
71 olcLastMod: TRUE
72 # NOTE: database superuser. Needed for syncrepl.
73 olcRootDN: cn=admin,${domainSuffix}
74 # NOTE: superuser password, generated with slappasswd -h "{SSHA}" -s "$password"
75 #olcRootPW: {SSHA}COkATGNe7rs/g8vWcYP5rqt4u5sWdMgP
76 #
77 olcDbIndex: objectClass eq
78 olcDbIndex: cn,uid eq
79 olcDbIndex: uidNumber,gidNumber eq
80 olcDbIndex: member,memberUid eq
81 olcDbIndex: mail eq
82 olcDbIndex: mailAlias eq
83 olcDbIndex: mailEnabled eq
84 #
85 olcAccess: to attrs=userPassword
86 by self write
87 by anonymous auth
88 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
89 by * none
90 olcAccess: to attrs=shadowLastChange
91 by self write
92 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
93 by * none
94 olcAccess: to dn.sub="ou=posix,${domainSuffix}"
95 by self read
96 by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
97 by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read
98 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
99 # NOTE: dovecot/auth runs as root, hence the gidNumber=0+uidNumber=0
100 olcAccess: to *
101 by self read
102 by * none
103 '';
104 data = ''
105 dn: ${domainSuffix}
106 objectClass: top
107 objectClass: dcObject
108 objectClass: organization
109 o: ${networking.domainBase}
110
111 dn: cn=admin,${domainSuffix}
112 objectClass: simpleSecurityObject
113 objectClass: organizationalRole
114 description: ${networking.domainBase} LDAP administrator
115 roleOccupant: ${domainSuffix}
116 userPassword:
117 #userPassword: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
118
119 dn: ou=posix,${domainSuffix}
120 objectClass: top
121 objectClass: organizationalUnit
122
123 dn: ou=accounts,ou=posix,${domainSuffix}
124 objectClass: top
125 objectClass: organizationalUnit
126
127 dn: ou=groups,ou=posix,${domainSuffix}
128 objectClass: top
129 objectClass: organizationalUnit
130
131 dn: cn=${networking.domainBase},ou=groups,ou=posix,${domainSuffix}
132 objectClass: top
133 objectClass: posixGroup
134 gidNumber: 20000
135 memberUid: ju
136 memberUid: sevy
137
138 ''
139 + lib.concatMapStrings posixAccount [
140 { uid="ju"; uidNumber=10000; cn="Julien M."; sn="julm"; mailAlias = ["juju"]; }
141 { uid="sevy"; uidNumber=10001; cn="Séverine P."; sn="sévy"; mailAlias = ["severine.popek" "ouais-ouais"]; }
142 { uid="nomail"; uidNumber=10002; mailAlias = ["noalias"]; mailEnabled = false; }
143 { uid="post"; domain="friot"; mailForwardingAddress = ["ju@${networking.domain}"]; }
144 { uid="host"; mailForwardingAddress = ["ju@${networking.domain}"]; }
145 ];
146 };
147 };
148 };
149 };
150 }