]> Git — Sourcephile - sourcephile-nix.git/blob - machines/mermet/openldap/autogeree.net.nix
biboumi: add service
[sourcephile-nix.git] / machines / mermet / openldap / autogeree.net.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) hasAttr;
4 inherit (builtins.extraBuiltins) pass-chomp;
5 inherit (config) networking;
6 inherit (config.services) openldap postfix dovecot2;
7 inherit (config.users) users groups;
8 inherit (pkgs.lib) unlines;
9 domain = "autogeree.net";
10 domainGroup = "autogeree";
11 domainOrg = "autogeree";
12 domainSuffix = "dc=" + lib.concatStringsSep ",dc=" (lib.splitString "." domain);
13 posixAccount = pkgs.callPackage (import ./posixAccount.nix) { inherit domain domainSuffix domainGroup; };
14 in
15 {
16 users.groups."${domainGroup}" = {
17 gid = 20001;
18 members = [
19 users."julm".name
20 ];
21 };
22 services.openldap.databases."${domainSuffix}" = {
23 # WARNING: newlines matter
24 conf = ''
25 dn: olcDatabase=mdb,cn=config
26 objectClass: olcDatabaseConfig
27 objectClass: olcMdbConfig
28 # Checkpoint the database periodically in case of system failure
29 # and to speed up slapd shutdown.
30 olcDbCheckpoint: 512 30
31 # Database max size is 1G
32 olcDbMaxSize: 1073741824
33 olcLastMod: TRUE
34 # Database superuser. Needed for syncrepl.
35 olcRootDN: cn=admin,${domainSuffix}
36 # Superuser password, generated with slappasswd -h "{SSHA}"
37 # Commented-out because SASL EXTERNAL mechanism is used.
38 #olcRootPW: {SSHA}COkATGNe7rs/g8vWcYP5rqt4u5sWdMgP
39 #
40 olcDbIndex: objectClass eq
41 olcDbIndex: cn,uid eq
42 olcDbIndex: uidNumber,gidNumber eq
43 olcDbIndex: member,memberUid eq
44 olcDbIndex: mail eq
45 olcDbIndex: mailAlias eq
46 olcDbIndex: mailEnabled eq
47 #
48 olcAccess: to attrs=userPassword
49 by self write
50 by anonymous auth
51 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
52 by * none
53 olcAccess: to attrs=shadowLastChange
54 by self write
55 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
56 by * none
57 olcAccess: to dn.sub="ou=posix,${domainSuffix}"
58 by self read
59 ${lib.optionalString (hasAttr postfix.user users) ''by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read''}
60 ${lib.optionalString (hasAttr dovecot2.user users) ''by dn="gidNumber=${toString groups.dovecot2.gid}+uidNumber=${toString users.dovecot2.uid},cn=peercred,cn=external,cn=auth" read''}
61 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
62 olcAccess: to *
63 by self read
64 by * none
65 '';
66 data = ''
67 dn: ${domainSuffix}
68 objectClass: top
69 objectClass: dcObject
70 objectClass: organization
71 o: ${domainOrg}
72
73 dn: cn=admin,${domainSuffix}
74 objectClass: simpleSecurityObject
75 objectClass: organizationalRole
76 description: ${domainOrg} LDAP administrator
77 roleOccupant: ${domainSuffix}
78 userPassword:
79
80 dn: ou=posix,${domainSuffix}
81 objectClass: top
82 objectClass: organizationalUnit
83
84 dn: ou=accounts,ou=posix,${domainSuffix}
85 objectClass: top
86 objectClass: organizationalUnit
87
88 dn: ou=groups,ou=posix,${domainSuffix}
89 objectClass: top
90 objectClass: organizationalUnit
91
92 ''
93 + lib.concatMapStrings posixAccount [ rec
94 { uid = "julm";
95 cn = "Julien Moutinho";
96 sn = uid;
97 uidNumber = users."julm".uid;
98 gidNumber = groups."users".gid;
99 mailAlias = [ "julien.moutinho" ];
100 userPassword = pass-chomp "members/julm/mail/hashedPassword";
101 mailHomeDirectory = "/home/${uid}/mail/${domain}";
102 mailStorageDirectory =
103 let stateDir = "/var/lib/dovecot"; in
104 # I'm personnaly using "maildir:" instead of "sdbox:" to be able to use a local (neo)mutt on it,
105 # bypassing IMAP because (neo)mutt support of IMAP is very bad
106 # (can't even have a decent $folder_format (with %n or %m) working,
107 # neither sorting them by date).
108 # WARNING: regarding the atomicity of backuping,
109 # it's not a good idea to put the mails
110 # and the index/control on different ZFS datasets like here.
111 "maildir:/home/${uid}/mail/${domain}/mail:LAYOUT=maildir++:UTF-8:CONTROL=${stateDir}/control/${domain}/${uid}:INDEX=${stateDir}/index/${domain}/${uid}";
112 }
113 ];
114 };
115 }