machines/mermet/openldap/autogeree.net.nix

   1 { inputs, pkgs, lib, config, ... }:
   2 let
   3   inherit (builtins) hasAttr;
   4   inherit (config) networking;
   5   inherit (config.services) openldap postfix dovecot2;
   6   inherit (config.users) users groups;
   7   inherit (pkgs.lib) unlines;
   8   domain = "autogeree.net";
   9   domainGroup = "autogeree";
  10   domainOrg = "autogeree";
  11   domainSuffix = "dc=" + lib.concatStringsSep ",dc=" (lib.splitString "." domain);
  12   posixAccount = pkgs.callPackage (import ./posixAccount.nix) { inherit domain domainSuffix domainGroup; };
  13 in
  14 {
  15 users.groups."${domainGroup}" = {
  16   gid = 20001;
  17   members = [
  18     users."julm".name
  19   ];
  20 };
  21 services.openldap = {
  22   # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={2}mdb,cn=config' -s sub
  23   settings.children."olcDatabase={2}mdb".attrs = {
  24     objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
  25     olcDatabase = "{2}mdb";
  26     olcSuffix = domainSuffix;
  27     olcDbDirectory = "/var/db/ldap/${domainSuffix}";
  28     olcDbIndex = [
  29       "objectClass eq"
  30       "cn,uid eq"
  31       "uidNumber,gidNumber eq"
  32       "member,memberUid eq"
  33       "mail eq"
  34       "mailAlias eq"
  35       "mailEnabled eq"
  36     ];
  37     olcAccess = [
  38       ''to attrs=userPassword
  39       by self write
  40       by anonymous auth
  41       by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  42       by * none
  43       ''
  44       ''to attrs=shadowLastChange
  45       by self write
  46       by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  47       by * none
  48       ''
  49       ''to dn.sub="ou=posix,${domainSuffix}"
  50       by self read
  51       ${lib.optionalString (hasAttr postfix.user users) ''by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read''}
  52       ${lib.optionalString (hasAttr dovecot2.user users) ''by dn="gidNumber=${toString groups.dovecot2.gid}+uidNumber=${toString users.dovecot2.uid},cn=peercred,cn=external,cn=auth" read''}
  53       by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  54       ''
  55       ''to *
  56       by self read
  57       by * none
  58       ''
  59     ];
  60     # Checkpoint the database periodically in case of system failure
  61     # and to speed up slapd shutdown.
  62     olcDbCheckpoint = "512 30";
  63     # Database max size is 1G
  64     olcDbMaxSize = "1073741824";
  65     olcLastMod = "TRUE";
  66     # Database superuser. Needed for syncrepl.
  67     olcRootDN = "cn=admin,${domainSuffix}";
  68     # Superuser password, generated with slappasswd -h "{SSHA}"
  69     # Commented-out because SASL EXTERNAL mechanism is used.
  70     #olcRootPW = "{SSHA}COkATGNe7rs/g8vWcYP5rqt4u5sWdMgP";
  71   };
  72   # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'ou=posix,dc=autogeree,dc=net' -s sub
  73   declarativeContents."${domainSuffix}" = ''
  74     dn: ${domainSuffix}
  75     objectClass: top
  76     objectClass: dcObject
  77     objectClass: organization
  78     o: ${domainOrg}
  79
  80     dn: cn=admin,${domainSuffix}
  81     objectClass: simpleSecurityObject
  82     objectClass: organizationalRole
  83     description: ${domainOrg} LDAP administrator
  84     roleOccupant: ${domainSuffix}
  85     userPassword:
  86
  87     dn: ou=posix,${domainSuffix}
  88     objectClass: top
  89     objectClass: organizationalUnit
  90
  91     dn: ou=accounts,ou=posix,${domainSuffix}
  92     objectClass: top
  93     objectClass: organizationalUnit
  94
  95     dn: ou=groups,ou=posix,${domainSuffix}
  96     objectClass: top
  97     objectClass: organizationalUnit
  98
  99     ''
 100     /*
 101       dn: cn=${domainGroup},ou=groups,ou=posix,${domainSuffix}
 102       objectClass: top
 103       objectClass: posixGroup
 104       gidNumber: 20000
 105       memberUid: julm
 106
 107       dn: cn=autogeree,ou=groups,ou=posix,${domainSuffix}
 108       objectClass: top
 109       objectClass: posixGroup
 110       gidNumber: 20001
 111       memberUid: julm
 112     */
 113     + lib.concatMapStrings posixAccount [
 114       rec {
 115         uid = "julm";
 116         cn = "Julien Moutinho";
 117         sn = uid;
 118         uidNumber = users."julm".uid;
 119         gidNumber = groups."users".gid;
 120         mailAlias = [ "julien.moutinho" ];
 121         userPassword = builtins.readFile (inputs.secrets + "/members/mail/julm/hashedPassword");
 122         mailHomeDirectory = "/home/${uid}/mail/${domain}";
 123         mailStorageDirectory =
 124           let stateDir = "/var/lib/dovecot"; in
 125           # I'm personnaly using "maildir:" instead of "sdbox:" to be able to use a local (neo)mutt on it,
 126           # bypassing IMAP because (neo)mutt support of IMAP is very bad
 127           # (can't even have a decent $folder_format (with %n or %m) working,
 128           # neither sorting them by date).
 129           # WARNING: regarding the atomicity of backuping,
 130           # it's not a good idea to put the mails
 131           # and the index/control on different ZFS datasets like here.
 132           "maildir:/home/${uid}/mail/${domain}/mail:LAYOUT=maildir++:UTF-8:CONTROL=${stateDir}/control/${domain}/${uid}:INDEX=${stateDir}/index/${domain}/${uid}";
 133       }
 134     ];
 135 };
 136 }