nix: shell: fix merging with host's env
# NixOS module extending services.openldap: the slapd cn=config database is
# rendered from LDIF held in the Nix store and re-created from scratch in the
# service's preStart on every start; per-suffix databases are declared under
# services.openldap.databases.
{ pkgs, lib, config, ... }:
let inherit (builtins) baseNameOf readFile;
    inherit (lib) types;
    # unlinesAttrs comes from this project's own lib overlay (pkgs.lib), not from
    # upstream lib; presumably maps a function over an attrset and joins the
    # results with newlines — TODO confirm against the overlay.
    inherit (pkgs.lib) unlinesAttrs;
    inherit (config.services) openldap;
    # Not referenced anywhere in this file.
    inherit (config.users) ldap;
    # Copy a local file into the Nix store under its own basename so it can be
    # referenced from LDIF via an `include: file://` URL.
    # FIXME: readFIle ?
    copyFile = file: pkgs.writeText (baseNameOf file) (readFile file);
in
{
  options = {
    services.openldap.domainSuffix = lib.mkOption {
      type = types.str;
      # Each dot-separated label of networking.domain becomes one dc= component
      # (e.g. "example.org" -> "dc=example,dc=org").
      default = "dc=${lib.concatStringsSep ",dc=" (lib.splitString "." config.networking.domain)}";
      description = ''LDAP suffix for config.networking.domain.'';
    };
    services.openldap.initConfig = lib.mkOption {
      type = types.lines;
      description = "The databases' initial config in LDIF.";
      # The option's final value is not the text but a store path: the lines are
      # written to cn=config.ldif, followed by one `include:` per declared
      # database pointing at a generated config.ldif that appends the database's
      # olcSuffix and olcDbDirectory to its `conf`.
      # NOTE(review): everything rendered through pkgs.writeText lands in
      # /nix/store, which is readable by every local user. Credentials such as
      # an olcRootPW placed in initConfig or in a database's `conf` are
      # therefore exposed to all local accounts; keep secrets out of these options.
      apply = lines: pkgs.writeText "cn=config.ldif"
        (lines + "\n" + unlinesAttrs (olcSuffix: {conf, olcDbDirectory, ...}:
          "include: file://" + pkgs.writeText "config.ldif" (conf + ''
            olcSuffix: ${olcSuffix}
            olcDbDirectory: ${olcDbDirectory}
          '')
        ) openldap.databases);
      # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b "" -s base supportedControl
      # Default access posture of the LDIF below:
      #  - the local root user, authenticated via SASL EXTERNAL over the ldapi://
      #    socket, gets `manage` on the frontend and on cn=config;
      #  - anonymous clients may read the root DSE and cn=Subschema only;
      #  - `by * break` hands everything else to the per-database olcAccess
      #    rules in each database's `conf`. A database that defines none falls
      #    back to slapd's built-in default, which per slapd.access(5) allows
      #    read access to everyone — so each `conf` should carry its own ACLs.
      #  - `olcLogLevel: none` disables slapd's own logging, so no
      #    bind/operation audit trail is produced; `stats` is the usual level
      #    when one is wanted (see slapd-config(5)).
      # Only back_mdb is loaded; databases must use olcDatabase: mdb.
      default = ''
        dn: cn=config
        objectClass: olcGlobal
        #olcPidFile: /run/slapd/slapd.pid
        # List of arguments that were passed to the server
        #olcArgsFile: /run/slapd/slapd.args
        # Read slapd-config(5) for possible values
        olcLogLevel: none
        # The tool-threads parameter sets the actual amount of CPU's
        # that is used for indexing.
        olcToolThreads: 1

        dn: olcDatabase={-1}frontend,cn=config
        objectClass: olcDatabaseConfig
        objectClass: olcFrontendConfig
        # The maximum number of entries that is returned for a search operation
        olcSizeLimit: 500
        # Allow unlimited access to local connection from the local root user
        olcAccess: to *
         by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
         by * break
        # Allow unauthenticated read access for schema and base DN autodiscovery
        olcAccess: to dn.exact=""
         by * read
        olcAccess: to dn.base="cn=Subschema"
         by * read

        dn: olcDatabase=config,cn=config
        objectClass: olcDatabaseConfig
        olcRootDN: cn=admin,cn=config
        # Access to cn=config, system root can be manager
        # with SASL mechanism (-Y EXTERNAL) over unix socket (-H ldapi://)
        olcAccess: to *
         by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
         by * break

        dn: cn=schema,cn=config
        objectClass: olcSchemaConfig

        include: file://${pkgs.openldap}/etc/schema/core.ldif
        include: file://${pkgs.openldap}/etc/schema/cosine.ldif
        include: file://${pkgs.openldap}/etc/schema/nis.ldif
        include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif
        include: file://${copyFile openldap/schema/postfix-book.ldif}

        dn: cn=module{0},cn=config
        objectClass: olcModuleList
        # Where the dynamically loaded modules are stored
        #olcModulePath: /usr/lib/ldap
        olcModuleLoad: back_mdb
      '';
    };
    # One entry per database; the attribute name is used as the database's
    # olcSuffix (see the `olcSuffix:` parameter of the functions above and below).
    services.openldap.databases = lib.mkOption {
      default = {};
      type = types.attrsOf (types.submodule ({name, options, config, ...}: {
        options = {
          # olcSuffix and olcDbDirectory are appended automatically by
          # initConfig's `apply`; olcAccess rules belong here.
          conf = lib.mkOption {
            type = types.lines;
            description = "The database's config in LDIF.";
          };
          # NOTE(review): only loaded when resetData is true, via a file written
          # to the world-readable /nix/store — password hashes (userPassword)
          # in this LDIF are thus visible to every local user.
          data = lib.mkOption {
            type = types.lines;
            description = "The database's data in LDIF.";
          };
          olcDbDirectory = lib.mkOption {
            type = types.str;
            description = "The directory where the database is stored.";
            # `name` here is the attribute name, i.e. the suffix.
            default = "${openldap.dataDir}/${name}";
          };
          # Destructive: when true, preStart removes olcDbDirectory and reloads
          # `data` on every start, so any change made at runtime is lost.
          resetData = lib.mkOption {
            type = types.bool;
            description = "Whether to reset the data at each start of the slapd service.";
            default = false;
          };
        };
      }));
    };
  };
  config = {
    systemd.services.openldap = {
      # Assembled in four pieces: wipe and recreate configDir, (re)create each
      # database directory, load cn=config with slapadd, then load the data of
      # databases flagged resetData.
      preStart = ''
        set -e
        # NOTE: slapd's config is always re-initialized.
        rm -rf "${openldap.configDir}"/cn=config \
               "${openldap.configDir}"/cn=config.ldif
        install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${openldap.configDir}"
        # NOTE: olcDbDirectory must be created before adding the config.
      '' +
      # Directories are created owner-only (0700) for the slapd user/group;
      # with resetData the previous contents are deleted first.
      unlinesAttrs (olcSuffix: {data, olcDbDirectory, resetData, ...}:
        lib.optionalString resetData ''
          rm -rf "${olcDbDirectory}"
        '' + ''
          install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${olcDbDirectory}"
        '') openldap.databases
      + ''
        # NOTE: slapd is supposed to have been stopped by systemd
        # before entering this preStart,
        # hence slap* commands can safely be used.
        #
        # NOTE: slapadd(8):
        # To populate the config database slapd-config(5),
        # use -n 0 as it is always the first database.
        # It must physically exist on the filesystem prior to this, however.
        umask 0077
        ${pkgs.openldap}/bin/slapadd -n 0 \
          -F "${openldap.configDir}" \
          -l ${openldap.initConfig}
        chown -R "${openldap.user}:${openldap.group}" "${openldap.configDir}"
      '' +
      # `umask 0077` set above still applies here, so files slapadd creates are
      # private to root until the chown hands them to the slapd user.
      # NOTE(review): this slapadd passes neither -n nor -b; with several
      # databases declared, confirm slapadd selects the target database from the
      # entries' suffix rather than defaulting to the first one.
      unlinesAttrs (olcSuffix: {data, olcDbDirectory, resetData, ...}:
        lib.optionalString resetData ''
          ${pkgs.openldap}/bin/slapadd \
            -F "${openldap.configDir}" \
            -l ${pkgs.writeText "data.ldif" data}
        '' + ''
          test ! -e "${olcDbDirectory}" ||
          chown -R "${openldap.user}:${openldap.group}" "${olcDbDirectory}"
        '') openldap.databases;
    };
  };
}