servers/mermet/openldap/autogeree.net.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (builtins) hasAttr;
   4   inherit (builtins.extraBuiltins) pass-chomp;
   5   inherit (config) networking;
   6   inherit (config.services) openldap postfix dovecot2;
   7   inherit (config.users) users groups;
   8   inherit (pkgs.lib) unlines;
   9   domain = "autogeree.net";
  10   domainGroup = "autogeree";
  11   domainOrg = "autogeree";
  12   domainSuffix = "dc=" + lib.concatStringsSep ",dc=" (lib.splitString "." domain);
  13   posixAccount = pkgs.callPackage (import ./posixAccount.nix) { inherit domain domainSuffix domainGroup; };
  14 in
  15 {
  16 users.groups."${domainGroup}" = {
  17   gid = 20001;
  18   members = ["julm"];
  19 };
  20 services.openldap.databases."${domainSuffix}" = {
  21   # WARNING: newlines matter
  22   conf = ''
  23     dn: olcDatabase=mdb,cn=config
  24     objectClass: olcDatabaseConfig
  25     objectClass: olcMdbConfig
  26     # Checkpoint the database periodically in case of system failure
  27     # and to speed up slapd shutdown.
  28     olcDbCheckpoint: 512 30
  29     # Database max size is 1G
  30     olcDbMaxSize: 1073741824
  31     olcLastMod: TRUE
  32     # Database superuser. Needed for syncrepl.
  33     olcRootDN: cn=admin,${domainSuffix}
  34     # Superuser password, generated with slappasswd -h "{SSHA}"
  35     # Commented-out because SASL EXTERNAL mechanism is used.
  36     #olcRootPW: {SSHA}COkATGNe7rs/g8vWcYP5rqt4u5sWdMgP
  37     #
  38     olcDbIndex: objectClass eq
  39     olcDbIndex: cn,uid eq
  40     olcDbIndex: uidNumber,gidNumber eq
  41     olcDbIndex: member,memberUid eq
  42     olcDbIndex: mail eq
  43     olcDbIndex: mailAlias eq
  44     olcDbIndex: mailEnabled eq
  45     #
  46     olcAccess: to attrs=userPassword
  47       by self write
  48       by anonymous auth
  49       by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  50       by * none
  51     olcAccess: to attrs=shadowLastChange
  52       by self write
  53       by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  54       by * none
  55     olcAccess: to dn.sub="ou=posix,${domainSuffix}"
  56       by self read
  57       ${lib.optionalString (hasAttr postfix.user users) ''by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read''}
  58       ${lib.optionalString (hasAttr dovecot2.user users) ''by dn="gidNumber=${toString groups.dovecot2.gid}+uidNumber=${toString users.dovecot2.uid},cn=peercred,cn=external,cn=auth" read''}
  59       by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  60     olcAccess: to *
  61       by self read
  62       by * none
  63   '';
  64   data = ''
  65     dn: ${domainSuffix}
  66     objectClass: top
  67     objectClass: dcObject
  68     objectClass: organization
  69     o: ${domainOrg}
  70
  71     dn: cn=admin,${domainSuffix}
  72     objectClass: simpleSecurityObject
  73     objectClass: organizationalRole
  74     description: ${domainOrg} LDAP administrator
  75     roleOccupant: ${domainSuffix}
  76     userPassword:
  77
  78     dn: ou=posix,${domainSuffix}
  79     objectClass: top
  80     objectClass: organizationalUnit
  81
  82     dn: ou=accounts,ou=posix,${domainSuffix}
  83     objectClass: top
  84     objectClass: organizationalUnit
  85
  86     dn: ou=groups,ou=posix,${domainSuffix}
  87     objectClass: top
  88     objectClass: organizationalUnit
  89
  90   ''
  91   + lib.concatMapStrings posixAccount [ rec
  92     { uid = "julm";
  93       cn = "Julien Moutinho";
  94       sn = uid;
  95       uidNumber = users.julm.uid;
  96       gidNumber = groups.julm.gid;
  97       mailAlias = [ "julien.moutinho" ];
  98       userPassword = pass-chomp "members/julm/mail/hashedPassword";
  99       mailStorageDirectory =
 100         let stateDir = "/var/lib/dovecot";
 101             d=domain;
 102         in
 103         # I'm personnaly using "maildir:" instead of "sdbox:" to be able to use a local (neo)mutt on it,
 104         # bypassing IMAP because (neo)mutt support of IMAP is very bad
 105         # (can't even have a decent $folder_format (with %n or %m) working,
 106         # neither sorting them by date).
 107         "maildir:${stateDir}/home/${d}/${uid}/mail:LAYOUT=maildir++:UTF-8:CONTROL=${stateDir}/control/${d}/${uid}:INDEX=${stateDir}/index/${d}/${uid}";
 108     }
 109   ];
 110 };
 111 }