]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/openldap/sourcephile.nix
nix: fix nixpkgs-channel and gpg-agent
[sourcephile-nix.git] / servers / mermet / openldap / sourcephile.nix
1 {pkgs, lib, config, ...}:
2 let inherit (builtins) hasAttr;
3 inherit (config) networking;
4 inherit (config.services) openldap;
5 inherit (config.users) users groups;
6 inherit (pkgs.lib) unlines;
7 domainSuffix = openldap.domainSuffix;
8 posixAccount =
9 { uid
10 , uidNumber ? null
11 , gidNumber ? uidNumber
12 , cn ? ""
13 , sn ? ""
14 , userPassword ? "{SSHA}JtC8S4nzm+eX9cVgbyL6gquPWDZD4xXY"
15 # NOTE: doveadm pw -s SSHA -u $user -p $pass
16 , mailAlias ? []
17 , loginShell ? "/run/current-system/sw/bin/bash"
18 , mailEnabled ? true
19 , mailForwardingAddress ? []
20 , domain ? networking.domain
21 }: "\n" + lib.concatStringsSep "\n\n" [
22 (unlines ([ ''
23 dn: uid=${uid},ou=accounts,ou=posix,${domainSuffix}
24 objectClass: person
25 objectClass: posixAccount
26 objectClass: shadowAccount
27 objectClass: PostfixBookMailAccount
28 objectClass: PostfixBookMailForward
29 cn: ${cn}
30 sn: ${sn}
31 mail: ${uid}${lib.optionalString (networking.domain != "") "@${networking.domain}"}
32 mailEnabled: ${if mailEnabled then "TRUE" else "FALSE"}
33 #mailGroupMember: ${networking.domainBase}
34 homeDirectory: /home/${uid}
35 uidNumber: ${toString uidNumber}
36 gidNumber: ${toString gidNumber}
37 loginShell: ${loginShell}'' ]
38 ++ lib.optional (userPassword != "") "userPassword: ${userPassword}"
39 ++ map (forward: "mailForwardingAddress: ${forward}") mailForwardingAddress
40 ++ map (alias: "mailAlias: ${alias}@${networking.domain}") mailAlias
41 ++ lib.optional (mailAlias == []) "mailAlias:"
42 # NOTE: required by PostfixBookMailForward
43 ))
44 ''
45 dn: cn=${uid},ou=groups,ou=posix,${domainSuffix}
46 objectClass: top
47 objectClass: posixGroup
48 gidNumber: ${toString gidNumber}
49 memberUid: ${uid}
50 ''
51 ];
52 in
53 {
54 config = lib.mkIf config.users.ldap.enable {
55 services.openldap = {
56 databases = {
57 "${domainSuffix}" = {
58 #
59 #
60 # WARNING: this deletes data.
61 #
62 #
63 resetData = true;
64 conf = ''
65 # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
66 dn: olcBackend={1}mdb,cn=config
67 objectClass: olcBackendConfig
68
69 dn: olcDatabase={1}mdb,cn=config
70 objectClass: olcDatabaseConfig
71 objectClass: olcMdbConfig
72 # NOTE: checkpoint the database periodically in case of system failure
73 # and to speed slapd shutdown.
74 olcDbCheckpoint: 512 30
75 # Database max size is 1G
76 olcDbMaxSize: 1073741824
77 olcLastMod: TRUE
78 # NOTE: database superuser. Needed for syncrepl.
79 olcRootDN: cn=admin,${domainSuffix}
80 # NOTE: superuser password, generated with slappasswd -h "{SSHA}" -s "$password"
81 #olcRootPW: {SSHA}COkATGNe7rs/g8vWcYP5rqt4u5sWdMgP
82 #
83 olcDbIndex: objectClass eq
84 olcDbIndex: cn,uid eq
85 olcDbIndex: uidNumber,gidNumber eq
86 olcDbIndex: member,memberUid eq
87 olcDbIndex: mail eq
88 olcDbIndex: mailAlias eq
89 olcDbIndex: mailEnabled eq
90 #
91 olcAccess: to attrs=userPassword
92 by self write
93 by anonymous auth
94 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
95 by * none
96 olcAccess: to attrs=shadowLastChange
97 by self write
98 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
99 by * none
100 olcAccess: to dn.sub="ou=posix,${domainSuffix}"
101 by self read
102 by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
103 ${lib.optionalString (hasAttr "postfix" users) ''by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read''}
104 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
105 # NOTE: dovecot/auth runs as root, hence the gidNumber=0+uidNumber=0
106 olcAccess: to *
107 by self read
108 by * none
109 '';
110 data = ''
111 dn: ${domainSuffix}
112 objectClass: top
113 objectClass: dcObject
114 objectClass: organization
115 o: ${networking.domainBase}
116
117 dn: cn=admin,${domainSuffix}
118 objectClass: simpleSecurityObject
119 objectClass: organizationalRole
120 description: ${networking.domainBase} LDAP administrator
121 roleOccupant: ${domainSuffix}
122 userPassword:
123 #userPassword: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
124
125 dn: ou=posix,${domainSuffix}
126 objectClass: top
127 objectClass: organizationalUnit
128
129 dn: ou=accounts,ou=posix,${domainSuffix}
130 objectClass: top
131 objectClass: organizationalUnit
132
133 dn: ou=groups,ou=posix,${domainSuffix}
134 objectClass: top
135 objectClass: organizationalUnit
136
137 dn: cn=${networking.domainBase},ou=groups,ou=posix,${domainSuffix}
138 objectClass: top
139 objectClass: posixGroup
140 gidNumber: 20000
141 memberUid: ju
142 memberUid: sevy
143
144 ''
145 + lib.concatMapStrings posixAccount [
146 { uid="julm"; uidNumber=10000; cn="Julien Moutinho"; sn="julm"; mailAlias = ["julien.moutinho"]; }
147 { uid="sevy"; uidNumber=10001; cn="Séverine Popek"; sn="sévy"; mailAlias = ["severine.popek" "ouais-ouais"]; }
148 #{ uid="nomail"; uidNumber=10002; mailAlias = ["noalias"]; mailEnabled = false; }
149 #{ uid="post"; domain="friot"; mailForwardingAddress = ["ju@${networking.domain}"]; }
150 #{ uid="host"; mailForwardingAddress = ["ju@${networking.domain}"]; }
151 ];
152 };
153 };
154 };
155 };
156 }