install/logical/friot/openldap/commonsoft.nix

   1 {pkgs, lib, config, ...}:
   2 let inherit (config) networking;
   3     inherit (config.services) openldap;
   4     inherit (config.users) users groups;
   5     inherit (pkgs.lib) unlines;
   6     domainSuffix = openldap.domainSuffix;
   7     posixAccount =
   8      { uid
   9      , uidNumber ? null
  10      , gidNumber ? uidNumber
  11      , cn ? ""
  12      , sn ? ""
  13      , userPassword ? "{SSHA}xeJMEPlG8UKU3iTPwOgFyadeCHwSZH+z"
  14      , mailAlias ? []
  15      , loginShell ? "/run/current-system/sw/bin/bash"
  16      , mailEnabled ? true
  17      , mailForwardingAddress ? []
  18      , domain ? networking.domain
  19      }: "\n" + lib.concatStringsSep "\n\n" [
  20       (unlines ([ ''
  21         dn: uid=${uid},ou=accounts,ou=posix,${domainSuffix}
  22         objectClass: person
  23         objectClass: posixAccount
  24         objectClass: shadowAccount
  25         objectClass: PostfixBookMailAccount
  26         objectClass: PostfixBookMailForward
  27         cn: ${cn}
  28         sn: ${sn}
  29         mail: ${uid}${lib.optionalString (networking.domain != "") "@${networking.domain}"}
  30         mailEnabled: ${if mailEnabled then "TRUE" else "FALSE"}
  31         #mailGroupMember: ${networking.domainBase}
  32         homeDirectory: /home/${uid}
  33         uidNumber: ${toString uidNumber}
  34         gidNumber: ${toString gidNumber}
  35         loginShell: ${loginShell}'' ]
  36         ++ lib.optional (userPassword != "") "userPassword: ${userPassword}"
  37         ++ map (forward: "mailForwardingAddress: ${forward}") mailForwardingAddress
  38         ++ map (alias: "mailAlias: ${alias}@${networking.domain}") mailAlias
  39         ++ lib.optional (mailAlias == []) "mailAlias:"
  40              # NOTE: required by PostfixBookMailForward
  41       ))
  42       ''
  43         dn: cn=${uid},ou=groups,ou=posix,${domainSuffix}
  44         objectClass: top
  45         objectClass: posixGroup
  46         gidNumber: ${toString gidNumber}
  47         memberUid: ${uid}
  48       ''
  49     ];
  50 in
  51 {
  52   config = lib.mkIf config.users.ldap.enable {
  53     services.openldap = {
  54       databases = {
  55         "${domainSuffix}" = {
  56           resetData = true;
  57           conf = ''
  58             # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
  59             dn: olcBackend={1}mdb,cn=config
  60             objectClass: olcBackendConfig
  61
  62             dn: olcDatabase={1}mdb,cn=config
  63             objectClass: olcDatabaseConfig
  64             objectClass: olcMdbConfig
  65             # NOTE: checkpoint the database periodically in case of system failure
  66             # and to speed slapd shutdown.
  67             olcDbCheckpoint: 512 30
  68             # Database max size is 1G
  69             olcDbMaxSize: 1073741824
  70             olcLastMod: TRUE
  71             # NOTE: database superuser. Needed for syncrepl.
  72             olcRootDN: cn=admin,${domainSuffix}
  73             # NOTE: superuser password, generated with slappasswd -h "{SSHA}" -s "$password"
  74             #olcRootPW: {SSHA}COkATGNe7rs/g8vWcYP5rqt4u5sWdMgP
  75             #
  76             olcDbIndex: objectClass eq
  77             olcDbIndex: cn,uid eq
  78             olcDbIndex: uidNumber,gidNumber eq
  79             olcDbIndex: member,memberUid eq
  80             olcDbIndex: mail eq
  81             olcDbIndex: mailAlias eq
  82             olcDbIndex: mailEnabled eq
  83             #
  84             olcAccess: to attrs=userPassword
  85               by self write
  86               by anonymous auth
  87               by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  88               by * none
  89             olcAccess: to attrs=shadowLastChange
  90               by self write
  91               by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  92               by * none
  93             olcAccess: to dn.sub="ou=posix,${domainSuffix}"
  94               by self read
  95               by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
  96               by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read
  97               by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  98             # NOTE: dovecot/auth runs as root, hence the gidNumber=0+uidNumber=0
  99             olcAccess: to *
 100               by self read
 101               by * none
 102           '';
 103           data = ''
 104             dn: ${domainSuffix}
 105             objectClass: top
 106             objectClass: dcObject
 107             objectClass: organization
 108             o: ${networking.domainBase}
 109
 110             dn: cn=admin,${domainSuffix}
 111             objectClass: simpleSecurityObject
 112             objectClass: organizationalRole
 113             description: ${networking.domainBase} LDAP administrator
 114             roleOccupant: ${domainSuffix}
 115             userPassword:
 116             #userPassword: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
 117
 118             dn: ou=posix,${domainSuffix}
 119             objectClass: top
 120             objectClass: organizationalUnit
 121
 122             dn: ou=accounts,ou=posix,${domainSuffix}
 123             objectClass: top
 124             objectClass: organizationalUnit
 125
 126             dn: ou=groups,ou=posix,${domainSuffix}
 127             objectClass: top
 128             objectClass: organizationalUnit
 129
 130             dn: cn=${networking.domainBase},ou=groups,ou=posix,${domainSuffix}
 131             objectClass: top
 132             objectClass: posixGroup
 133             gidnumber: 20000
 134             memberuid: ju
 135             memberuid: sevy
 136
 137           ''
 138           + lib.concatMapStrings posixAccount [
 139             { uid="ju"; uidNumber=10000; cn="Julien M."; sn="julm"; mailAlias = ["juju"]; }
 140             { uid="sevy"; uidNumber=10001; cn="Séverine P."; sn="sévy"; mailAlias = ["severine.popek" "ouais-ouais"]; }
 141             { uid="nomail"; uidNumber=10002; mailAlias = ["noalias"]; mailEnabled = false; }
 142             { uid="post"; domain="friot"; mailForwardingAddress = ["ju@${networking.domain}"]; }
 143             { uid="host"; mailForwardingAddress = ["ju@${networking.domain}"]; }
 144           ];
 145         };
 146       };
 147     };
 148   };
 149 }