1 { pkgs, lib, config, ... }:
3 inherit (builtins) hasAttr;
4 inherit (builtins.extraBuiltins) pass-chomp;
5 inherit (config) networking;
6 inherit (config.services) openldap postfix dovecot2;
7 inherit (config.users) users groups;
8 inherit (pkgs.lib) unlines;
9 domain = "sourcephile.fr";
10 domainGroup = "sourcephile";
11 domainOrg = "sourcephile";
12 domainSuffix = "dc=" + lib.concatStringsSep ",dc=" (lib.splitString "." domain);
13 posixAccount = pkgs.callPackage (import ./posixAccount.nix) { inherit domain domainSuffix domainGroup; };
16 # DEBUG: echo "$(nixops show-option mermet -d production services.openldap.databases."g".data)"
17 services.openldap.databases."${domainSuffix}" = {
18 # DEBUG: sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
19 # WARNING: newlines matter
21 dn: olcDatabase=mdb,cn=config
22 objectClass: olcDatabaseConfig
23 objectClass: olcMdbConfig
24 # Checkpoint the database periodically in case of system failure
25 # and to speed up slapd shutdown.
26 olcDbCheckpoint: 512 30
27 # Database max size is 1G
28 olcDbMaxSize: 1073741824
30 # Database superuser. Needed for syncrepl.
31 olcRootDN: cn=admin,${domainSuffix}
32 # Superuser password, generated with slappasswd -h "{SSHA}"
33 # Commented-out because SASL EXTERNAL mechanism is used.
34 #olcRootPW: {SSHA}COkATGNe7rs/g8vWcYP5rqt4u5sWdMgP
36 olcDbIndex: objectClass eq
38 olcDbIndex: uidNumber,gidNumber eq
39 olcDbIndex: member,memberUid eq
41 olcDbIndex: mailAlias eq
42 olcDbIndex: mailEnabled eq
44 olcAccess: to attrs=userPassword
47 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
49 olcAccess: to attrs=shadowLastChange
51 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
53 olcAccess: to dn.sub="ou=posix,${domainSuffix}"
55 by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
56 ${lib.optionalString (hasAttr postfix.user users) ''by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read''}
57 ${lib.optionalString (hasAttr dovecot2.user users) ''by dn="gidNumber=${toString groups.dovecot2.gid}+uidNumber=${toString users.dovecot2.uid},cn=peercred,cn=external,cn=auth" read''}
58 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
67 objectClass: organization
70 dn: cn=admin,${domainSuffix}
71 objectClass: simpleSecurityObject
72 objectClass: organizationalRole
73 description: ${domainOrg} LDAP administrator
74 roleOccupant: ${domainSuffix}
77 dn: ou=posix,${domainSuffix}
79 objectClass: organizationalUnit
81 dn: ou=accounts,ou=posix,${domainSuffix}
83 objectClass: organizationalUnit
85 dn: ou=groups,ou=posix,${domainSuffix}
87 objectClass: organizationalUnit
89 dn: cn=${domainGroup},ou=groups,ou=posix,${domainSuffix}
91 objectClass: posixGroup
97 + lib.concatMapStrings posixAccount [ rec
99 cn = "Julien Moutinho";
101 uidNumber = users.julm.uid;
102 gidNumber = groups.julm.gid;
103 mailAlias = [ "julien.moutinho" ];
104 userPassword = pass-chomp "members/julm/mail/hashedPassword";
105 mailStorageDirectory =
106 let stateDir = "/var/lib/dovecot";
109 # I'm personnaly using "maildir:" instead of "sdbox:" to be able to use a local (neo)mutt on it,
110 # bypassing IMAP because (neo)mutt support of IMAP is very bad
111 # (can't even have a decent $folder_format (with %n or %m) working,
112 # neither sorting them by date).
113 "maildir:${stateDir}/mail/${d}/${uid}/mail.d:LAYOUT=maildir++:UTF-8:CONTROL=${stateDir}/control/${d}/${uid}:INDEX=${stateDir}/index/${d}/${uid}";
115 #{ uid="sevy"; uidNumber=10001; cn="Séverine Popek"; sn="sévy";
116 # mailAlias = ["severine.popek" "ouais-ouais"]; }
117 #{ uid="nomail"; uidNumber=10002; mailAlias = ["noalias"]; mailEnabled = false; }
118 #{ uid="post"; mailForwardingAddress = ["ju@${domain}"]; }
119 #{ uid="host"; mailForwardingAddress = ["ju@${domain}"]; }
sourcephile / git / sourcephile-nix.git / blob