]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/openldap/autogeree.net.nix
mermet: creds: reencrypt
[sourcephile-nix.git] / hosts / mermet / openldap / autogeree.net.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) hasAttr;
4 inherit (config.services) openldap postfix dovecot2;
5 inherit (config.users) users groups;
6 domain = "autogeree.net";
7 domainGroup = "autogeree";
8 domainOrg = "autogeree";
9 domainSuffix = "dc=" + lib.concatStringsSep ",dc=" (lib.splitString "." domain);
10 posixAccount = pkgs.callPackage (import ./posixAccount.nix) { inherit domain domainSuffix domainGroup; };
11 in
12 {
13 users.groups."${domainGroup}" = {
14 gid = 20001;
15 members = [
16 users."julm".name
17 ];
18 };
19 services.openldap = {
20 # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={2}mdb,cn=config' -s sub
21 settings.children."olcDatabase={2}mdb".attrs = {
22 objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
23 olcDatabase = "{2}mdb";
24 olcSuffix = domainSuffix;
25 olcDbDirectory = "/var/lib/openldap/${domainSuffix}";
26 olcDbIndex = [
27 "objectClass eq"
28 "cn,uid eq"
29 "uidNumber,gidNumber eq"
30 "member,memberUid eq"
31 "mail eq"
32 "mailAlias eq"
33 "mailEnabled eq"
34 ];
35 olcAccess = [
36 ''to attrs=userPassword
37 by self write
38 by anonymous auth
39 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
40 by * none
41 ''
42 ''to attrs=shadowLastChange
43 by self write
44 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
45 by * none
46 ''
47 ''to dn.sub="ou=posix,${domainSuffix}"
48 by self read
49 ${lib.optionalString (hasAttr postfix.user users) ''by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read''}
50 ${lib.optionalString (hasAttr dovecot2.user users) ''by dn="gidNumber=${toString groups.dovecot2.gid}+uidNumber=${toString users.dovecot2.uid},cn=peercred,cn=external,cn=auth" read''}
51 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
52 ''
53 ''to *
54 by self read
55 by * none
56 ''
57 ];
58 # Checkpoint the database periodically in case of system failure
59 # and to speed up slapd shutdown.
60 olcDbCheckpoint = "512 30";
61 # Database max size is 1G
62 olcDbMaxSize = "1073741824";
63 olcLastMod = "TRUE";
64 # Database superuser. Needed for syncrepl.
65 olcRootDN = "cn=admin,${domainSuffix}";
66 # Superuser password, generated with slappasswd -h "{SSHA}"
67 # Commented-out because SASL EXTERNAL mechanism is used.
68 #olcRootPW = "{SSHA}COkATGNe7rs/g8vWcYP5rqt4u5sWdMgP";
69 };
70 # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'ou=posix,dc=autogeree,dc=net' -s sub
71 declarativeContents."${domainSuffix}" = ''
72 dn: ${domainSuffix}
73 objectClass: top
74 objectClass: dcObject
75 objectClass: organization
76 o: ${domainOrg}
77
78 dn: cn=admin,${domainSuffix}
79 objectClass: simpleSecurityObject
80 objectClass: organizationalRole
81 description: ${domainOrg} LDAP administrator
82 roleOccupant: ${domainSuffix}
83 userPassword:
84
85 dn: ou=posix,${domainSuffix}
86 objectClass: top
87 objectClass: organizationalUnit
88
89 dn: ou=accounts,ou=posix,${domainSuffix}
90 objectClass: top
91 objectClass: organizationalUnit
92
93 dn: ou=groups,ou=posix,${domainSuffix}
94 objectClass: top
95 objectClass: organizationalUnit
96
97 ''
98 /*
99 dn: cn=${domainGroup},ou=groups,ou=posix,${domainSuffix}
100 objectClass: top
101 objectClass: posixGroup
102 gidNumber: 20000
103 memberUid: julm
104
105 dn: cn=autogeree,ou=groups,ou=posix,${domainSuffix}
106 objectClass: top
107 objectClass: posixGroup
108 gidNumber: 20001
109 memberUid: julm
110 */
111 + lib.concatMapStrings posixAccount [
112 rec {
113 uid = "julm";
114 cn = "Julien Moutinho";
115 sn = uid;
116 uidNumber = users."julm".uid;
117 gidNumber = groups."users".gid;
118 mailAlias = [ "julien.moutinho" ];
119 userPassword = builtins.readFile (./. + "/${domain}/${uid}/hashedPassword.clear");
120 mailHomeDirectory = "/home/${uid}/mail/${domain}";
121 mailQuota = "1G";
122 mailStorageDirectory =
123 let stateDir = "/var/lib/dovecot"; in
124 # I'm personnaly using "maildir:" instead of "sdbox:" to be able to use a local (neo)mutt on it,
125 # bypassing IMAP because (neo)mutt support of IMAP is very bad
126 # (can't even have a decent $folder_format (with %n or %m) working,
127 # neither sorting them by date).
128 # WARNING: regarding the atomicity of backuping,
129 # it's not a good idea to put the mails
130 # and the index/control on different ZFS datasets like here.
131 "maildir:/home/${uid}/mail/${domain}/mail:LAYOUT=maildir++:UTF-8:CONTROL=${stateDir}/control/${domain}/${uid}:INDEX=${stateDir}/index/${domain}/${uid}";
132 }
133 ];
134 };
135 }