1 { pkgs, lib, config, ... }:
3 inherit (builtins) hasAttr;
4 inherit (builtins.extraBuiltins) pass-chomp;
5 inherit (config) networking;
6 inherit (config.services) openldap postfix dovecot2;
7 inherit (config.users) users groups;
8 inherit (pkgs.lib) unlines;
9 domain = "autogeree.net";
10 domainGroup = "autogeree";
11 domainOrg = "autogeree";
12 domainSuffix = "dc=" + lib.concatStringsSep ",dc=" (lib.splitString "." domain);
13 posixAccount = pkgs.callPackage (import ./posixAccount.nix) { inherit domain domainSuffix domainGroup; };
16 services.openldap.databases."${domainSuffix}" = {
17 # WARNING: newlines matter
19 dn: olcDatabase=mdb,cn=config
20 objectClass: olcDatabaseConfig
21 objectClass: olcMdbConfig
22 # Checkpoint the database periodically in case of system failure
23 # and to speed up slapd shutdown.
24 olcDbCheckpoint: 512 30
25 # Database max size is 1G
26 olcDbMaxSize: 1073741824
28 # Database superuser. Needed for syncrepl.
29 olcRootDN: cn=admin,${domainSuffix}
30 # Superuser password, generated with slappasswd -h "{SSHA}"
31 # Commented-out because SASL EXTERNAL mechanism is used.
32 #olcRootPW: {SSHA}COkATGNe7rs/g8vWcYP5rqt4u5sWdMgP
34 olcDbIndex: objectClass eq
36 olcDbIndex: uidNumber,gidNumber eq
37 olcDbIndex: member,memberUid eq
39 olcDbIndex: mailAlias eq
40 olcDbIndex: mailEnabled eq
42 olcAccess: to attrs=userPassword
45 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
47 olcAccess: to attrs=shadowLastChange
49 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
51 olcAccess: to dn.sub="ou=posix,${domainSuffix}"
53 ${lib.optionalString (hasAttr postfix.user users) ''by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read''}
54 ${lib.optionalString (hasAttr dovecot2.user users) ''by dn="gidNumber=${toString groups.dovecot2.gid}+uidNumber=${toString users.dovecot2.uid},cn=peercred,cn=external,cn=auth" read''}
55 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
64 objectClass: organization
67 dn: cn=admin,${domainSuffix}
68 objectClass: simpleSecurityObject
69 objectClass: organizationalRole
70 description: ${domainOrg} LDAP administrator
71 roleOccupant: ${domainSuffix}
74 dn: ou=posix,${domainSuffix}
76 objectClass: organizationalUnit
78 dn: ou=accounts,ou=posix,${domainSuffix}
80 objectClass: organizationalUnit
82 dn: ou=groups,ou=posix,${domainSuffix}
84 objectClass: organizationalUnit
86 dn: cn=${domainGroup},ou=groups,ou=posix,${domainSuffix}
88 objectClass: posixGroup
93 + lib.concatMapStrings posixAccount [ rec
95 cn = "Julien Moutinho";
97 uidNumber = users.julm.uid;
98 gidNumber = groups.julm.gid;
99 mailAlias = [ "julien.moutinho" ];
100 userPassword = pass-chomp "members/julm/mail/hashedPassword";
101 mailStorageDirectory =
102 let stateDir = "/var/lib/dovecot";
105 # I'm personnaly using "maildir:" instead of "sdbox:" to be able to use a local (neo)mutt on it,
106 # bypassing IMAP because (neo)mutt support of IMAP is very bad
107 # (can't even have a decent $folder_format (with %n or %m) working,
108 # neither sorting them by date).
109 "maildir:${stateDir}/mail/${d}/${uid}/mail.d:LAYOUT=maildir++:UTF-8:CONTROL=${stateDir}/control/${d}/${uid}:INDEX=${stateDir}/index/${d}/${uid}";
sourcephile / git / sourcephile-nix.git / blob