servers/mermet/openldap/sourcephile.nix

   1 {pkgs, lib, config, ...}:
   2 let inherit (builtins) hasAttr;
   3     inherit (config) networking;
   4     inherit (config.services) openldap;
   5     inherit (config.users) users groups;
   6     inherit (pkgs.lib) unlines;
   7     domainSuffix = openldap.domainSuffix;
   8     posixAccount =
   9      { uid
  10      , uidNumber ? null
  11      , gidNumber ? uidNumber
  12      , cn ? ""
  13      , sn ? ""
  14      , userPassword ? "{SSHA}JtC8S4nzm+eX9cVgbyL6gquPWDZD4xXY"
  15        # NOTE: doveadm pw -s SSHA -u $user -p $pass
  16      , mailAlias ? []
  17      , loginShell ? "/run/current-system/sw/bin/bash"
  18      , mailEnabled ? true
  19      , mailForwardingAddress ? []
  20      , domain ? networking.domain
  21      }: "\n" + lib.concatStringsSep "\n\n" [
  22       (unlines ([ ''
  23         dn: uid=${uid},ou=accounts,ou=posix,${domainSuffix}
  24         objectClass: person
  25         objectClass: posixAccount
  26         objectClass: shadowAccount
  27         objectClass: PostfixBookMailAccount
  28         objectClass: PostfixBookMailForward
  29         cn: ${cn}
  30         sn: ${sn}
  31         mail: ${uid}${lib.optionalString (networking.domain != "") "@${networking.domain}"}
  32         mailEnabled: ${if mailEnabled then "TRUE" else "FALSE"}
  33         #mailGroupMember: ${networking.domainBase}
  34         homeDirectory: /home/${uid}
  35         uidNumber: ${toString uidNumber}
  36         gidNumber: ${toString gidNumber}
  37         loginShell: ${loginShell}'' ]
  38         ++ lib.optional (userPassword != "") "userPassword: ${userPassword}"
  39         ++ map (forward: "mailForwardingAddress: ${forward}") mailForwardingAddress
  40         ++ map (alias: "mailAlias: ${alias}@${networking.domain}") mailAlias
  41         ++ lib.optional (mailAlias == []) "mailAlias:"
  42              # NOTE: required by PostfixBookMailForward
  43       ))
  44       ''
  45         dn: cn=${uid},ou=groups,ou=posix,${domainSuffix}
  46         objectClass: top
  47         objectClass: posixGroup
  48         gidNumber: ${toString gidNumber}
  49         memberUid: ${uid}
  50       ''
  51     ];
  52 in
  53 {
  54   config = lib.mkIf config.users.ldap.enable {
  55     services.openldap = {
  56       databases = {
  57         "${domainSuffix}" = {
  58           resetData = true;
  59           conf = ''
  60             # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
  61             dn: olcBackend={1}mdb,cn=config
  62             objectClass: olcBackendConfig
  63
  64             dn: olcDatabase={1}mdb,cn=config
  65             objectClass: olcDatabaseConfig
  66             objectClass: olcMdbConfig
  67             # NOTE: checkpoint the database periodically in case of system failure
  68             # and to speed slapd shutdown.
  69             olcDbCheckpoint: 512 30
  70             # Database max size is 1G
  71             olcDbMaxSize: 1073741824
  72             olcLastMod: TRUE
  73             # NOTE: database superuser. Needed for syncrepl.
  74             olcRootDN: cn=admin,${domainSuffix}
  75             # NOTE: superuser password, generated with slappasswd -h "{SSHA}" -s "$password"
  76             #olcRootPW: {SSHA}COkATGNe7rs/g8vWcYP5rqt4u5sWdMgP
  77             #
  78             olcDbIndex: objectClass eq
  79             olcDbIndex: cn,uid eq
  80             olcDbIndex: uidNumber,gidNumber eq
  81             olcDbIndex: member,memberUid eq
  82             olcDbIndex: mail eq
  83             olcDbIndex: mailAlias eq
  84             olcDbIndex: mailEnabled eq
  85             #
  86             olcAccess: to attrs=userPassword
  87               by self write
  88               by anonymous auth
  89               by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  90               by * none
  91             olcAccess: to attrs=shadowLastChange
  92               by self write
  93               by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  94               by * none
  95             olcAccess: to dn.sub="ou=posix,${domainSuffix}"
  96               by self read
  97               by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
  98               ${lib.optionalString (hasAttr "postfix" users) ''by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read''}
  99               by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
 100             # NOTE: dovecot/auth runs as root, hence the gidNumber=0+uidNumber=0
 101             olcAccess: to *
 102               by self read
 103               by * none
 104           '';
 105           data = ''
 106             dn: ${domainSuffix}
 107             objectClass: top
 108             objectClass: dcObject
 109             objectClass: organization
 110             o: ${networking.domainBase}
 111
 112             dn: cn=admin,${domainSuffix}
 113             objectClass: simpleSecurityObject
 114             objectClass: organizationalRole
 115             description: ${networking.domainBase} LDAP administrator
 116             roleOccupant: ${domainSuffix}
 117             userPassword:
 118             #userPassword: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
 119
 120             dn: ou=posix,${domainSuffix}
 121             objectClass: top
 122             objectClass: organizationalUnit
 123
 124             dn: ou=accounts,ou=posix,${domainSuffix}
 125             objectClass: top
 126             objectClass: organizationalUnit
 127
 128             dn: ou=groups,ou=posix,${domainSuffix}
 129             objectClass: top
 130             objectClass: organizationalUnit
 131
 132             dn: cn=${networking.domainBase},ou=groups,ou=posix,${domainSuffix}
 133             objectClass: top
 134             objectClass: posixGroup
 135             gidNumber: 20000
 136             memberUid: ju
 137             memberUid: sevy
 138
 139           ''
 140           + lib.concatMapStrings posixAccount [
 141             { uid="julm"; uidNumber=10000; cn="Julien Moutinho"; sn="julm"; mailAlias = ["julien.moutinho"]; }
 142             { uid="sevy"; uidNumber=10001; cn="Séverine Popek"; sn="sévy"; mailAlias = ["severine.popek" "ouais-ouais"]; }
 143             #{ uid="nomail"; uidNumber=10002; mailAlias = ["noalias"]; mailEnabled = false; }
 144             #{ uid="post"; domain="friot"; mailForwardingAddress = ["ju@${networking.domain}"]; }
 145             #{ uid="host"; mailForwardingAddress = ["ju@${networking.domain}"]; }
 146           ];
 147         };
 148       };
 149     };
 150   };
 151 }