install/logical/friot/openldap/commonsoft.coop.nix

   1 {pkgs, lib, config, ...}:
   2 let inherit (config.services) openldap;
   3     inherit (config.users) users groups;
   4     domainSuffix = openldap.domainSuffix;
   5 in
   6 {
   7   config = {
   8     services.openldap = {
   9       databases = {
  10         "${domainSuffix}" = {
  11           resetData = true;
  12           conf = ''
  13             # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
  14             dn: olcBackend={1}mdb,cn=config
  15             objectClass: olcBackendConfig
  16
  17             dn: olcDatabase={1}mdb,cn=config
  18             objectClass: olcDatabaseConfig
  19             objectClass: olcMdbConfig
  20             # NOTE: checkpoint the database periodically in case of system failure
  21             # and to speed slapd shutdown.
  22             olcDbCheckpoint: 512 30
  23             # Database max size is 1G
  24             olcDbMaxSize: 1073741824
  25             olcLastMod: TRUE
  26             # NOTE: database superuser. Needed for syncrepl.
  27             olcRootDN: cn=admin,${domainSuffix}
  28             # NOTE: superuser password, generated with slappasswd -s SECRET
  29             # FIXME: remove when dovecot2 compiled with SASL
  30             olcRootPW: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
  31             #
  32             olcDbIndex: objectClass eq
  33             olcDbIndex: cn,uid eq
  34             olcDbIndex: uidNumber,gidNumber eq
  35             olcDbIndex: member,memberUid eq
  36             olcDbIndex: mail eq
  37             olcDbIndex: mailEnabled eq
  38             olcDbIndex: mailacceptinggeneralid eq
  39             #
  40             olcAccess: to attrs=userPassword
  41               by self write
  42               by anonymous auth
  43               by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  44               by * none
  45             olcAccess: to attrs=shadowLastChange
  46               by self write
  47               by * none
  48             olcAccess: to dn.sub="ou=posix,${domainSuffix}"
  49               by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
  50               by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read
  51               by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  52             # NOTE: dovecot/auth runs as root, hence the gidNumber=0+uidNumber=0
  53             olcAccess: to *
  54               by self read
  55               by * none
  56           '';
  57           data = ''
  58             dn: ${domainSuffix}
  59             objectClass: top
  60             objectClass: dcObject
  61             objectClass: organization
  62             o: ${config.networking.baseName}
  63
  64             dn: cn=admin,${domainSuffix}
  65             objectClass: simpleSecurityObject
  66             objectClass: organizationalRole
  67             description: ${config.networking.baseName} LDAP administrator
  68             roleOccupant: ${domainSuffix}
  69             userPassword:
  70             #userPassword: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
  71
  72             dn: ou=posix,${domainSuffix}
  73             objectClass: top
  74             objectClass: organizationalUnit
  75
  76             dn: ou=accounts,ou=posix,${domainSuffix}
  77             objectClass: top
  78             objectClass: organizationalUnit
  79
  80             dn: ou=groups,ou=posix,${domainSuffix}
  81             objectClass: top
  82             objectClass: organizationalUnit
  83
  84             dn: cn=users,ou=groups,ou=posix,${domainSuffix}
  85             objectclass: top
  86             objectclass: posixGroup
  87             gidnumber: 10000
  88             memberuid: ju
  89             memberuid: sevy
  90
  91             #dn: cn=dovemail,ou=groups,ou=posix,${domainSuffix}
  92             #objectclass: top
  93             #objectclass: posixGroup
  94             #gidnumber: 497
  95             # # FIXME: do not hardcode this gid
  96             #memberuid: ju
  97             #memberuid: sevy
  98
  99             dn: uid=ju,ou=accounts,ou=posix,${domainSuffix}
 100             #objectClass: account
 101             objectclass: person
 102             objectClass: posixAccount
 103             objectclass: postfixUser
 104             objectclass: PostfixBookMailAccount
 105             objectclass: PostfixBookMailForward
 106             cn: Julien M.
 107             sn: julm
 108             mail: ju@commonsoft.coop
 109             mailAlias: juju@commonsoft.coop
 110             uidNumber: 10000
 111             gidNumber: 497
 112             homeDirectory: /home/ju
 113             loginShell: /run/current-system/sw/bin/bash
 114             userPassword: {SSHA}144Rfau9KJ14U0U4KdLNB7OrtpiEc3E3
 115
 116             dn: uid=sevy,ou=accounts,ou=posix,${domainSuffix}
 117             #objectClass: account
 118             objectclass: person
 119             objectClass: posixAccount
 120             objectclass: postfixUser
 121             objectclass: PostfixBookMailAccount
 122             objectclass: PostfixBookMailForward
 123             cn: Séverine P.
 124             sn: sévy
 125             mail: sevy@commonsoft.coop
 126             mailAlias: severine.popek@commonsoft.coop
 127             uidNumber: 10001
 128             gidNumber: 10000
 129             homeDirectory: /home/sevy
 130             loginShell: /run/current-system/sw/bin/bash
 131             userPassword: {SSHA}dwqaKo5nmId8Bym5PghloK+UEndwrVTN
 132           '';
 133         };
 134       };
 135     };
 136   };
 137 }