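# Pulls a read-only OpenLDAP replica (syncrepl consumer) of each configured
# host and dumps it to LDIF on a cron schedule. One slapd instance, one data
# directory and one backup directory are created per entry of `hosts`.
{ pkgs, config, lib, ... }:
let
  cfg = config.myServices.databasesReplication.openldap;

  # slapd.conf for the consumer instance of host `name`. The file lives in
  # /nix/store and is therefore world-readable, so nothing secret goes in
  # here: the syncrepl stanza carrying the bind password is pulled in with
  # `include` from the secrets path at runtime.
  ldapConfig = hcfg: name: pkgs.writeText "slapd.conf" ''
    include ${hcfg.package}/etc/schema/core.schema
    include ${hcfg.package}/etc/schema/cosine.schema
    include ${hcfg.package}/etc/schema/inetorgperson.schema
    include ${hcfg.package}/etc/schema/nis.schema
    include ${./openldap/immae.schema}
    pidfile /run/slapd_${name}/slapd.pid
    argsfile /run/slapd_${name}/slapd.args

    # NOTE(review): back_hdb is gone in OpenLDAP 2.5; moving to back_mdb
    # needs a data migration, so the backend is deliberately left alone here.
    moduleload back_hdb
    backend hdb
    database hdb

    suffix "${hcfg.base}"
    rootdn "cn=root,${hcfg.base}"
    directory ${cfg.base}/${name}/openldap

    index objectClass eq
    index uid pres,eq
    index entryUUID eq

    # slapd's default policy when no `access` line is present is anonymous
    # read on everything, and the consumer replicates every attribute
    # (attrs="*,+"), userPassword included. slapcat reads the database files
    # directly and the syncrepl engine applies updates internally, so neither
    # needs an ACL; only local root over the ldapi socket is granted read.
    access to *
      by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
      by * none

    include ${config.secrets.fullPaths."openldap_replication/${name}/replication_config"}
  '';
in
{
  options.myServices.databasesReplication.openldap = {
    enable = lib.mkEnableOption "Enable openldap replication";
    base = lib.mkOption {
      type = lib.types.path;
      description = ''
        Base path under which the per-host replica and backup directories
        (<base>/<name>/openldap, <base>/<name>/openldap_backup) are created.
      '';
    };
    hosts = lib.mkOption {
      default = {};
      description = ''
        Hosts to replicate and back up, keyed by an instance name.
      '';
      type = lib.types.attrsOf (lib.types.submodule {
        options = {
          package = lib.mkOption {
            type = lib.types.package;
            default = pkgs.openldap;
            description = ''
              Openldap package used for slapd, slapcat and the schema files
              of this host's replica.
            '';
          };
          url = lib.mkOption {
            type = lib.types.str;
            description = ''
              Provider URL to connect to (ldap:// or ldaps://). With a plain
              ldap:// URL StartTLS is required, as the bind is a simple bind.
            '';
          };
          base = lib.mkOption {
            type = lib.types.str;
            description = ''
              Base DN to replicate
            '';
          };
          dn = lib.mkOption {
            type = lib.types.str;
            description = ''
              DN used to bind to the provider
            '';
          };
          password = lib.mkOption {
            type = lib.types.str;
            description = ''
              Password used to bind to the provider. NOTE(review): the value
              is part of the evaluated NixOS configuration; whether it ends up
              in /nix/store depends on how the `secrets` module deploys its
              keys — confirm before putting a production credential here.
            '';
          };
        };
      });
    };
  };

  config = lib.mkIf cfg.enable {
    users.users.openldap = {
      description = "Openldap database user";
      group = "openldap";
      uid = config.ids.uids.openldap;
      extraGroups = [ "keys" ];
    };
    users.groups.openldap.gid = config.ids.gids.openldap;

    # Two secrets per host: the syncrepl stanza included by slapd.conf, and the
    # bare password (not consumed in this file; kept for other consumers).
    secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [
      (lib.nameValuePair "openldap_replication/${name}/replication_config" {
        user = "openldap";
        group = "openldap";
        permissions = "0400";
        # A simple bind sends the password in clear; on a plain ldap:// URL
        # StartTLS is therefore made mandatory rather than opportunistic, and
        # the provider certificate must verify in both cases.
        text = ''
          syncrepl rid=000
            provider=${hcfg.url}
            type=refreshAndPersist
            searchbase="${hcfg.base}"
            retry="5 10 300 +"
            attrs="*,+"
            schemachecking=off
            bindmethod=simple
            binddn="${hcfg.dn}"
            credentials="${hcfg.password}"
            tls_reqcert=demand
        '' + lib.optionalString (lib.hasPrefix "ldap://" hcfg.url) "  starttls=critical\n";
      })
      (lib.nameValuePair "openldap_replication/${name}/replication_password" {
        user = "openldap";
        group = "openldap";
        permissions = "0400";
        text = hcfg.password;
      })
    ]) cfg.hosts));

    services.cron = {
      enable = true;
      systemCronJobs = lib.flatten (lib.mapAttrsToList (name: hcfg:
        let
          backupDir = "${cfg.base}/${name}/openldap_backup";
          # Dumps the replica to a timestamped LDIF. slapcat reads the hdb
          # files directly, so it works while slapd runs and bypasses ACLs.
          # The dump contains password hashes: keep the files owner-only.
          # NOTE(review): the job runs as root; if slapcat ever creates
          # environment files in the data directory they will be root-owned —
          # verify against the hdb setup before relying on a long-running
          # slapd next to it.
          backup_script = pkgs.writeScript "backup_openldap_${name}" ''
            #!${pkgs.stdenv.shell}
            set -eu
            umask 077
            ${hcfg.package}/bin/slapcat -b "${hcfg.base}" -f ${ldapConfig hcfg name} -l ${backupDir}/$(${pkgs.coreutils}/bin/date -Iminutes).ldif
          '';
          u = pkgs.callPackage ./utils.nix {};
          # Thins old dumps; retention policy is defined in utils.nix.
          cleanup_script = pkgs.writeScript "cleanup_openldap_${name}" (u.exponentialDumps "ldif" backupDir);
        in [
          "0 22,4,10,16 * * * root ${backup_script}"
          "0 3 * * * root ${cleanup_script}"
        ]) cfg.hosts);
    };

    # Data and backup directories are private to the openldap user.
    system.activationScripts = lib.attrsets.mapAttrs' (name: hcfg:
      lib.attrsets.nameValuePair "openldap_replication_${name}" {
        deps = [ "users" "groups" ];
        text = ''
          install -m 0700 -o openldap -g openldap -d ${cfg.base}/${name}/openldap
          install -m 0700 -o openldap -g openldap -d ${cfg.base}/${name}/openldap_backup
        '';
      }) cfg.hosts;

    systemd.services = lib.attrsets.mapAttrs' (name: hcfg:
      let
        dataDir = "${cfg.base}/${name}/openldap";
        # Only a local ldapi socket is exposed. Without -h slapd listens on
        # ldap:/// (port 389 on every interface), which publishes the replica
        # to the network and makes a second host's instance fail on the port
        # clash. `%%` is the systemd escape for a literal percent in ExecStart.
        listener = "ldapi://%%2Frun%%2Fslapd_${name}%%2Fldapi";
      in
      lib.attrsets.nameValuePair "openldap_backup_${name}" {
        description = "Openldap replication for ${name}";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        unitConfig.RequiresMountsFor = dataDir;

        # Runtime dir holds pid/args files and the ldapi socket; root and the
        # openldap user are the only intended clients.
        preStart = ''
          install -d -m 0750 -o openldap -g openldap /run/slapd_${name}
        '';

        serviceConfig = {
          ExecStart = "${hcfg.package}/libexec/slapd -d 0 -h ${listener} -u openldap -g openldap -f ${ldapConfig hcfg name}";
        };
      }) cfg.hosts;
  };
}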