]>
Commit | Line | Data |
---|---|---|
1a64deeb IB |
1 | { lib, pkgs, config, openldap, ... }: |
2 | let | |
3 | cfg = config.myServices.databases.openldap; | |
4 | in | |
5 | { | |
6 | options.myServices.databases = { | |
7 | openldap = { | |
8 | enable = lib.mkOption { | |
9 | default = false; | |
10 | example = true; | |
11 | description = "Whether to enable ldap"; | |
12 | type = lib.types.bool; | |
13 | }; | |
14 | baseDn = lib.mkOption { | |
15 | type = lib.types.str; | |
16 | description = '' | |
17 | Base DN for LDAP | |
18 | ''; | |
19 | }; | |
20 | rootDn = lib.mkOption { | |
21 | type = lib.types.str; | |
22 | description = '' | |
23 | Root DN | |
24 | ''; | |
25 | }; | |
26 | rootPw = lib.mkOption { | |
27 | type = lib.types.str; | |
28 | description = '' | |
29 | Root (Hashed) password | |
30 | ''; | |
31 | }; | |
32 | accessFile = lib.mkOption { | |
33 | type = lib.types.path; | |
34 | description = '' | |
35 | The file path that defines the access | |
36 | ''; | |
37 | }; | |
38 | dataDir = lib.mkOption { | |
39 | type = lib.types.path; | |
40 | default = "/var/lib/openldap/mdb"; | |
41 | description = '' | |
42 | The directory where Openldap stores its data. | |
43 | ''; | |
44 | }; | |
45 | socketsDir = lib.mkOption { | |
46 | type = lib.types.path; | |
47 | default = "/run/openldap"; | |
48 | description = '' | |
49 | The directory where Openldap puts sockets and pid files. | |
50 | ''; | |
51 | }; | |
52 | # Output variables | |
53 | pids = lib.mkOption { | |
54 | type = lib.types.attrsOf lib.types.path; | |
55 | default = { | |
56 | pid = "${cfg.socketsDir}/slapd.pid"; | |
57 | args = "${cfg.socketsDir}/slapd.args"; | |
58 | }; | |
59 | readOnly = true; | |
60 | description = '' | |
61 | Slapd pid files | |
62 | ''; | |
63 | }; | |
64 | }; | |
65 | }; | |
66 | ||
67 | config = lib.mkIf cfg.enable { | |
68 | myServices.dns.zones."immae.eu".subdomains.ldap = | |
69 | with config.myServices.dns.helpers; ips servers.eldiron.ips.main; | |
70 | ||
71 | nixpkgs.overlays = [ | |
72 | (self: super: { | |
73 | openldap_libressl_cyrus = (self.openldap.override { | |
74 | openssl = self.libressl; | |
75 | cyrus_sasl = self.cyrus_sasl.overrideAttrs (old: { | |
76 | configureFlags = old.configureFlags ++ [ "--with-configdir=/etc/sasl2" ]; | |
77 | }); | |
78 | }).overrideAttrs (old: { | |
79 | configureFlags = old.configureFlags ++ [ "--with-cyrus-sasl" "--enable-spasswd" ]; | |
80 | }); | |
81 | }) | |
82 | ]; | |
83 | ||
84 | secrets.keys = { | |
85 | "ldap/password" = { | |
86 | permissions = "0400"; | |
87 | user = "openldap"; | |
88 | group = "openldap"; | |
89 | text = "${cfg.rootPw}"; | |
90 | }; | |
91 | "ldap/access" = { | |
92 | permissions = "0400"; | |
93 | user = "openldap"; | |
94 | group = "openldap"; | |
95 | text = builtins.readFile cfg.accessFile; | |
96 | }; | |
97 | "ldap" = { | |
98 | permissions = "0500"; | |
99 | user = "openldap"; | |
100 | group = "openldap"; | |
101 | isDir = true; | |
102 | }; | |
103 | }; | |
104 | users.users.openldap.extraGroups = [ "keys" ]; | |
105 | networking.firewall.allowedTCPPorts = [ 636 389 ]; | |
106 | ||
107 | security.acme.certs."ldap" = { | |
108 | group = "openldap"; | |
109 | domain = "ldap.immae.eu"; | |
110 | postRun = '' | |
111 | systemctl restart openldap.service | |
112 | ''; | |
113 | }; | |
114 | ||
115 | services.filesWatcher.openldap = { | |
116 | restart = true; | |
117 | paths = [ config.secrets.fullPaths."ldap" ]; | |
118 | }; | |
119 | ||
120 | services.openldap = { | |
121 | enable = true; | |
122 | urlList = [ "ldap://" "ldaps://" ]; | |
123 | package = pkgs.openldap_libressl_cyrus; | |
124 | settings = { | |
125 | attrs = { | |
126 | olcPidFile = cfg.pids.pid; | |
127 | olcArgsFile = cfg.pids.args; | |
128 | olcLogLevel = "none"; | |
129 | olcTLSCertificateFile = "${config.security.acme.certs.ldap.directory}/cert.pem"; | |
130 | olcTLSCertificateKeyFile = "${config.security.acme.certs.ldap.directory}/key.pem"; | |
131 | olcTLSCACertificateFile = "${config.security.acme.certs.ldap.directory}/fullchain.pem"; | |
132 | olcTLSCACertificatePath = "${pkgs.cacert.unbundled}/etc/ssl/certs/"; | |
133 | # This makes openldap crash | |
134 | # olcTLSCipherSuite = "DEFAULT"; | |
135 | #olcSaslHost = "kerberos.immae.eu"; | |
136 | # Map sasl "dn" to ldap dn | |
137 | #olcAuthzRegexp = ''{0}"uid=([^,]*)(,cn=IMMAE.EU)?,cn=(gssapi|gss-spnego),cn=auth" "uid=$1,ou=users,dc=immae,dc=eu"''; | |
138 | }; | |
139 | children = { | |
140 | "cn=module{0}" = { | |
141 | attrs = { | |
142 | cn = "module{0}"; | |
143 | objectClass = [ "olcModuleList" ]; | |
144 | olcModuleLoad = [ "{0}back_mdb" "{1}memberof" "{2}syncprov" ]; | |
145 | }; | |
146 | }; | |
147 | "cn=schema".includes = map (schema: | |
148 | "${config.services.openldap.package}/etc/schema/${schema}.ldif" | |
149 | ) [ "core" "cosine" "inetorgperson" "nis" ] ++ [ | |
150 | "${openldap.immae-ldif}" | |
151 | ]; | |
152 | "olcDatabase={0}config" = { | |
153 | attrs = { | |
154 | objectClass = "olcDatabaseConfig"; | |
155 | olcDatabase = "{0}config"; | |
156 | olcAccess = ["{0}to * by * none"]; | |
157 | }; | |
158 | }; | |
159 | "olcDatabase={1}mdb" = { | |
160 | attrs = { | |
161 | objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; | |
162 | olcDatabase = "{1}mdb"; | |
163 | olcDbIndex = [ | |
164 | "objectClass eq" | |
165 | "uid pres,eq" | |
166 | "mail pres,eq,sub" | |
167 | "cn pres,eq,sub" | |
168 | "sn pres,eq,sub" | |
169 | "dc eq" | |
170 | "member eq" | |
171 | "memberOf eq" | |
172 | ]; | |
173 | olcAccess = let | |
174 | join = builtins.replaceStrings ["\n"] [" "]; | |
175 | in [ | |
176 | # First matching "to" + "by" wins | |
177 | #### Replication needs full access | |
178 | (join ''{0}to * | |
179 | by dn.base="uid=ldap_replication,cn=ldap,ou=services,dc=immae,dc=eu" read | |
180 | by * break | |
181 | '') | |
182 | #### Prevent modification of SASL passwords | |
183 | (join ''{1}to attrs=userPassword val.regex="^.SASL..+" | |
184 | by self read | |
185 | by anonymous auth | |
186 | by * none | |
187 | '') | |
188 | #### Oneself needs access to users password | |
189 | (join ''{2}to attrs=userPassword,shadowLastChange | |
190 | by self write | |
191 | by anonymous auth | |
192 | by * none | |
193 | '') | |
194 | #### Should be write, but disabled during migration to psql | |
195 | (join ''{3}to attrs=immaeSshKey | |
196 | by self read | |
197 | by * break | |
198 | '') | |
199 | ||
200 | #### Anyone can auth, and I can see myself | |
201 | (join ''{4}to * | |
202 | by self read | |
203 | by anonymous auth | |
204 | by * break | |
205 | '') | |
206 | ||
207 | #### Specific access for phpldapadmin | |
208 | (join ''{5}to filter="(uid=*)" attrs=entry,uid | |
209 | by dn.base="cn=phpldapadmin,ou=services,dc=immae,dc=eu" read | |
210 | by * break | |
211 | '') | |
212 | ||
213 | #### Hosts | |
214 | # The attributes are available to every host | |
215 | (join ''{6}to dn.one="ou=hosts,dc=immae,dc=eu" | |
216 | by dn.subtree="ou=hosts,dc=immae,dc=eu" read | |
217 | by dn.base="dc=immae,dc=eu" search | |
218 | by * break | |
219 | '') | |
220 | #### /Hosts | |
221 | ||
222 | #### Local services | |
223 | # this/-* & user : all your ancestors have access to you | |
224 | # this/memberOf/-* & user : all those whom you belong to (in a group), | |
225 | # and their ancestors, have access to you | |
226 | # user/immaeAccessWriteDn*/member & this : you have write access to the | |
227 | # members of your immaeAccessDn | |
228 | # attributes | |
229 | # user/immaeAccessDn*/member & this : you have access to the members | |
230 | # of your immaeAccessDn attributes | |
231 | # user/immaeAccessReadSubtree* & this/-* : you have access to the | |
232 | # childrens of your immaeAccessReadSubtree | |
233 | # attributes | |
234 | # this/memberOf/-* & user/immaeAccessReadSubtree*: you have access to | |
235 | # the members of the childrens of your | |
236 | # immaeAccessReadSubtree attributes | |
237 | # http://www.openldap.org/faq/data/cache/1133.html | |
238 | (join ''{7}to dn.subtree="dc=immae,dc=eu" | |
239 | by dn.subtree="ou=external_services,dc=immae,dc=eu" break | |
240 | by set.exact="this/-* & user" read | |
241 | by set.exact="this/memberOf/-* & user" read | |
242 | by set.exact="user/immaeAccessWriteDn*/member & this" write | |
243 | by set.exact="user/immaeAccessDn*/member & this" read | |
244 | by set.exact="user/immaeAccessReadSubtree* & this/-*" read | |
245 | by set.exact="this/memberOf/-* & user/immaeAccessReadSubtree*" read | |
246 | by users search | |
247 | by * break | |
248 | '') | |
249 | #### /Local services | |
250 | ||
251 | #### External services | |
252 | # http://www.openldap.org/faq/data/cache/429.html | |
253 | # FIXME: Find a way to whitelist? | |
254 | (join ''{8}to attrs=immaeSshKey | |
255 | by dn.subtree="ou=external_services,dc=immae,dc=eu" none | |
256 | '') | |
257 | (join ''{9}to dn.subtree="dc=immae,dc=eu" | |
258 | by set.exact="this/-* & user" read | |
259 | by set.exact="this/memberOf/-* & user" read | |
260 | by set.exact="user/immaeAccessDn*/member & this/-*" read | |
261 | by users search | |
262 | by * none | |
263 | '') | |
264 | #### /External services | |
265 | ]; | |
266 | olcDbDirectory = cfg.dataDir; | |
267 | olcRootDN = cfg.rootDn; | |
268 | olcRootPW.path = config.secrets.fullPaths."ldap/password"; | |
269 | olcSuffix = cfg.baseDn; | |
270 | }; | |
271 | children = { | |
272 | "olcOverlay={0}memberof" = { | |
273 | attrs = { | |
274 | objectClass = [ "olcOverlayConfig" "olcMemberOf" ]; | |
275 | olcOverlay = "{0}memberof"; | |
276 | }; | |
277 | }; | |
278 | "olcOverlay={1}syncprov" = { | |
279 | attrs = { | |
280 | objectClass = [ "olcOverlayConfig" "olcSyncProvConfig" ]; | |
281 | olcOverlay = "{1}syncprov"; | |
282 | olcSpCheckpoint = "100 10"; | |
283 | }; | |
284 | }; | |
285 | }; | |
286 | }; | |
287 | }; | |
288 | }; | |
289 | }; | |
290 | myServices.monitoring.fromMasterActivatedPlugins = [ "tcp" ]; | |
291 | myServices.monitoring.fromMasterObjects.service = [ | |
292 | { | |
293 | service_description = "ldap SSL is up to date"; | |
294 | host_name = config.hostEnv.fqdn; | |
295 | use = "external-service"; | |
296 | check_command = ["check_tcp_ssl" "636"]; | |
297 | ||
298 | servicegroups = "webstatus-ssl"; | |
299 | _webstatus_name = "LDAP"; | |
300 | _webstatus_url = "ldap.immae.eu"; | |
301 | } | |
302 | ]; | |
303 | }; | |
304 | } |