chmod go-rwx /var/lib/nixos/sponsored_users
echo "$mygroup $1 $2" >> /var/lib/nixos/sponsored_users
(${pkgs.openldap}/bin/ldapadd -c -D cn=root,dc=salle-s,dc=org \
- -y /var/secrets/ldap/sync_password 2>/dev/null >/dev/null || true) <<EOF
+ -y ${config.secrets.fullPaths."ldap/sync_password"} 2>/dev/null >/dev/null || true) <<EOF
dn: uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org
objectClass: inetOrgPerson
cn: $1
userdel -r "$1"
sed -i -e "/^$mygroup $1/d" /var/lib/nixos/sponsored_users
${pkgs.openldap}/bin/ldapdelete -D cn=root,dc=salle-s,dc=org \
- -y /var/secrets/ldap/sync_password \
+ -y ${config.secrets.fullPaths."ldap/sync_password"} \
"uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org"
echo "deleted"
exit 0
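Review bot: The `sed -i -e "/^$mygroup $1/d"` line after `userdel -r` removes every sponsored_users entry whose name merely starts with `$1` (deleting `bob` also drops the line for `bobby`) because the pattern has no terminator, and `$1` is interpolated as a regex, so a `/` or `.` in the name changes or breaks the expression; whether `$1` is validated before this point is not visible in the hunk. Given the `group user extra` line format this file is written with, anchoring on the field separator fixes the prefix match, `sed -i -e "/^$mygroup $1 /d" /var/lib/nixos/sponsored_users`, or, to avoid regex interpretation entirely, filter with `awk -v g="$mygroup" -v u="$1" '$1 != g || $2 != u'` into a temp file created with the same restrictive mode and move it over. Separately, the local account is already gone when `ldapdelete` runs and its exit status is ignored before `echo "deleted"` / `exit 0`, so a failed bind (for example the relocated sync_password file being unreadable by the invoking user) leaves an orphaned LDAP entry that is reported as deleted; `"uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org" || { echo "ldap delete failed" >&2; exit 1; }` would surface it. The enclosing function or case branch starts before the hunk.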
if [ "$1" = "$mygroup" ]; then
log "resets web password"
${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \
- -y /var/secrets/ldap/sync_password \
+ -y ${config.secrets.fullPaths."ldap/sync_password"} \
-S "uid=$mygroup,ou=users,dc=salle-s,dc=org"
else
IFS=",";
if [ "$u" = "$1" ]; then
log "resets web password of $1"
${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \
- -y /var/secrets/ldap/sync_password \
+ -y ${config.secrets.fullPaths."ldap/sync_password"} \
-S "uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org"
exit 0
fi
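Review bot: Both `ldappasswd` calls in this hunk ignore their exit status, so `log "resets web password of $1"` is recorded and `exit 0` runs even when the bind with the relocated sync_password file fails or `-S` does not complete, and the caller is left believing the web password changed. Append a failure branch to each, e.g. `-S "uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org" || { log "web password reset for $1 failed"; exit 1; }`, and the equivalent for the `$mygroup` branch. Also, `IFS=","` is set at the top of the else branch and is not restored anywhere visible, so any later command in this script that relies on default word splitting inherits it; prefer scoping it to the loop (`IFS=, read -r …` or `while IFS=, read -r …`). The `if` opened at the top of the hunk closes outside it, and the loop that binds `$u` begins before it.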
deps = [ "secrets" "users" ];
text =
let
- com = "-D cn=root,dc=salle-s,dc=org -y /var/secrets/ldap/sync_password";
+ com = "-D cn=root,dc=salle-s,dc=org -y ${config.secrets.fullPaths."ldap/sync_password"}";
in ''
# Add users
- ${pkgs.openldap}/bin/ldapadd -c ${com} -f /var/secrets/ldap/ldaptree.ldif 2>/dev/null >/dev/null || true
+ ${pkgs.openldap}/bin/ldapadd -c ${com} -f ${config.secrets.fullPaths."ldap/ldaptree.ldif"} 2>/dev/null >/dev/null || true
# Remove obsolete users
${pkgs.openldap}/bin/ldapsearch -LLL ${com} -s one -b "ou=users,dc=salle-s,dc=org" "uid" |\
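Review bot: The `ldapadd -c … 2>/dev/null >/dev/null || true` line discards every diagnostic, so after this commit a missing or unreadable `config.secrets.fullPaths."ldap/sync_password"` or `ldaptree.ldif` (both now declared 0400) makes the bind fail silently, and the "Remove obsolete users" step that follows runs with the same credentials and gets no signal that the add step never populated the tree. `-c` and `|| true` are reasonable because re-adding existing entries is expected on every activation, but the exit status should be surfaced rather than swallowed, e.g. `… -f ${config.secrets.fullPaths."ldap/ldaptree.ldif"} >/dev/null 2>&1 || echo "ldapadd exited with status $? (already-existing entries are expected)" >&2`. It may also be worth testing `[ -r ${config.secrets.fullPaths."ldap/sync_password"} ]` up front and aborting before the removal step if the bind credentials are unavailable. The `ldapsearch` pipeline on the last line of the hunk continues outside it.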
'';
};
- secrets.keys = [
- {
- dest = "ldap/sync_password";
+ secrets.keys = {
+ "ldap/sync_password" = {
permissions = "0400";
text = serverSpecificConfig.ldap_sync_password;
- }
- {
- dest = "ldap/ldaptree.ldif";
+ };
+ "ldap/ldaptree.ldif" = {
permissions = "0400";
text = serverSpecificConfig.ldap_service_users
+ (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
sn: ${n}
uid: ${n}
'') normalUsers));
- }
- ];
+ };
+ };
myServices.monitoring.enable = true;
myServices.certificates.enable = true;