X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fdatabases%2Fopenldap%2Fdefault.nix;h=22f6f7b3de3b8b5d9223b6034b3a203c32cc6a1d;hb=16b80abd57bb215d0e72f3983f997a007743b8fb;hp=46f85d26f0ca6f1da3358690ee5eee78334e97cb;hpb=9ade8f6eb774dc7d19d82a070199b5024786b819;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix
index 46f85d2..22f6f7b 100644
--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -1,23 +1,10 @@
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
 let
 cfg = config.myServices.databases.openldap;
 ldapConfig = let
- kerberosSchema = pkgs.fetchurl {
- url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
- sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
- };
- puppetSchema = pkgs.fetchurl {
- url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
- sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
- };
+ eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {};
 in ''
- include ${pkgs.openldap}/etc/schema/core.schema
- include ${pkgs.openldap}/etc/schema/cosine.schema
- include ${pkgs.openldap}/etc/schema/inetorgperson.schema
- include ${pkgs.openldap}/etc/schema/nis.schema
- include ${puppetSchema}
- include ${kerberosSchema}
- include ${./immae.schema}
+ ${eldiron_schemas}
 pidfile ${cfg.pids.pid}
 argsfile ${cfg.pids.args}
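Review bot: `${eldiron_schemas}` is interpolated directly into the slapd.conf text; if ./eldiron_schemas.nix evaluates to a derivation rather than a string, the interpolation yields only its store path and the generated config line is a bare path instead of the seven `include` directives it replaces. If it does return the include text, a one-line comment at the binding would make that explicit, e.g. `# eldiron_schemas.nix evaluates to the 'include …' lines that used to be listed here`. The `ldapConfig = let … in ''…''` block starts inside the hunk but its string continues past it.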
@@ -27,12 +14,16 @@ let
 moduleload memberof
 database hdb
- suffix "${myconfig.env.ldap.base}"
- rootdn "${myconfig.env.ldap.root_dn}"
+ suffix "${cfg.baseDn}"
+ rootdn "${cfg.rootDn}"
 include ${config.secrets.location}/ldap/password
 directory ${cfg.dataDir}
 overlay memberof
+ moduleload syncprov
+ overlay syncprov
+ syncprov-checkpoint 100 10
+
 TLSCertificateFile ${config.security.acme.directory}/ldap/cert.pem
 TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem
 TLSCACertificateFile ${config.security.acme.directory}/ldap/fullchain.pem
@@ -48,11 +39,35 @@ in
 options.myServices.databases = {
 openldap = {
 enable = lib.mkOption {
- default = cfg.enable;
+ default = false;
 example = true;
 description = "Whether to enable ldap";
 type = lib.types.bool;
 };
+ baseDn = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ Base DN for LDAP
+ '';
+ };
+ rootDn = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ Root DN
+ '';
+ };
+ rootPw = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ Root (Hashed) password
+ '';
+ };
+ accessFile = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ The file path that defines the access
+ '';
+ };
 dataDir = lib.mkOption {
 type = lib.types.path;
 default = "/var/lib/openldap";
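Review bot: The syncprov overlay is switched on with no visible restriction on who may issue sync requests; a consumer bound as any identity permitted to read the suffix receives the whole subtree, so the rules in the access file deployed as ldap/access further down need an explicit entry for the replication identity rather than relying on whatever read access already exists. The directives also carry no explanation of the checkpoint parameters; I would add above `moduleload syncprov` the lines `# syncprov: serves the full tree to any reader allowed by the access file — grant the replica identity explicitly` and `# checkpoint contextCSN after 100 write ops or 10 minutes`. The ldapConfig string this hunk sits in starts and ends outside the hunk.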
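Review bot: The `rootPw` description "Root (Hashed) password" does not say which format is expected, while the value is emitted verbatim as `rootpw ${cfg.rootPw}` in the secrets block later in the file, where slapd accepts cleartext as well as `{SCHEME}` hashes, so a cleartext value would silently work. I would make the description `Root password in hashed form (a {SCHEME}… string as produced by slappasswd); written verbatim after rootpw in slapd.conf`. Likewise `accessFile`'s text could state that the file's contents are copied to ldap/access as the slapd access directives. The `options.myServices.databases` attrset continues past the hunk.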
@@ -89,27 +104,19 @@ in
 permissions = "0400";
 user = "openldap";
 group = "openldap";
- text = "rootpw ${myconfig.env.ldap.root_pw}";
+ text = "rootpw ${cfg.rootPw}";
 }
 {
- dest = "ldap/access ";
+ dest = "ldap/access";
 permissions = "0400";
 user = "openldap";
 group = "openldap";
- text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
+ text = builtins.readFile "${cfg.accessFile}";
 }
 ];
 users.users.openldap.extraGroups = [ "keys" ];
 networking.firewall.allowedTCPPorts = [ 636 389 ];
- services.cron = {
- systemCronJobs = [
- ''
- 35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
- ''
- ];
- };
-
 security.acme.certs."ldap" = config.myServices.databasesCerts // {
 user = "openldap";
 group = "openldap";
@@ -120,6 +127,11 @@ in
 '';
 };
+ services.filesWatcher.openldap = {
+ restart = true;
+ paths = [ "${config.secrets.location}/ldap/" ];
+ };
+
 services.openldap = {
 enable = true;
 dataDir = cfg.dataDir;
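Review bot: `builtins.readFile "${cfg.accessFile}"` interpolates a path-typed option into a string, and when the option is set to a path literal that interpolation copies the file into the Nix store before it is read, so the access rules end up world-readable under the store regardless of the 0400 applied to the deployed ldap/access copy; `text = builtins.readFile cfg.accessFile;` reads the file without that copy (a plain string value would not be copied either way). Separately, the removed cron job was the only periodic `slapcat` dump visible here and nothing in this diff replaces it; if it moved elsewhere a sentence in the commit message would help, and if it was dropped in favour of the new syncprov overlay, note that replication does not give the point-in-time backup the dump did. The secrets list and the enclosing config attrset both begin outside the hunk.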