X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fdatabases%2Fopenldap.nix;fp=nixops%2Fmodules%2Fdatabases%2Fopenldap.nix;h=0000000000000000000000000000000000000000;hb=182ae57f53731be220075bc87aff4d47a35563b8;hp=ff97fb3ac4a78758bf7d6f49e45e7dfbe97ef75f;hpb=6c97d2d715620a1cdc3b8a785174590ec0dafb98;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/nixops/modules/databases/openldap.nix b/nixops/modules/databases/openldap.nix
deleted file mode 100644
index ff97fb3..0000000
--- a/nixops/modules/databases/openldap.nix
+++ /dev/null
@@ -1,104 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
- cfg = config.services.myDatabases;
- ldapConfig = let
- kerberosSchema = pkgs.fetchurl {
- url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
- sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
- };
- puppetSchema = pkgs.fetchurl {
- url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
- sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
- };
- in ''
- include ${pkgs.openldap}/etc/schema/core.schema
- include ${pkgs.openldap}/etc/schema/cosine.schema
- include ${pkgs.openldap}/etc/schema/inetorgperson.schema
- include ${pkgs.openldap}/etc/schema/nis.schema
- include ${puppetSchema}
- include ${kerberosSchema}
- include ${./immae.schema}
-
- pidfile /run/slapd/slapd.pid
- argsfile /run/slapd/slapd.args
-
- moduleload back_hdb
- backend hdb
-
- moduleload memberof
- database hdb
- suffix "${myconfig.env.ldap.base}"
- rootdn "${myconfig.env.ldap.root_dn}"
- include /var/secrets/ldap/password
- directory /var/lib/openldap
- overlay memberof
-
- TLSCertificateFile /var/lib/acme/ldap/cert.pem
- TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
- TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem
- TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
- #This makes openldap crash
- #TLSCipherSuite DEFAULT
-
- sasl-host kerberos.immae.eu
- include /var/secrets/ldap/access
- '';
-in {
- options.services.myDatabases = {
- ldap = {
- enable = lib.mkOption {
- default = cfg.enable;
- example = true;
- description = "Whether to enable ldap";
- type = lib.types.bool;
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- secrets.keys = [
- {
- dest = "ldap/password";
- permissions = "0400";
- user = "openldap";
- group = "openldap";
- text = "rootpw ${myconfig.env.ldap.root_pw}";
- }
- {
- dest = "ldap/access ";
- permissions = "0400";
- user = "openldap";
- group = "openldap";
- text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
- }
- ];
- users.users.openldap.extraGroups = [ "keys" ];
- networking.firewall.allowedTCPPorts = [ 636 389 ];
-
- services.cron = {
- systemCronJobs = [
- ''
- 35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l /var/lib/openldap/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
- ''
- ];
- };
-
- security.acme.certs."ldap" = config.services.myCertificates.certConfig // {
- user = "openldap";
- group = "openldap";
- plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
- domain = "ldap.immae.eu";
- postRun = ''
- systemctl restart openldap.service
- '';
- };
-
- services.openldap = {
- enable = config.services.myDatabases.ldap.enable;
- dataDir = "/var/lib/openldap";
- urlList = [ "ldap://" "ldaps://" ];
- extraConfig = ldapConfig;
- };
- };
-}
-