{ lib, pkgs, config, ... }:

# NixOS module for the site's OpenLDAP (slapd) instance: declares the
# myServices.databases.openldap options and, when enabled, wires the secret
# files, the ACME certificate, the firewall and services.openldap together.
let
  inherit (lib) mkOption mkIf types;

  cfg = config.myServices.databases.openldap;

  # Directory the ACME module populates for the "ldap" certificate.
  certDir = config.security.acme.certs.ldap.directory;

  # Every file handed to the secrets module below is owned by the slapd user.
  ldapOwner = { user = "openldap"; group = "openldap"; };

  # Site-specific schema definitions, rendered by ./eldiron_schemas.nix.
  eldironSchemas = pkgs.callPackage ./eldiron_schemas.nix {};

  # Global slapd.conf fragment (services.openldap.extraConfig).
  # TLS: certificate, key and chain come from ACME; the CA path is the
  # unbundled system store.  No TLSCipherSuite / TLSProtocolMin is set (the
  # commented-out line inside the string crashed slapd), so the defaults of
  # the OpenLDAP build in use decide which protocols and ciphers ldaps://
  # accepts — NOTE(review): confirm those defaults are acceptable.
  # Backend: back_hdb, the BDB-based backend upstream has deprecated in favour
  # of back_mdb — NOTE(review): confirm the pinned openldap still ships it.
  ldapConfig = ''
    ${eldironSchemas}

    pidfile ${cfg.pids.pid}
    argsfile ${cfg.pids.args}

    moduleload back_hdb
    backend hdb

    TLSCertificateFile ${certDir}/cert.pem
    TLSCertificateKeyFile ${certDir}/key.pem
    TLSCACertificateFile ${certDir}/fullchain.pem
    TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
    #This makes openldap crash
    #TLSCipherSuite DEFAULT

    sasl-host kerberos.immae.eu
  '';

  # Per-database slapd.conf fragment (services.openldap.extraDatabaseConfig):
  # the memberof overlay, syncprov as replication provider (contextCSN
  # checkpointed every 100 write operations or 10 minutes), and the ACL file
  # that the secrets module installs from cfg.accessFile.
  databaseConfig = ''
    moduleload memberof
    overlay memberof

    moduleload syncprov
    overlay syncprov
    syncprov-checkpoint 100 10

    include ${config.secrets.fullPaths."ldap/access"}
  '';
in
{
  options.myServices.databases.openldap = {
    enable = mkOption {
      default = false;
      example = true;
      description = "Whether to enable ldap";
      type = types.bool;
    };
    baseDn = mkOption {
      type = types.str;
      description = ''
        Base DN for LDAP
      '';
    };
    rootDn = mkOption {
      type = types.str;
      description = ''
        Root DN
      '';
    };
    # Documented as an already-hashed value; it is written verbatim into the
    # "rootpw" line of the ldap/password secret file.
    rootPw = mkOption {
      type = types.str;
      description = ''
        Root (Hashed) password
      '';
    };
    # Read with builtins.readFile at evaluation time and re-emitted as the
    # ldap/access secret, which the database config then "include"s.
    accessFile = mkOption {
      type = types.path;
      description = ''
        The file path that defines the access
      '';
    };
    dataDir = mkOption {
      type = types.path;
      default = "/var/lib/openldap";
      description = ''
        The directory where Openldap stores its data.
      '';
    };
    socketsDir = mkOption {
      type = types.path;
      default = "/run/slapd";
      description = ''
        The directory where Openldap puts sockets and pid files.
      '';
    };
    # Output variables: derived from socketsDir, read-only for other modules.
    pids = mkOption {
      type = types.attrsOf types.path;
      default = {
        pid = "${cfg.socketsDir}/slapd.pid";
        args = "${cfg.socketsDir}/slapd.args";
      };
      readOnly = true;
      description = ''
        Slapd pid files
      '';
    };
  };

  config = mkIf cfg.enable {
    # Files provisioned by the site's secrets module; their installed
    # locations are read back through config.secrets.fullPaths.
    secrets.keys = {
      "ldap/password" = ldapOwner // {
        permissions = "0400";
        text = "rootpw ${cfg.rootPw}";
      };
      "ldap/access" = ldapOwner // {
        permissions = "0400";
        text = builtins.readFile cfg.accessFile;
      };
      "ldap" = ldapOwner // {
        permissions = "0500";
        isDir = true;
      };
    };

    # Presumably what lets the slapd user reach the installed secret files;
    # the secrets module itself is not visible here.
    users.users.openldap.extraGroups = [ "keys" ];

    # Both plain ldap:// (389) and ldaps:// (636) are exposed.  Nothing in
    # this module requires StartTLS or a minimum SSF on 389, so cleartext
    # binds there are only refused if the access file or the clients insist
    # on it — NOTE(review): confirm that is intended.
    networking.firewall.allowedTCPPorts = [ 636 389 ];

    # Certificate for ldap.immae.eu on top of the shared
    # myServices.databasesCerts settings; slapd only picks up a renewed
    # certificate through the restart in postRun.
    security.acme.certs."ldap" = config.myServices.databasesCerts // ldapOwner // {
      domain = "ldap.immae.eu";
      postRun = ''
        systemctl restart openldap.service
      '';
    };

    # Restart slapd whenever the installed secrets directory changes.
    services.filesWatcher.openldap = {
      restart = true;
      paths = [ config.secrets.fullPaths."ldap" ];
    };

    services.openldap = {
      enable = true;
      inherit (cfg) dataDir;
      urlList = [ "ldap://" "ldaps://" ];
      # No slapd logging at all: this drops the connection/bind/operation
      # trail that the "stats" level would give detection and incident
      # response.
      logLevel = "none";
      extraConfig = ldapConfig;
      extraDatabaseConfig = databaseConfig;
      rootpwFile = config.secrets.fullPaths."ldap/password";
      suffix = cfg.baseDn;
      rootdn = cfg.rootDn;
      database = "hdb";
    };
  };
}