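# NixOS module for this host's OpenLDAP (slapd) server.
#
# It renders a complete slapd.conf from the options declared below, ships the
# root password and the ACL file as secrets outside the generated config,
# requests an ACME certificate for the listener, restarts slapd when the secret
# files change, and schedules a periodic LDIF dump of the database.
{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.databases.openldap;

  # Text of slapd.conf. The two extra schemas are fetched from upstream
  # "master" URLs but pinned by sha256, so an upstream change fails the build
  # instead of silently altering the loaded schema.
  ldapConfig = let
    kerberosSchema = pkgs.fetchurl {
      url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
      sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
    };
    puppetSchema = pkgs.fetchurl {
      url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
      sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
    };
  # The rootpw line and the ACL rules are not interpolated here: they are
  # `include`d from ${config.secrets.location} (see `secrets.keys` below), so
  # the store-resident slapd.conf itself carries neither.
  # NOTE(review): no `security ssf=` directive is set and plain ldap:// is
  # exposed on port 389 below, so refusing cleartext binds (if that is wanted)
  # is left entirely to the ACL file.
  in ''
    include ${pkgs.openldap}/etc/schema/core.schema
    include ${pkgs.openldap}/etc/schema/cosine.schema
    include ${pkgs.openldap}/etc/schema/inetorgperson.schema
    include ${pkgs.openldap}/etc/schema/nis.schema
    include ${puppetSchema}
    include ${kerberosSchema}
    include ${./immae.schema}

    pidfile ${cfg.pids.pid}
    argsfile ${cfg.pids.args}

    moduleload back_hdb
    backend hdb

    moduleload memberof
    database hdb
    suffix "${cfg.baseDn}"
    rootdn "${cfg.rootDn}"
    include ${config.secrets.location}/ldap/password
    directory ${cfg.dataDir}
    overlay memberof

    TLSCertificateFile ${config.security.acme.directory}/ldap/cert.pem
    TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem
    TLSCACertificateFile ${config.security.acme.directory}/ldap/fullchain.pem
    TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
    #This makes openldap crash
    #TLSCipherSuite DEFAULT

    sasl-host kerberos.immae.eu
    include ${config.secrets.location}/ldap/access
  '';
in
{
  options.myServices.databases = {
    openldap = {
      enable = lib.mkOption {
        default = false;
        example = true;
        description = "Whether to enable ldap";
        type = lib.types.bool;
      };
      baseDn = lib.mkOption {
        type = lib.types.str;
        description = ''
          Base DN for LDAP
        '';
      };
      rootDn = lib.mkOption {
        type = lib.types.str;
        description = ''
          Root DN
        '';
      };
      # Written verbatim after `rootpw` into the secret file, so it must
      # already be in a form slapd accepts on that line (a hash, per the
      # description) — it is never hashed here.
      rootPw = lib.mkOption {
        type = lib.types.str;
        description = ''
          Root (Hashed) password
        '';
      };
      accessFile = lib.mkOption {
        type = lib.types.path;
        description = ''
          The file path that defines the access
        '';
      };
      dataDir = lib.mkOption {
        type = lib.types.path;
        default = "/var/lib/openldap";
        description = ''
          The directory where Openldap stores its data.
        '';
      };
      socketsDir = lib.mkOption {
        type = lib.types.path;
        default = "/run/slapd";
        description = ''
          The directory where Openldap puts sockets and pid files.
        '';
      };
      # Output variables: derived from socketsDir, not meant to be set.
      pids = lib.mkOption {
        type = lib.types.attrsOf lib.types.path;
        default = {
          pid = "${cfg.socketsDir}/slapd.pid";
          args = "${cfg.socketsDir}/slapd.args";
        };
        readOnly = true;
        description = ''
          Slapd pid files
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Both files are readable by the openldap user only (0400) and are the
    # targets of the two `include` lines in ldapConfig.
    secrets.keys = [
      {
        dest = "ldap/password";
        permissions = "0400";
        user = "openldap";
        group = "openldap";
        text = "rootpw ${cfg.rootPw}";
      }
      {
        dest = "ldap/access";
        permissions = "0400";
        user = "openldap";
        group = "openldap";
        # NOTE(review): if accessFile is given as a path literal, the string
        # interpolation copies it into the (world-readable) Nix store before it
        # is read; pass a string path instead if the ACL contents are sensitive.
        text = builtins.readFile "${cfg.accessFile}";
      }
    ];
    users.users.openldap.extraGroups = [ "keys" ];
    networking.firewall.allowedTCPPorts = [ 636 389 ];

    services.cron = {
      systemCronJobs = [
        # Twice-daily LDIF dump of the configured suffix, taken from the same
        # rendered slapd.conf the daemon uses. The `grep -v` drops slapcat's
        # per-entry "# id=..." progress lines so cron only mails real output.
        # The suffix is taken from cfg.baseDn rather than hard-coded so the
        # backup always covers the database this module actually configures.
        # NOTE(review): the dump contains every attribute, userPassword hashes
        # included, and is written by root with root's default umask; consider
        # restricting the mode of backup.ldif.
        ''
          35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "${cfg.baseDn}" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
        ''
      ];
    };

    # Certificate material is owned by the openldap user so slapd can read the
    # key; slapd is restarted after each renewal to pick up the new files.
    security.acme.certs."ldap" = config.myServices.databasesCerts // {
      user = "openldap";
      group = "openldap";
      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
      domain = "ldap.immae.eu";
      postRun = ''
        systemctl restart openldap.service
      '';
    };

    # Restart slapd when either secret file under ldap/ is rewritten, since
    # both are only read at startup via `include`.
    services.filesWatcher.openldap = {
      restart = true;
      paths = [ "${config.secrets.location}/ldap/" ];
    };

    services.openldap = {
      enable = true;
      dataDir = cfg.dataDir;
      urlList = [ "ldap://" "ldaps://" ];
      extraConfig = ldapConfig;
    };
  };
}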