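{ pkgs, config, lib, ... }:
let
  cfg = config.myServices.databasesReplication.openldap;
  eldiron_schemas = pkgs.callPackage ./openldap/eldiron_schemas.nix {};

  # Runtime directory of the replica instance `name`: pid/args files and the
  # local ldapi socket live here (created and chowned in the service preStart).
  runDir = name: "/run/slapd_${name}";

  # ldapi:// listener URL for that socket. Slashes in the socket path have to
  # be percent-encoded inside an ldapi URL.
  ldapiUrl = name: "ldapi://%2Frun%2Fslapd_${name}%2Fldapi";

  # slapd.conf for one consumer instance. The file is written to the Nix
  # store (world-readable), so it must never contain the bind password: the
  # syncrepl stanza holding the credentials is `include`d from a secrets path.
  ldapConfig = hcfg: name: pkgs.writeText "slapd.conf" ''
    include ${hcfg.package}/etc/schema/core.schema
    include ${hcfg.package}/etc/schema/cosine.schema
    include ${hcfg.package}/etc/schema/inetorgperson.schema
    include ${hcfg.package}/etc/schema/nis.schema
    ${eldiron_schemas}
    pidfile ${runDir name}/slapd.pid
    argsfile ${runDir name}/slapd.args

    # NOTE(review): back_hdb only exists in the OpenLDAP 2.4 series; hcfg.package
    # must provide it (defaults to pkgs.openldap) -- confirm for newer channels.
    moduleload back_hdb
    backend hdb
    database hdb

    suffix "${hcfg.base}"
    # Deliberately no rootpw: the syncrepl engine applies replicated changes
    # under the rootdn identity, and nothing should be able to bind as it.
    rootdn "cn=root,${hcfg.base}"
    directory ${cfg.base}/${name}/openldap

    index objectClass eq
    index uid pres,eq
    index entryUUID eq

    # This instance only exists to be dumped by slapcat, which reads the
    # database files directly, so no client needs LDAP access to it. Without
    # an explicit rule slapd's default policy is "access to * by * read",
    # which would expose every replicated attribute (attrs="*,+" below) to
    # whoever can reach the listener.
    access to * by * none

    include ${config.secrets.fullPaths."openldap_replication/${name}/replication_config"}
  '';
in
{
  options.myServices.databasesReplication.openldap = {
    enable = lib.mkEnableOption "Enable openldap replication";
    base = lib.mkOption {
      type = lib.types.path;
      description = ''
        Base path to put the replications
      '';
    };
    hosts = lib.mkOption {
      default = {};
      description = ''
        Hosts to backup: one local syncrepl consumer instance is run per entry
        and dumped periodically with slapcat.
      '';
      type = lib.types.attrsOf (lib.types.submodule {
        options = {
          package = lib.mkOption {
            type = lib.types.package;
            default = pkgs.openldap;
            description = ''
              Openldap package for this host (provides slapd, slapcat and the
              schema files included in the generated slapd.conf)
            '';
          };
          url = lib.mkOption {
            type = lib.types.str;
            description = ''
              Provider URL to connect to. The consumer binds with
              bindmethod=simple, so the password travels in clear unless this
              is an ldaps:// URL (or the provider is otherwise TLS-protected).
            '';
          };
          base = lib.mkOption {
            type = lib.types.str;
            description = ''
              Base DN to replicate
            '';
          };
          dn = lib.mkOption {
            type = lib.types.str;
            description = ''
              DN to bind as on the provider
            '';
          };
          password = lib.mkOption {
            type = lib.types.str;
            description = ''
              Password of the bind DN. It is written only to the secrets files
              (0400, owned by openldap), never to the Nix store.
            '';
          };
        };
      });
    };
  };

  config = lib.mkIf cfg.enable {
    users.users.openldap = {
      description = "Openldap database user";
      group = "openldap";
      uid = config.ids.uids.openldap;
      # "keys" grants access to the deployed secrets files.
      extraGroups = [ "keys" ];
    };
    users.groups.openldap.gid = config.ids.gids.openldap;

    secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [
      # The complete syncrepl stanza, included from slapd.conf; this is the
      # only place the provider password appears on disk for slapd.
      (lib.nameValuePair "openldap_replication/${name}/replication_config" {
        user = "openldap";
        group = "openldap";
        permissions = "0400";
        text = ''
          syncrepl rid=000
            provider=${hcfg.url}
            type=refreshAndPersist
            searchbase="${hcfg.base}"
            retry="5 10 300 +"
            attrs="*,+"
            schemachecking=off
            bindmethod=simple
            binddn="${hcfg.dn}"
            credentials="${hcfg.password}"
        '';
      })
      # Bare password file. Nothing in this module reads it; kept because other
      # modules may reference it through config.secrets.fullPaths -- verify
      # before dropping it.
      (lib.nameValuePair "openldap_replication/${name}/replication_password" {
        user = "openldap";
        group = "openldap";
        permissions = "0400";
        text = hcfg.password;
      })
    ]) cfg.hosts));

    services.cron = {
      enable = true;
      systemCronJobs = lib.flatten (lib.mapAttrsToList (name: hcfg:
        let
          backupDir = "${cfg.base}/${name}/openldap_backup";
          # slapcat reads the hdb files directly (same slapd.conf as the
          # running instance), so the dump does not go through the listener.
          backup_script = pkgs.writeScript "backup_openldap_${name}" ''
            #!${pkgs.stdenv.shell}

            # Dumps contain every replicated attribute; keep them root-only
            # even inside the 0700 backup directory.
            umask 077
            ${hcfg.package}/bin/slapcat -b "${hcfg.base}" -f ${ldapConfig hcfg name} -l ${backupDir}/$(${pkgs.coreutils}/bin/date -Iminutes).ldif
          '';
          u = pkgs.callPackage ./utils.nix {};
          cleanup_script = pkgs.writeScript "cleanup_openldap_${name}" (u.exponentialDumps "ldif" backupDir);
        in [
          "0 22,4,10,16 * * * root ${backup_script}"
          "0 3 * * * root ${cleanup_script}"
        ]) cfg.hosts);
    };

    system.activationScripts = lib.attrsets.mapAttrs' (name: hcfg:
      lib.attrsets.nameValuePair "openldap_replication_${name}" {
        deps = [ "users" "groups" ];
        text = ''
          install -m 0700 -o openldap -g openldap -d ${cfg.base}/${name}/openldap
          install -m 0700 -o openldap -g openldap -d ${cfg.base}/${name}/openldap_backup
        '';
      }) cfg.hosts;

    systemd.services = lib.attrsets.mapAttrs' (name: hcfg:
      let
        dataDir = "${cfg.base}/${name}/openldap";
      in
      lib.attrsets.nameValuePair "openldap_backup_${name}" {
        description = "Openldap replication for ${name}";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        unitConfig.RequiresMountsFor = dataDir;

        preStart = ''
          mkdir -p ${runDir name}
          chown -R "openldap:openldap" ${runDir name}
        '';

        serviceConfig = {
          # -d 0 keeps slapd in the foreground for systemd.
          # -h restricts the instance to a per-name unix socket: without it
          # slapd defaults to ldap:/// on all interfaces, which would both
          # expose the replica on :389 and make a second host's instance fail
          # to start on the busy port.
          ExecStart = "${hcfg.package}/libexec/slapd -d 0 -u openldap -g openldap -h ${ldapiUrl name} -f ${ldapConfig hcfg name}";
        };
      }) cfg.hosts;
  };
}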