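# Pull replication (syncrepl consumer) of remote OpenLDAP directories: one local
# slapd instance per configured host, plus scheduled LDIF dumps of each replica.
# Enabled through `myServices.databasesReplication.openldap`.
{ pkgs, config, myconfig, lib, ... }:
let
  cfg = config.myServices.databasesReplication.openldap;
  # Schema definitions shared with the primary (see ./openldap/eldiron_schemas.nix).
  eldiron_schemas = pkgs.callPackage ./openldap/eldiron_schemas.nix {};
  # Backup-rotation helpers (exponentialDumps); evaluated once for every host
  # instead of once per host inside the cron loop.
  u = pkgs.callPackage ./utils.nix {};
  # slapd.conf for the replica of host `name`.  `pkgs.writeText` places this
  # file in the world-readable Nix store, so nothing secret is interpolated
  # here: the syncrepl stanza that carries the bind credentials is `include`d
  # at runtime from the secrets location instead.  The same file is reused by
  # slapcat for the backups.  No rootpw is declared, so the generated file
  # defines no local admin credential.
  # NOTE(review): back_hdb was dropped in OpenLDAP 2.5; a newer hcfg.package
  # will need back_mdb here — confirm against the package version in use.
  ldapConfig = hcfg: name: pkgs.writeText "slapd.conf" ''
    ${eldiron_schemas}
    pidfile /run/slapd_${name}/slapd.pid
    argsfile /run/slapd_${name}/slapd.args

    moduleload back_hdb
    backend hdb
    database hdb

    suffix "${hcfg.base}"
    rootdn "cn=root,${hcfg.base}"
    directory ${cfg.base}/${name}/openldap

    index objectClass eq
    index uid pres,eq
    index entryUUID eq

    include ${config.secrets.location}/openldap_replication/${name}/replication_config
  '';
in
{
  options.myServices.databasesReplication.openldap = {
    enable = lib.mkEnableOption "Enable openldap replication";
    base = lib.mkOption {
      type = lib.types.path;
      description = ''
        Base path to put the replications
      '';
    };
    hosts = lib.mkOption {
      default = {};
      description = ''
        Hosts to backup
      '';
      type = lib.types.attrsOf (lib.types.submodule {
        options = {
          package = lib.mkOption {
            type = lib.types.package;
            default = pkgs.openldap;
            description = ''
              Openldap package for this host
            '';
          };
          # Used verbatim as the syncrepl provider= URL; its scheme (ldap://
          # vs ldaps://) decides whether the simple bind below is encrypted.
          url = lib.mkOption {
            type = lib.types.str;
            description = ''
              Host to connect to
            '';
          };
          base = lib.mkOption {
            type = lib.types.str;
            description = ''
              Base DN to replicate
            '';
          };
          dn = lib.mkOption {
            type = lib.types.str;
            description = ''
              DN to use
            '';
          };
          # A plain string, so the value takes part in the Nix evaluation.
          # Within this module it is only written into the secrets files
          # below, never into a store path.
          password = lib.mkOption {
            type = lib.types.str;
            description = ''
              Password to use
            '';
          };
        };
      });
    };
  };

  config = lib.mkIf cfg.enable {
    users.users.openldap = {
      description = "Openldap database user";
      group = "openldap";
      uid = config.ids.uids.openldap;
      # Presumably what lets the user read the deployed secrets below —
      # confirm against the secrets module.
      extraGroups = [ "keys" ];
    };
    users.groups.openldap.gid = config.ids.gids.openldap;

    # Per-host secret files, deployed under config.secrets.location by the
    # (out-of-tree) secrets module and readable only by openldap (0400).
    # `replication_config` is the syncrepl stanza included from ldapConfig;
    # its continuation lines keep their extra leading whitespace, which
    # slapd.conf requires.  bindmethod=simple sends the password to the
    # provider on every (re)connect.  NOTE(review): whether that bind is
    # encrypted depends solely on hcfg.url — an ldap:// provider without a
    # starttls= option means a cleartext bind; prefer ldaps:// or add
    # `starttls=critical`.  schemachecking=off stores entries received from
    # the provider without local schema validation.  `replication_password`
    # is not consumed anywhere in this file; presumably read by other tooling.
    secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [
      {
        dest = "openldap_replication/${name}/replication_config";
        user = "openldap";
        group = "openldap";
        permissions = "0400";
        text = ''
          syncrepl rid=000
            provider=${hcfg.url}
            type=refreshAndPersist
            searchbase="${hcfg.base}"
            retry="5 10 300 +"
            attrs="*,+"
            schemachecking=off
            bindmethod=simple
            binddn="${hcfg.dn}"
            credentials="${hcfg.password}"
        '';
      }
      {
        dest = "openldap_replication/${name}/replication_password";
        user = "openldap";
        group = "openldap";
        permissions = "0400";
        text = hcfg.password;
      }
    ]) cfg.hosts);

    services.cron = {
      enable = true;
      # Four LDIF dumps a day per replica (run by cron as root) and a daily
      # rotation at 03:00.  Each dump is a full slapcat of the base DN —
      # userPassword attributes included — so it goes to the 0700 directory
      # created by the activation script below; the files themselves are
      # created with root's umask, the 0700 parent is what keeps them private.
      systemCronJobs = lib.flatten (lib.mapAttrsToList (name: hcfg:
        let
          backupDir = "${cfg.base}/${name}/openldap_backup";
          backup_script = pkgs.writeScript "backup_openldap_${name}" ''
            #!${pkgs.stdenv.shell}

            ${hcfg.package}/bin/slapcat -b "${hcfg.base}" -f ${ldapConfig hcfg name} -l ${backupDir}/$(${pkgs.coreutils}/bin/date -Iseconds).ldif
          '';
          # Retention policy lives in utils.nix (exponentialDumps) — not visible here.
          cleanup_script = pkgs.writeScript "cleanup_openldap_${name}" (u.exponentialDumps "ldif" backupDir);
        in [
          "0 22,4,10,16 * * * root ${backup_script}"
          "0 3 * * * root ${cleanup_script}"
        ]) cfg.hosts);
    };

    # Data and dump directories, created (if missing) after users/groups exist
    # and before the service or cron touch them; 0700 so the replicated DIT
    # and its dumps are readable by the openldap user only.
    system.activationScripts = lib.attrsets.mapAttrs' (name: hcfg:
      lib.attrsets.nameValuePair "openldap_replication_${name}" {
        deps = [ "users" "groups" ];
        text = ''
          install -m 0700 -o openldap -g openldap -d ${cfg.base}/${name}/openldap
          install -m 0700 -o openldap -g openldap -d ${cfg.base}/${name}/openldap_backup
        '';
      }) cfg.hosts;

    # One slapd consumer per host.  The unit name keeps the historical
    # "openldap_backup_" prefix even though it runs the replica itself.
    systemd.services = lib.attrsets.mapAttrs' (name: hcfg:
      let
        dataDir = "${cfg.base}/${name}/openldap";
      in
      lib.attrsets.nameValuePair "openldap_backup_${name}" {
        description = "Openldap replication for ${name}";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        unitConfig.RequiresMountsFor = dataDir;

        # slapd starts as root and drops to openldap (-u/-g), so the runtime
        # directory holding the pid/args files must already belong to openldap.
        preStart = ''
          mkdir -p /run/slapd_${name}
          chown -R "openldap:openldap" /run/slapd_${name}
        '';

        serviceConfig = {
          # -d 0 keeps slapd in the foreground with no debug output, which is
          # what the default systemd service type expects.
          ExecStart = "${hcfg.package}/libexec/slapd -d 0 -u openldap -g openldap -f ${ldapConfig hcfg name}";
        };
      }) cfg.hosts;
  };
}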