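{ pkgs, config, lib, openldap, ... }:
let
  cfg = config.myServices.databasesReplication.openldap;

  # Project helpers (exponentialDumps); evaluated once here instead of once per
  # host inside the cron job generator.
  u = pkgs.callPackage ./utils.nix {};

  # Minimal slapd.conf for the local mdb replica of one upstream host.
  #
  # The syncrepl stanza (provider URL, bind DN and password) is not inlined:
  # it is pulled in at runtime through the `include` of the secrets path, so
  # the copy of this file in the Nix store carries no credentials.
  #
  # Note that no `rootpw` and no `access` rules are defined.  slapd's
  # documented fallback when no ACLs are given is to allow read access to
  # everyone (and writes only to the rootdn), so the replicated directory is
  # only as private as the listener the service exposes (see ExecStart below).
  #
  # Schema files come from `pkgs.openldap` while slapd/slapcat run from
  # `hcfg.package`; presumably intentional, but a host overriding `package`
  # with a different major version should double check schema compatibility.
  ldapConfig = hcfg: name: pkgs.writeText "slapd.conf" ''
    include ${pkgs.openldap}/etc/schema/core.schema
    include ${pkgs.openldap}/etc/schema/cosine.schema
    include ${pkgs.openldap}/etc/schema/inetorgperson.schema
    include ${pkgs.openldap}/etc/schema/nis.schema
    include ${openldap.immae-schema}
    pidfile   /run/slapd_${name}/slapd.pid
    argsfile  /run/slapd_${name}/slapd.args

    moduleload back_mdb
    backend mdb
    database mdb

    suffix "${hcfg.base}"
    rootdn "cn=root,${hcfg.base}"
    directory ${cfg.base}/${name}/openldap

    index objectClass eq
    index uid pres,eq
    index entryUUID eq

    include ${config.secrets.fullPaths."openldap_replication/${name}/replication_config"}
  '';
in
{
  options.myServices.databasesReplication.openldap = {
    enable = lib.mkEnableOption "Enable openldap replication";
    base = lib.mkOption {
      type = lib.types.path;
      description = ''
        Base path to put the replications
      '';
    };
    hosts = lib.mkOption {
      default = {};
      description = ''
        Hosts to backup
      '';
      type = lib.types.attrsOf (lib.types.submodule {
        options = {
          package = lib.mkOption {
            type = lib.types.package;
            default = pkgs.openldap;
            description = ''
              Openldap package for this host
            '';
          };
          url = lib.mkOption {
            type = lib.types.str;
            description = ''
              Host to connect to (LDAP URL used as the syncrepl provider).
              The generated stanza does not enable StartTLS, so an ldap://
              URL sends the bind credentials in cleartext; prefer ldaps://.
            '';
          };
          base = lib.mkOption {
            type = lib.types.str;
            description = ''
              Base DN to replicate
            '';
          };
          dn = lib.mkOption {
            type = lib.types.str;
            description = ''
              DN to use
            '';
          };
          password = lib.mkOption {
            type = lib.types.str;
            description = ''
              Password to use.  Held as a plain string in the module
              configuration and written out through `secrets.keys`; whether
              the evaluated value stays out of the Nix store depends on the
              secrets module, not on this file.
            '';
          };
        };
      });
    };
  };

  config = lib.mkIf cfg.enable {
    # The syncrepl stanza below uses bindmethod=simple and sets neither
    # `starttls` nor any `tls_*` option, so a plain ldap:// provider URL means
    # the bind DN and password cross the network unencrypted.  Surface that at
    # evaluation time without breaking existing deployments.
    warnings = lib.flatten (lib.mapAttrsToList (name: hcfg:
      lib.optional (lib.hasPrefix "ldap://" hcfg.url)
        "myServices.databasesReplication.openldap.hosts.${name}.url uses ldap:// and the generated syncrepl stanza does not enable StartTLS; replication credentials are sent in cleartext. Prefer an ldaps:// URL."
    ) cfg.hosts);

    users.users.openldap = {
      description = "Openldap database user";
      group = "openldap";
      uid = config.ids.uids.openldap;
      extraGroups = [ "keys" ];
    };
    users.groups.openldap.gid = config.ids.gids.openldap;

    # Two secret files per host, readable only by the openldap user (0400):
    #  - replication_config: the syncrepl stanza `include`d by slapd.conf;
    #  - replication_password: the bare password.  Nothing in this file reads
    #    it; presumably consumed elsewhere in the repository — verify before
    #    removing.
    secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [
      (lib.nameValuePair "openldap_replication/${name}/replication_config" {
        user = "openldap";
        group = "openldap";
        permissions = "0400";
        # attrs="*,+" pulls every user and operational attribute; the
        # provider-side ACL for ${hcfg.dn} decides what actually arrives.
        # schemachecking=off keeps the replica from rejecting entries that
        # rely on schema it does not load.
        text = ''
          syncrepl rid=000
            provider=${hcfg.url}
            type=refreshAndPersist
            searchbase="${hcfg.base}"
            retry="5 10 300 +"
            attrs="*,+"
            schemachecking=off
            bindmethod=simple
            binddn="${hcfg.dn}"
            credentials="${hcfg.password}"
        '';
      })
      (lib.nameValuePair "openldap_replication/${name}/replication_password" {
        user = "openldap";
        group = "openldap";
        permissions = "0400";
        text = hcfg.password;
      })
    ]) cfg.hosts));

    # Periodic slapcat dumps of each replica plus a nightly thinning pass.
    # Jobs run as root; the dump lands in the 0700 openldap-owned backup
    # directory created by the activation script, which is what keeps the
    # (password-hash carrying) LDIF from being world readable.
    services.cron = {
      enable = true;
      systemCronJobs = lib.flatten (lib.mapAttrsToList (name: hcfg:
        let
          backupDir = "${cfg.base}/${name}/openldap_backup";
          backup_script = pkgs.writeScript "backup_openldap_${name}" ''
            #!${pkgs.stdenv.shell}

            ${hcfg.package}/bin/slapcat -b "${hcfg.base}" -f ${ldapConfig hcfg name} -l ${backupDir}/$(${pkgs.coreutils}/bin/date -Iminutes).ldif
          '';
          cleanup_script = pkgs.writeScript "cleanup_openldap_${name}" (u.exponentialDumps "ldif" backupDir);
        in [
          "0 22,4,10,16 * * * root ${backup_script}"
          "0 3 * * * root ${cleanup_script}"
        ]) cfg.hosts);
    };

    # Data and backup directories are private to the openldap user.
    system.activationScripts = lib.attrsets.mapAttrs' (name: hcfg:
      lib.attrsets.nameValuePair "openldap_replication_${name}" {
        deps = [ "users" "groups" ];
        text = ''
          install -m 0700 -o openldap -g openldap -d ${cfg.base}/${name}/openldap
          install -m 0700 -o openldap -g openldap -d ${cfg.base}/${name}/openldap_backup
        '';
      }) cfg.hosts;

    # One slapd consumer per upstream host.  slapd is started as root and
    # drops to openldap:openldap itself (-u/-g).
    #
    # No `-h` listener URL is given, so each instance uses slapd's default
    # listener, i.e. the LDAP port on all interfaces.  Combined with the
    # absent ACLs in ldapConfig this makes the replica anonymously readable to
    # anything that can reach that port (only the host firewall stands in the
    # way), and two configured hosts would contend for the same port.  A
    # consumer does not need a network listener to pull from its provider, so
    # restricting `-h` to a per-instance ldapi:// socket is the natural
    # hardening; left unchanged here because existing clients of the port, if
    # any, are not visible from this file.
    systemd.services = lib.attrsets.mapAttrs' (name: hcfg:
      let
        dataDir = "${cfg.base}/${name}/openldap";
      in
      lib.attrsets.nameValuePair "openldap_backup_${name}" {
        description = "Openldap replication for ${name}";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        unitConfig.RequiresMountsFor = dataDir;

        # Runtime directory for pidfile/argsfile referenced from slapd.conf.
        preStart = ''
          mkdir -p /run/slapd_${name}
          chown -R "openldap:openldap" /run/slapd_${name}
        '';

        serviceConfig = {
          ExecStart = "${hcfg.package}/libexec/slapd -d 0 -u openldap -g openldap -f ${ldapConfig hcfg name}";
        };
      }) cfg.hosts;
  };
}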