]> git.immae.eu Git - perso/Immae/Config/Nix.git/blobdiff - modules/private/databases/openldap/default.nix
projects / perso / Immae / Config / Nix.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Upgrade nixos
[perso/Immae/Config/Nix.git] / modules / private / databases / openldap / default.nix
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix
index 46f85d26f0ca6f1da3358690ee5eee78334e97cb..efe93795c79f1901c03ff0c737230e4ff4eb61a4 100644 (file)
--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -1,23 +1,10 @@
-{ lib, pkgs, config, myconfig,  ... }:
+{ lib, pkgs, config, ... }:
 let
   cfg = config.myServices.databases.openldap;
   ldapConfig = let
-    kerberosSchema = pkgs.fetchurl {
-      url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
-      sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
-    };
-    puppetSchema = pkgs.fetchurl {
-      url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
-      sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
-    };
+    eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {};
   in ''
-    include         ${pkgs.openldap}/etc/schema/core.schema
-    include         ${pkgs.openldap}/etc/schema/cosine.schema
-    include         ${pkgs.openldap}/etc/schema/inetorgperson.schema
-    include         ${pkgs.openldap}/etc/schema/nis.schema
-    include         ${puppetSchema}
-    include         ${kerberosSchema}
-    include         ${./immae.schema}
+    ${eldiron_schemas}
 
     pidfile         ${cfg.pids.pid}
     argsfile        ${cfg.pids.args}
@@ -25,34 +12,49 @@ let
     moduleload      back_hdb
     backend         hdb
 
-    moduleload      memberof
-    database        hdb
-    suffix          "${myconfig.env.ldap.base}"
-    rootdn          "${myconfig.env.ldap.root_dn}"
-    include         ${config.secrets.location}/ldap/password
-    directory       ${cfg.dataDir}
-    overlay         memberof
-
-    TLSCertificateFile    ${config.security.acme.directory}/ldap/cert.pem
-    TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem
-    TLSCACertificateFile  ${config.security.acme.directory}/ldap/fullchain.pem
+    TLSCertificateFile    ${config.security.acme.certs.ldap.directory}/cert.pem
+    TLSCertificateKeyFile ${config.security.acme.certs.ldap.directory}/key.pem
+    TLSCACertificateFile  ${config.security.acme.certs.ldap.directory}/fullchain.pem
     TLSCACertificatePath  ${pkgs.cacert.unbundled}/etc/ssl/certs/
     #This makes openldap crash
     #TLSCipherSuite        DEFAULT
 
     sasl-host kerberos.immae.eu
-    include ${config.secrets.location}/ldap/access
     '';
 in
 {
   options.myServices.databases = {
     openldap = {
       enable = lib.mkOption {
-        default = cfg.enable;
+        default = false;
         example = true;
         description = "Whether to enable ldap";
         type = lib.types.bool;
       };
+      baseDn = lib.mkOption {
+        type = lib.types.str;
+        description = ''
+          Base DN for LDAP
+        '';
+      };
+      rootDn = lib.mkOption {
+        type = lib.types.str;
+        description = ''
+          Root DN
+        '';
+      };
+      rootPw = lib.mkOption {
+        type = lib.types.str;
+        description = ''
+          Root (Hashed) password
+        '';
+      };
+      accessFile = lib.mkOption {
+        type = lib.types.path;
+        description = ''
+          The file path that defines the access
+        '';
+      };
       dataDir = lib.mkOption {
         type = lib.types.path;
         default = "/var/lib/openldap";
@@ -89,42 +91,53 @@ in
         permissions = "0400";
         user = "openldap";
         group = "openldap";
-        text = "rootpw          ${myconfig.env.ldap.root_pw}";
+        text = "rootpw          ${cfg.rootPw}";
       }
       {
-        dest = "ldap/access ";
+        dest = "ldap/access";
         permissions = "0400";
         user = "openldap";
         group = "openldap";
-        text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
+        text = builtins.readFile "${cfg.accessFile}";
       }
     ];
     users.users.openldap.extraGroups = [ "keys" ];
     networking.firewall.allowedTCPPorts = [ 636 389 ];
 
-    services.cron = {
-      systemCronJobs = [
-        ''
-          35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
-        ''
-      ];
-    };
-
     security.acme.certs."ldap" = config.myServices.databasesCerts // {
       user = "openldap";
       group = "openldap";
-      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
       domain = "ldap.immae.eu";
       postRun = ''
         systemctl restart openldap.service
       '';
     };
 
+    services.filesWatcher.openldap = {
+      restart = true;
+      paths = [ "${config.secrets.location}/ldap/" ];
+    };
+
     services.openldap = {
       enable = true;
       dataDir = cfg.dataDir;
       urlList = [ "ldap://" "ldaps://" ];
       extraConfig = ldapConfig;
+      extraDatabaseConfig = ''
+        moduleload      memberof
+        overlay         memberof
+
+        moduleload      syncprov
+        overlay         syncprov
+        syncprov-checkpoint 100 10
+
+        include ${config.secrets.location}/ldap/access
+        '';
+      rootpwFile = "${config.secrets.location}/ldap/password";
+      suffix = cfg.baseDn;
+      rootdn = cfg.rootDn;
+      database = "hdb";
     };
   };
 }
My infrastructure configuration