let
cfg = config.services.myDatabases;
in {
+ imports = [
+ ./openldap.nix
+ ];
options.services.myDatabases = {
enable = lib.mkEnableOption "my databases service";
postgresql = {
type = lib.types.bool;
};
};
-
- ldap = {
- enable = lib.mkOption {
- default = cfg.enable;
- example = true;
- description = "Whether to enable ldap";
- type = lib.types.bool;
- };
- };
};
config = lib.mkIf cfg.enable {
});
};
- networking.firewall.allowedTCPPorts = [ 3306 5432 636 389 ];
+ networking.firewall.allowedTCPPorts = [ 3306 5432 ];
# for adminer, ssl is implemented with mysqli only, which is
# currently disabled because it’s not compatible with pam.
'';
};
- security.acme.certs."ldap" = config.services.myCertificates.certConfig // {
- user = "openldap";
- group = "openldap";
- plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
- domain = "ldap.immae.eu";
- postRun = ''
- systemctl restart openldap.service
- '';
- };
-
system.activationScripts.postgresql = ''
install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
'';
chown redis $(dirname ${myconfig.env.databases.redis.socket})
'';
- services.openldap = let
- kerberosSchema = pkgs.fetchurl {
- url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
- sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
- };
- puppetSchema = pkgs.fetchurl {
- url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
- sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
- };
- in {
- enable = config.services.myDatabases.ldap.enable;
- dataDir = "/var/lib/openldap";
- urlList = [ "ldap://" "ldaps://" ];
- extraConfig = ''
- include ${pkgs.openldap}/etc/schema/core.schema
- include ${pkgs.openldap}/etc/schema/cosine.schema
- include ${pkgs.openldap}/etc/schema/inetorgperson.schema
- include ${pkgs.openldap}/etc/schema/nis.schema
- include ${puppetSchema}
- include ${kerberosSchema}
- include ${./immae.schema}
-
- pidfile /run/slapd/slapd.pid
- argsfile /run/slapd/slapd.args
-
- moduleload back_hdb
- backend hdb
-
- moduleload memberof
- database hdb
- suffix "${myconfig.env.ldap.base}"
- rootdn "${myconfig.env.ldap.root_dn}"
- rootpw ${myconfig.env.ldap.root_pw}
- directory /var/lib/openldap
- overlay memberof
-
- TLSCertificateFile /var/lib/acme/ldap/cert.pem
- TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
- TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem
- TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
- #This makes openldap crash
- #TLSCipherSuite DEFAULT
-
- sasl-host kerberos.immae.eu
- ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}
- '';
- };
};
}
--- /dev/null
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+let
+ cfg = config.services.myDatabases;
+ ldapConfig = let
+ kerberosSchema = pkgs.fetchurl {
+ url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
+ sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
+ };
+ puppetSchema = pkgs.fetchurl {
+ url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
+ sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
+ };
+ in ''
+ include ${pkgs.openldap}/etc/schema/core.schema
+ include ${pkgs.openldap}/etc/schema/cosine.schema
+ include ${pkgs.openldap}/etc/schema/inetorgperson.schema
+ include ${pkgs.openldap}/etc/schema/nis.schema
+ include ${puppetSchema}
+ include ${kerberosSchema}
+ include ${./immae.schema}
+
+ pidfile /run/slapd/slapd.pid
+ argsfile /run/slapd/slapd.args
+
+ moduleload back_hdb
+ backend hdb
+
+ moduleload memberof
+ database hdb
+ suffix "${myconfig.env.ldap.base}"
+ rootdn "${myconfig.env.ldap.root_dn}"
+ rootpw ${myconfig.env.ldap.root_pw}
+ directory /var/lib/openldap
+ overlay memberof
+
+ TLSCertificateFile /var/lib/acme/ldap/cert.pem
+ TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
+ TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem
+ TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
+ #This makes openldap crash
+ #TLSCipherSuite DEFAULT
+
+ sasl-host kerberos.immae.eu
+ ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}
+ '';
+in {
+ options.services.myDatabases = {
+ ldap = {
+ enable = lib.mkOption {
+ default = cfg.enable;
+ example = true;
+ description = "Whether to enable ldap";
+ type = lib.types.bool;
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 636 389 ];
+
+ services.cron = {
+ systemCronJobs = [
+ ''
+ 35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l /var/lib/openldap/backup.ldif
+ ''
+ ];
+ };
+
+ security.acme.certs."ldap" = config.services.myCertificates.certConfig // {
+ user = "openldap";
+ group = "openldap";
+ plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+ domain = "ldap.immae.eu";
+ postRun = ''
+ systemctl restart openldap.service
+ '';
+ };
+
+ services.openldap = {
+ enable = config.services.myDatabases.ldap.enable;
+ dataDir = "/var/lib/openldap";
+ urlList = [ "ldap://" "ldaps://" ];
+ extraConfig = ldapConfig;
+ };
+ };
+}
+