blob: 9f72b297df0383abff8ad15102133a8ac288fcd6 (
plain) (
tree)
|
|
{ lib, pkgs, config, ... }:
let
cfg = config.myServices.databases.openldap;
ldapConfig = let
kerberosSchema = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
};
puppetSchema = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
};
in ''
include ${pkgs.openldap}/etc/schema/core.schema
include ${pkgs.openldap}/etc/schema/cosine.schema
include ${pkgs.openldap}/etc/schema/inetorgperson.schema
include ${pkgs.openldap}/etc/schema/nis.schema
include ${puppetSchema}
include ${kerberosSchema}
include ${./immae.schema}
pidfile ${cfg.pids.pid}
argsfile ${cfg.pids.args}
moduleload back_hdb
backend hdb
moduleload memberof
database hdb
suffix "${cfg.baseDn}"
rootdn "${cfg.rootDn}"
include ${config.secrets.location}/ldap/password
directory ${cfg.dataDir}
overlay memberof
TLSCertificateFile ${config.security.acme.directory}/ldap/cert.pem
TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem
TLSCACertificateFile ${config.security.acme.directory}/ldap/fullchain.pem
TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
#This makes openldap crash
#TLSCipherSuite DEFAULT
sasl-host kerberos.immae.eu
include ${config.secrets.location}/ldap/access
'';
in
{
options.myServices.databases = {
openldap = {
enable = lib.mkOption {
default = false;
example = true;
description = "Whether to enable ldap";
type = lib.types.bool;
};
baseDn = lib.mkOption {
type = lib.types.str;
description = ''
Base DN for LDAP
'';
};
rootDn = lib.mkOption {
type = lib.types.str;
description = ''
Root DN
'';
};
rootPw = lib.mkOption {
type = lib.types.str;
description = ''
Root (Hashed) password
'';
};
accessFile = lib.mkOption {
type = lib.types.path;
description = ''
The file path that defines the access
'';
};
dataDir = lib.mkOption {
type = lib.types.path;
default = "/var/lib/openldap";
description = ''
The directory where Openldap stores its data.
'';
};
socketsDir = lib.mkOption {
type = lib.types.path;
default = "/run/slapd";
description = ''
The directory where Openldap puts sockets and pid files.
'';
};
# Output variables
pids = lib.mkOption {
type = lib.types.attrsOf lib.types.path;
default = {
pid = "${cfg.socketsDir}/slapd.pid";
args = "${cfg.socketsDir}/slapd.args";
};
readOnly = true;
description = ''
Slapd pid files
'';
};
};
};
config = lib.mkIf cfg.enable {
secrets.keys = [
{
dest = "ldap/password";
permissions = "0400";
user = "openldap";
group = "openldap";
text = "rootpw ${cfg.rootPw}";
}
{
dest = "ldap/access";
permissions = "0400";
user = "openldap";
group = "openldap";
text = builtins.readFile "${cfg.accessFile}";
}
];
users.users.openldap.extraGroups = [ "keys" ];
networking.firewall.allowedTCPPorts = [ 636 389 ];
services.cron = {
systemCronJobs = [
''
35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
''
];
};
security.acme.certs."ldap" = config.myServices.databasesCerts // {
user = "openldap";
group = "openldap";
plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
domain = "ldap.immae.eu";
postRun = ''
systemctl restart openldap.service
'';
};
services.filesWatcher.openldap = {
restart = true;
paths = [ "${config.secrets.location}/ldap/" ];
};
services.openldap = {
enable = true;
dataDir = cfg.dataDir;
urlList = [ "ldap://" "ldaps://" ];
extraConfig = ldapConfig;
};
};
}
|