authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-02-22 21:09:52 +0100
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-02-22 22:17:43 +0100
commit1bb448839addbb1d66ee81141d21d08b1e925faf (patch)
tree3651af17dc13a5ab0131269bd2c5a1626099bb91
parent9690acd9e5ff473fdc88ef13bcc98bb698cfb269 (diff)
downloadNix-1bb448839addbb1d66ee81141d21d08b1e925faf.tar.gz
Nix-1bb448839addbb1d66ee81141d21d08b1e925faf.tar.zst
Nix-1bb448839addbb1d66ee81141d21d08b1e925faf.zip
Add ldap
Fixes https://git.immae.eu/mantisbt/view.php?id=78
-rw-r--r--nixops/modules/databases/default.nix69
-rw-r--r--nixops/modules/databases/immae.schema155
2 files changed, 223 insertions, 1 deletions
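diff --git a/nixops/modules/databases/default.nix b/nixops/modules/databases/default.nix
index 1115a29..1940b62 100644
--- a/nixops/modules/databases/default.nix
+++ b/nixops/modules/databases/default.nix
@@ -30,6 +30,15 @@ in {
         type = lib.types.bool;
       };
     };
+
+    ldap = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable ldap";
+        type = lib.types.bool;
+      };
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -55,7 +64,7 @@ in {
       });
     };
 
-    networking.firewall.allowedTCPPorts = [ 3306 5432 ];
+    networking.firewall.allowedTCPPorts = [ 3306 5432 636 389 ];
 
     # for adminer, ssl is implemented with mysqli only, which is
     # currently disabled because it’s not compatible with pam.
@@ -94,6 +103,16 @@ in {
       '';
     };
 
+    security.acme.certs."ldap" = config.services.myCertificates.certConfig // {
+      user = "openldap";
+      group = "openldap";
+      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+      domain = "ldap.immae.eu";
+      postRun = ''
+        systemctl restart openldap.service
+      '';
+    };
+
     system.activationScripts.postgresql = ''
       install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
     '';
@@ -202,5 +221,53 @@ in {
       mkdir -p $(dirname ${myconfig.env.databases.redis.socket})
       chown redis $(dirname ${myconfig.env.databases.redis.socket})
     '';
+
+    services.openldap = let
+      kerberosSchema = pkgs.fetchurl {
+        url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
+        sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
+      };
+      puppetSchema = pkgs.fetchurl {
+        url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
+        sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
+      };
+    in {
+      enable = config.services.myDatabases.ldap.enable;
+      dataDir = "/var/lib/openldap";
+      urlList = [ "ldap://" "ldaps://" ];
+      extraConfig = ''
+        include ${pkgs.openldap}/etc/schema/core.schema
+        include ${pkgs.openldap}/etc/schema/cosine.schema
+        include ${pkgs.openldap}/etc/schema/inetorgperson.schema
+        include ${pkgs.openldap}/etc/schema/nis.schema
+        include ${puppetSchema}
+        include ${kerberosSchema}
+        include ${./immae.schema}
+
+        pidfile /run/slapd/slapd.pid
+        argsfile /run/slapd/slapd.args
+
+        moduleload back_hdb
+        backend hdb
+
+        moduleload memberof
+        database hdb
+        suffix "${myconfig.env.ldap.base}"
+        rootdn "${myconfig.env.ldap.root_dn}"
+        rootpw ${myconfig.env.ldap.root_pw}
+        directory /var/lib/openldap
+        overlay memberof
+
+        TLSCertificateFile /var/lib/acme/ldap/cert.pem
+        TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
+        TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem
+        TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
+        #This makes openldap crash
+        #TLSCipherSuite DEFAULT
+
+        sasl-host kerberos.immae.eu
+        ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}
+      '';
+    };
   };
 }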
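Review bot: `rootpw ${myconfig.env.ldap.root_pw}` in the services.openldap hunk interpolates the directory's root password straight into the Nix expression, and `${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}` does the same for the private config; as far as I can tell the NixOS openldap module writes extraConfig to a slapd.conf in the Nix store, which is world-readable on the host, so both secrets end up readable by every local user and in any binary cache the system is pushed to. Prefer a hash generated with `slappasswd` for `rootpw`, or keep the secret lines in a root/openldap-only file deployed outside the store and reference it at runtime with `include /etc/openldap/private.conf` instead of reading it at evaluation time. Separately, the firewall hunk opens 389 as well as 636 and `urlList` serves `ldap://` on all interfaces, so simple binds can travel in cleartext; if StartTLS is meant to be mandatory, add `security ssf=128` to the database section or drop 389 from the firewall. The two schema URLs point at `master` — the sha256 protects integrity, but a clean rebuild will fail once upstream changes the file, so pin a commit or tag in the URL.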
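diff --git a/nixops/modules/databases/immae.schema b/nixops/modules/databases/immae.schema
new file mode 100644
index 0000000..f0e12bc
--- /dev/null
+++ b/nixops/modules/databases/immae.schema
@@ -0,0 +1,155 @@
+# vim: set filetype=slapd:
+objectIdentifier Immaeroot 1.3.6.1.4.1.50071
+
+objectIdentifier Immae Immaeroot:2
+objectIdentifier ImmaeattributeType Immae:3
+objectIdentifier ImmaeobjectClass Immae:4
+
+# TT-RSS
+attributetype ( ImmaeattributeType:1 NAME 'immaeTtrssLogin'
+        DESC 'login for TTRSS'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+objectclass ( ImmaeobjectClass:1 NAME 'immaeTtrssClass'
+        DESC 'Expansion of the existing object classes for ttrss'
+        SUP top AUXILIARY
+        MUST ( immaeTtrssLogin ) )
+
+# FTP
+attributetype ( ImmaeattributeType:2 NAME 'immaeFtpDirectory'
+        DESC 'home directory for ftp'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( ImmaeattributeType:3 NAME 'immaeFtpUid'
+        DESC 'user id for ftp'
+        EQUALITY integerMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+attributetype ( ImmaeattributeType:4 NAME 'immaeFtpGid'
+        DESC 'group id for ftp'
+        EQUALITY integerMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+objectclass ( ImmaeobjectClass:2 NAME 'immaeFtpClass'
+        DESC 'Expansion of the existing object classes for ftp'
+        SUP top AUXILIARY
+        MUST ( immaeFtpDirectory $ immaeFtpGid $ immaeFtpUid ) )
+
+
+# SSH keys
+attributetype ( ImmaeattributeType:5 NAME 'immaeSshKey'
+        DESC 'OpenSSH Public key'
+        EQUALITY octetStringMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+objectClass ( ImmaeobjectClass:3 NAME 'immaeSshClass'
+        DESC 'OpenSSH class'
+        SUP top AUXILIARY
+        MAy ( immaeSSHKey ) )
+
+# Specific access
+attributetype (ImmaeattributeType:6 NAME 'immaeAccessDn'
+        EQUALITY distinguishedNameMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+attributetype (ImmaeattributeType:17 NAME 'immaeAccessWriteDn'
+        EQUALITY distinguishedNameMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+attributetype (ImmaeattributeType:18 NAME 'immaeAccessReadSubtree'
+        EQUALITY distinguishedNameMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+objectClass ( ImmaeobjectClass:4 NAME 'immaeAccessClass'
+        DESC 'Access class'
+        SUP top AUXILIARY
+        MAY ( immaeAccessDn $ immaeAccessWriteDn $ immaeAccessReadSubtree ) )
+
+# Xmpp uid
+attributetype ( ImmaeattributeType:7 NAME 'immaeXmppUid'
+        DESC 'user part for Xmpp'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+objectclass ( ImmaeobjectClass:5 NAME 'immaeXmppClass'
+        DESC 'Expansion of the existing object classes for XMPP'
+        SUP top AUXILIARY
+        MUST ( immaeXmppUid ) )
+
+# Postfix accounts
+attributetype ( ImmaeattributeType:8 NAME 'immaePostfixAddress'
+        DESC 'the dovecot address to match as username'
+        EQUALITY caseIgnoreIA5Match
+        SUBSTR caseIgnoreIA5SubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+
+attributetype ( ImmaeattributeType:9 NAME 'immaePostfixHome'
+        DESC 'the postfix home directory'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( ImmaeattributeType:10 NAME 'immaePostfixMail'
+        DESC 'the dovecot mail location'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( ImmaeattributeType:11 NAME 'immaePostfixUid'
+        DESC 'the dovecot uid'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( ImmaeattributeType:12 NAME 'immaePostfixGid'
+        DESC 'the dovecot gid'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+objectclass ( ImmaeobjectClass:6 NAME 'immaePostfixClass'
+        DESC 'Expansion of the existing object classes for Postfix'
+        SUP top AUXILIARY
+        MUST ( immaePostfixAddress $ immaePostfixHome $
+               immaePostfixMail $ immaePostfixUid $ immaePostfixGid )
+        )
+
+# Tinc informations
+# Domaine = une classe a part ou une partie du dn ?
+# attributetype ( ImmaeattributeType:13 NAME 'immaeTincIpSegment'
+# DESC 'the internal ip segment in tinc'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+#
+# attributetype ( ImmaeattributeType:14 NAME 'immaeTincSubdomain'
+# DESC 'the host subdomain'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+#
+# attributetype ( ImmaeattributeType:15 NAME 'immaeTincHostname'
+# DESC 'the host name'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+#
+# objectclass ( ImmaeobjectClass:7 NAME 'immaeTincHostClass'
+# DESC 'Expansion of the existing object classes for Tinc'
+# SUP top AUXILIARY
+# MUST ( immaeTincInternalIp $ immaeTincSubdomain $
+# immaeTincHostname )
+# )
+
+attributetype (ImmaeattributeType:16 NAME 'immaePuppetJson'
+        DESC 'Puppet hiera json'
+        EQUALITY octetStringMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+objectclass ( ImmaeobjectClass:8 NAME 'immaePuppetClass'
+        DESC 'Expansion of the existing object classes for Puppet'
+        SUP top AUXILIARY
+        MUST ( immaePuppetJson )
+        )
+
+# Last:
+# attributetype (ImmaeattributeType:18 NAME 'immaeAccessReadSubtree'
+# objectclass ( ImmaeobjectClass:8 NAME 'immaePuppetClass'
+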
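Review bot: The `immaeSshClass` definition reads `MAy ( immaeSSHKey ) )`: the keyword casing differs from every other class and the attribute name does not match the `immaeSshKey` defined just above; slapd's schema parser is, as far as I know, case-insensitive for both so it probably loads, but it should be `MAY ( immaeSshKey ) )` so the file is consistent and greppable. `immaePostfixUid` and `immaePostfixGid` use IA5 string syntax with `caseExactIA5Match`, whereas the parallel `immaeFtpUid`/`immaeFtpGid` use INTEGER with `integerMatch`; unless the dovecot lookup genuinely needs strings, moving them to `SYNTAX 1.3.6.1.4.1.1466.115.121.1.27` with `EQUALITY integerMatch` stops non-numeric ids being accepted into the directory. In the commented-out tinc block, `immaeTincHostClass` requires `immaeTincInternalIp`, which is never defined (the attribute above it is `immaeTincIpSegment`), so uncommenting it as-is would fail to load. The three access attributes (`immaeAccessDn`, `immaeAccessWriteDn`, `immaeAccessReadSubtree`) carry no DESC; since their names suggest they feed ACLs in the private config, a one-line DESC per attribute stating what it grants and who may set it would help whoever maintains those ACLs.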