author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-12-08 16:22:56 +0100 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-12-08 16:22:56 +0100 |
commit | 16b80abd57bb215d0e72f3983f997a007743b8fb (patch) | |
tree | 19b24a9c9e2334c069721671e4e2a5d53d8efaec /modules/private/databases/openldap/default.nix | |
parent | 6015a3b52c3b155ac444aeb39950c38a5e653101 (diff) | |
Add openldap replication
Diffstat (limited to 'modules/private/databases/openldap/default.nix')
-rw-r--r-- | modules/private/databases/openldap/default.nix | 29 |
1 files changed, 6 insertions, 23 deletions
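--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -2,22 +2,9 @@
 let
   cfg = config.myServices.databases.openldap;
   ldapConfig = let
-    kerberosSchema = pkgs.fetchurl {
-      url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
-      sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
-    };
-    puppetSchema = pkgs.fetchurl {
-      url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
-      sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
-    };
+    eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {};
   in ''
-    include ${pkgs.openldap}/etc/schema/core.schema
-    include ${pkgs.openldap}/etc/schema/cosine.schema
-    include ${pkgs.openldap}/etc/schema/inetorgperson.schema
-    include ${pkgs.openldap}/etc/schema/nis.schema
-    include ${puppetSchema}
-    include ${kerberosSchema}
-    include ${./immae.schema}
+    ${eldiron_schemas}
 
     pidfile ${cfg.pids.pid}
     argsfile ${cfg.pids.args}
@@ -33,6 +20,10 @@ let
     directory ${cfg.dataDir}
     overlay memberof
 
+    moduleload syncprov
+    overlay syncprov
+    syncprov-checkpoint 100 10
+
     TLSCertificateFile ${config.security.acme.directory}/ldap/cert.pem
     TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem
     TLSCACertificateFile ${config.security.acme.directory}/ldap/fullchain.pem
@@ -126,14 +117,6 @@ in
   users.users.openldap.extraGroups = [ "keys" ];
   networking.firewall.allowedTCPPorts = [ 636 389 ];
 
-  services.cron = {
-    systemCronJobs = [
-      ''
-        35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
-      ''
-    ];
-  };
-
   security.acme.certs."ldap" = config.myServices.databasesCerts // {
     user = "openldap";
     group = "openldap";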
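Review bot: The `overlay syncprov` block added in the second hunk turns this slapd into a replication provider, but nothing in the hunk pairs it with an identity the consumers bind as or with an ACL/`limits` entry for that identity, so whatever is allowed to run a sync search can pull the whole DIT including `userPassword` hashes; if those directives live outside the hunk this is fine, otherwise a dedicated replicator DN with an `olcAccess`-style read rule and a `limits dn.exact="<replicator DN>" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited` line belongs next to the overlay, since the default size limit silently truncates the initial refresh. The same hunk could also state the contract in a comment, e.g. `# syncprov: this host is the replication provider; consumers must bind as the replicator DN over TLS (636/StartTLS)`, because the firewall still opens plain 389 and the hunk does not show the consumers being forced onto TLS. Separately, the third hunk deletes the twice-daily `slapcat` dump without a visible replacement; a syncrepl consumer is not a backup (deletions and bad writes replicate within seconds), so unless the dump moved to another file in this commit it should be kept or noted as intentionally dropped. The `ldapConfig` string that the syncprov lines sit in starts and ends outside the hunk.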