diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-12-08 16:22:56 +0100 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-12-08 16:22:56 +0100 |
| commit | 16b80abd57bb215d0e72f3983f997a007743b8fb (patch) | |
| tree | 19b24a9c9e2334c069721671e4e2a5d53d8efaec /modules/private/databases/openldap | |
| parent | 6015a3b52c3b155ac444aeb39950c38a5e653101 (diff) | |
| download | Nix-16b80abd57bb215d0e72f3983f997a007743b8fb.tar.gz Nix-16b80abd57bb215d0e72f3983f997a007743b8fb.tar.zst Nix-16b80abd57bb215d0e72f3983f997a007743b8fb.zip | |
Add openldap replication
Diffstat (limited to 'modules/private/databases/openldap')
| -rw-r--r-- | modules/private/databases/openldap/default.nix | 29 | ||||
| -rw-r--r-- | modules/private/databases/openldap/eldiron_schemas.nix | 21 |
2 files changed, 27 insertions, 23 deletions
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix index 9f72b29..22f6f7b 100644 --- a/modules/private/databases/openldap/default.nix +++ b/modules/private/databases/openldap/default.nix | |||
| @@ -2,22 +2,9 @@ | |||
| 2 | let | 2 | let |
| 3 | cfg = config.myServices.databases.openldap; | 3 | cfg = config.myServices.databases.openldap; |
| 4 | ldapConfig = let | 4 | ldapConfig = let |
| 5 | kerberosSchema = pkgs.fetchurl { | 5 | eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {}; |
| 6 | url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"; | ||
| 7 | sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww"; | ||
| 8 | }; | ||
| 9 | puppetSchema = pkgs.fetchurl { | ||
| 10 | url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema"; | ||
| 11 | sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; | ||
| 12 | }; | ||
| 13 | in '' | 6 | in '' |
| 14 | include ${pkgs.openldap}/etc/schema/core.schema | 7 | ${eldiron_schemas} |
| 15 | include ${pkgs.openldap}/etc/schema/cosine.schema | ||
| 16 | include ${pkgs.openldap}/etc/schema/inetorgperson.schema | ||
| 17 | include ${pkgs.openldap}/etc/schema/nis.schema | ||
| 18 | include ${puppetSchema} | ||
| 19 | include ${kerberosSchema} | ||
| 20 | include ${./immae.schema} | ||
| 21 | 8 | ||
| 22 | pidfile ${cfg.pids.pid} | 9 | pidfile ${cfg.pids.pid} |
| 23 | argsfile ${cfg.pids.args} | 10 | argsfile ${cfg.pids.args} |
| @@ -33,6 +20,10 @@ let | |||
| 33 | directory ${cfg.dataDir} | 20 | directory ${cfg.dataDir} |
| 34 | overlay memberof | 21 | overlay memberof |
| 35 | 22 | ||
| 23 | moduleload syncprov | ||
| 24 | overlay syncprov | ||
| 25 | syncprov-checkpoint 100 10 | ||
| 26 | |||
| 36 | TLSCertificateFile ${config.security.acme.directory}/ldap/cert.pem | 27 | TLSCertificateFile ${config.security.acme.directory}/ldap/cert.pem |
| 37 | TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem | 28 | TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem |
| 38 | TLSCACertificateFile ${config.security.acme.directory}/ldap/fullchain.pem | 29 | TLSCACertificateFile ${config.security.acme.directory}/ldap/fullchain.pem |
| @@ -126,14 +117,6 @@ in | |||
| 126 | users.users.openldap.extraGroups = [ "keys" ]; | 117 | users.users.openldap.extraGroups = [ "keys" ]; |
| 127 | networking.firewall.allowedTCPPorts = [ 636 389 ]; | 118 | networking.firewall.allowedTCPPorts = [ 636 389 ]; |
| 128 | 119 | ||
| 129 | services.cron = { | ||
| 130 | systemCronJobs = [ | ||
| 131 | '' | ||
| 132 | 35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$" | ||
| 133 | '' | ||
| 134 | ]; | ||
| 135 | }; | ||
| 136 | |||
| 137 | security.acme.certs."ldap" = config.myServices.databasesCerts // { | 120 | security.acme.certs."ldap" = config.myServices.databasesCerts // { |
| 138 | user = "openldap"; | 121 | user = "openldap"; |
| 139 | group = "openldap"; | 122 | group = "openldap"; |
diff --git a/modules/private/databases/openldap/eldiron_schemas.nix b/modules/private/databases/openldap/eldiron_schemas.nix new file mode 100644 index 0000000..7a29988 --- /dev/null +++ b/modules/private/databases/openldap/eldiron_schemas.nix | |||
| @@ -0,0 +1,21 @@ | |||
| 1 | { fetchurl, openldap }: | ||
| 2 | let | ||
| 3 | kerberosSchema = fetchurl { | ||
| 4 | url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"; | ||
| 5 | sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww"; | ||
| 6 | }; | ||
| 7 | puppetSchema = fetchurl { | ||
| 8 | url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema"; | ||
| 9 | sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; | ||
| 10 | }; | ||
| 11 | schemas = [ | ||
| 12 | "${openldap}/etc/schema/core.schema" | ||
| 13 | "${openldap}/etc/schema/cosine.schema" | ||
| 14 | "${openldap}/etc/schema/inetorgperson.schema" | ||
| 15 | "${openldap}/etc/schema/nis.schema" | ||
| 16 | puppetSchema | ||
| 17 | kerberosSchema | ||
| 18 | ./immae.schema | ||
| 19 | ]; | ||
| 20 | in | ||
| 21 | builtins.concatStringsSep "\n" (map (v: "include ${v}") schemas) | ||