author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 01:35:06 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 02:11:48 +0200 |
commit | 1a64deeb894dc95e2645a75771732c6cc53a79ad (patch) | |
tree | 1b9df4838f894577a09b9b260151756272efeb53 /systems/backup-2/databases/openldap_replication.nix | |
parent | fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff) | |
Squash changes containing private information
There were a lot of changes since the previous commit, but a lot of them
contained personal information about users. All those changes got
squashed into a single commit (history is kept in a different place) and
private information was moved to a separate private repository
Diffstat (limited to 'systems/backup-2/databases/openldap_replication.nix')
-rw-r--r-- | systems/backup-2/databases/openldap_replication.nix | 165 |
1 files changed, 165 insertions, 0 deletions
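--- /dev/null
+++ b/systems/backup-2/databases/openldap_replication.nix
@@ -0,0 +1,165 @@
+{ pkgs, config, lib, openldap, ... }:
+let
+  cfg = config.myServices.databasesReplication.openldap;
+  ldapConfig = hcfg: name: pkgs.writeText "slapd.conf" ''
+    include ${pkgs.openldap}/etc/schema/core.schema
+    include ${pkgs.openldap}/etc/schema/cosine.schema
+    include ${pkgs.openldap}/etc/schema/inetorgperson.schema
+    include ${pkgs.openldap}/etc/schema/nis.schema
+    include ${openldap.immae-schema}
+    pidfile /run/slapd_${name}/slapd.pid
+    argsfile /run/slapd_${name}/slapd.args
+
+    moduleload back_mdb
+    backend mdb
+    database mdb
+
+    suffix "${hcfg.base}"
+    rootdn "cn=root,${hcfg.base}"
+    directory ${cfg.base}/${name}/openldap
+
+    index objectClass eq
+    index uid pres,eq
+    index entryUUID eq
+
+    include ${config.secrets.fullPaths."openldap_replication/${name}/replication_config"}
+  '';
+in
+{
+  options.myServices.databasesReplication.openldap = {
+    enable = lib.mkEnableOption "Enable openldap replication";
+    base = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        Base path to put the replications
+      '';
+    };
+    hosts = lib.mkOption {
+      default = {};
+      description = ''
+        Hosts to backup
+      '';
+      type = lib.types.attrsOf (lib.types.submodule {
+        options = {
+          package = lib.mkOption {
+            type = lib.types.package;
+            default = pkgs.openldap;
+            description = ''
+              Openldap package for this host
+            '';
+          };
+          url = lib.mkOption {
+            type = lib.types.str;
+            description = ''
+              Host to connect to
+            '';
+          };
+          base = lib.mkOption {
+            type = lib.types.str;
+            description = ''
+              Base DN to replicate
+            '';
+          };
+          dn = lib.mkOption {
+            type = lib.types.str;
+            description = ''
+              DN to use
+            '';
+          };
+          password = lib.mkOption {
+            type = lib.types.str;
+            description = ''
+              Password to use
+            '';
+          };
+        };
+      });
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users.openldap = {
+      description = "Openldap database user";
+      group = "openldap";
+      uid = config.ids.uids.openldap;
+      extraGroups = [ "keys" ];
+    };
+    users.groups.openldap.gid = config.ids.gids.openldap;
+
+    secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [
+      (lib.nameValuePair "openldap_replication/${name}/replication_config" {
+        user = "openldap";
+        group = "openldap";
+        permissions = "0400";
+        text = ''
+          syncrepl rid=000
+            provider=${hcfg.url}
+            type=refreshAndPersist
+            searchbase="${hcfg.base}"
+            retry="5 10 300 +"
+            attrs="*,+"
+            schemachecking=off
+            bindmethod=simple
+            binddn="${hcfg.dn}"
+            credentials="${hcfg.password}"
+        '';
+      })
+      (lib.nameValuePair "openldap_replication/${name}/replication_password" {
+        user = "openldap";
+        group = "openldap";
+        permissions = "0400";
+        text = hcfg.password;
+      })
+    ]) cfg.hosts));
+
+    services.cron = {
+      enable = true;
+      systemCronJobs = lib.flatten (lib.mapAttrsToList (name: hcfg:
+        let
+          dataDir = "${cfg.base}/${name}/openldap";
+          backupDir = "${cfg.base}/${name}/openldap_backup";
+          backup_script = pkgs.writeScript "backup_openldap_${name}" ''
+            #!${pkgs.stdenv.shell}
+
+            ${hcfg.package}/bin/slapcat -b "${hcfg.base}" -f ${ldapConfig hcfg name} -l ${backupDir}/$(${pkgs.coreutils}/bin/date -Iminutes).ldif
+          '';
+          u = pkgs.callPackage ./utils.nix {};
+          cleanup_script = pkgs.writeScript "cleanup_openldap_${name}" (u.exponentialDumps "ldif" backupDir);
+        in [
+          "0 22,4,10,16 * * * root ${backup_script}"
+          "0 3 * * * root ${cleanup_script}"
+        ]) cfg.hosts);
+    };
+
+    system.activationScripts = lib.attrsets.mapAttrs' (name: hcfg:
+      lib.attrsets.nameValuePair "openldap_replication_${name}" {
+        deps = [ "users" "groups" ];
+        text = ''
+          install -m 0700 -o openldap -g openldap -d ${cfg.base}/${name}/openldap
+          install -m 0700 -o openldap -g openldap -d ${cfg.base}/${name}/openldap_backup
+        '';
+      }) cfg.hosts;
+
+    systemd.services = lib.attrsets.mapAttrs' (name: hcfg:
+      let
+        dataDir = "${cfg.base}/${name}/openldap";
+      in
+      lib.attrsets.nameValuePair "openldap_backup_${name}" {
+        description = "Openldap replication for ${name}";
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
+        unitConfig.RequiresMountsFor = dataDir;
+
+        preStart = ''
+          mkdir -p /run/slapd_${name}
+          chown -R "openldap:openldap" /run/slapd_${name}
+        '';
+
+        serviceConfig = {
+          ExecStart = "${hcfg.package}/libexec/slapd -d 0 -u openldap -g openldap -f ${ldapConfig hcfg name}";
+        };
+      }) cfg.hosts;
+  };
+}
+
+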
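Review bot: The syncrepl stanza written into the `replication_config` secret binds with `bindmethod=simple` and a cleartext `credentials=` but sets neither `starttls=critical` nor any TLS requirement, and the `url` option is an unconstrained `lib.types.str`, so a host configured with an `ldap://` URL would send the bind password and the whole replicated directory (`attrs="*,+"`, which includes password attributes) unencrypted over the network. Either constrain the option or add an assertion inside the `config` block, e.g. `assertions = lib.mapAttrsToList (name: hcfg: { assertion = lib.hasPrefix "ldaps://" hcfg.url; message = "openldap replication ${name}: url must use ldaps://"; }) cfg.hosts;`, and say in the `url` description which schemes are accepted. Separately, the `openldap_replication/${name}/replication_password` secret is generated but nothing in this file references it, so it only adds one more place where the password is written to disk; drop it or document which consumer reads it. Whether `hcfg.password` (a plain `str` passed through module options) stays out of the world-readable Nix store depends on how the `secrets.keys` module materialises `text`, which is not visible here and worth confirming.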