Diffstat (limited to 'modules/private/databases/openldap')
-rw-r--r-- | modules/private/databases/openldap/default.nix | 147 | ||||
-rw-r--r-- | modules/private/databases/openldap/eldiron_schemas.nix | 21 | ||||
-rw-r--r-- | modules/private/databases/openldap/immae.schema | 179 |
3 files changed, 0 insertions, 347 deletions
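--- a/modules/private/databases/openldap/default.nix
+++ /dev/null
@@ -1,147 +0,0 @@
-{ lib, pkgs, config, ... }:
-let
-cfg = config.myServices.databases.openldap;
-ldapConfig = let
-eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {};
-in ''
-${eldiron_schemas}
-
-pidfile ${cfg.pids.pid}
-argsfile ${cfg.pids.args}
-
-moduleload back_hdb
-backend hdb
-
-TLSCertificateFile ${config.security.acme.certs.ldap.directory}/cert.pem
-TLSCertificateKeyFile ${config.security.acme.certs.ldap.directory}/key.pem
-TLSCACertificateFile ${config.security.acme.certs.ldap.directory}/fullchain.pem
-TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
-#This makes openldap crash
-#TLSCipherSuite DEFAULT
-
-sasl-host kerberos.immae.eu
-'';
-in
-{
-options.myServices.databases = {
-openldap = {
-enable = lib.mkOption {
-default = false;
-example = true;
-description = "Whether to enable ldap";
-type = lib.types.bool;
-};
-baseDn = lib.mkOption {
-type = lib.types.str;
-description = ''
-Base DN for LDAP
-'';
-};
-rootDn = lib.mkOption {
-type = lib.types.str;
-description = ''
-Root DN
-'';
-};
-rootPw = lib.mkOption {
-type = lib.types.str;
-description = ''
-Root (Hashed) password
-'';
-};
-accessFile = lib.mkOption {
-type = lib.types.path;
-description = ''
-The file path that defines the access
-'';
-};
-dataDir = lib.mkOption {
-type = lib.types.path;
-default = "/var/lib/openldap";
-description = ''
-The directory where Openldap stores its data.
-'';
-};
-socketsDir = lib.mkOption {
-type = lib.types.path;
-default = "/run/slapd";
-description = ''
-The directory where Openldap puts sockets and pid files.
-'';
-};
-# Output variables
-pids = lib.mkOption {
-type = lib.types.attrsOf lib.types.path;
-default = {
-pid = "${cfg.socketsDir}/slapd.pid";
-args = "${cfg.socketsDir}/slapd.args";
-};
-readOnly = true;
-description = ''
-Slapd pid files
-'';
-};
-};
-};
-
-config = lib.mkIf cfg.enable {
-secrets.keys = {
-"ldap/password" = {
-permissions = "0400";
-user = "openldap";
-group = "openldap";
-text = "rootpw ${cfg.rootPw}";
-};
-"ldap/access" = {
-permissions = "0400";
-user = "openldap";
-group = "openldap";
-text = builtins.readFile cfg.accessFile;
-};
-"ldap" = {
-permissions = "0500";
-user = "openldap";
-group = "openldap";
-isDir = true;
-};
-};
-users.users.openldap.extraGroups = [ "keys" ];
-networking.firewall.allowedTCPPorts = [ 636 389 ];
-
-security.acme.certs."ldap" = config.myServices.databasesCerts // {
-user = "openldap";
-group = "openldap";
-domain = "ldap.immae.eu";
-postRun = ''
-systemctl restart openldap.service
-'';
-};
-
-services.filesWatcher.openldap = {
-restart = true;
-paths = [ config.secrets.fullPaths."ldap" ];
-};
-
-services.openldap = {
-enable = true;
-dataDir = cfg.dataDir;
-urlList = [ "ldap://" "ldaps://" ];
-logLevel = "none";
-extraConfig = ldapConfig;
-extraDatabaseConfig = ''
-moduleload memberof
-overlay memberof
-
-moduleload syncprov
-overlay syncprov
-syncprov-checkpoint 100 10
-
-include ${config.secrets.fullPaths."ldap/access"}
-'';
-rootpwFile = config.secrets.fullPaths."ldap/password";
-suffix = cfg.baseDn;
-rootdn = cfg.rootDn;
-database = "hdb";
-};
-};
-}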
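--- a/modules/private/databases/openldap/eldiron_schemas.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ fetchurl, openldap }:
-let
-kerberosSchema = fetchurl {
-url = "https://raw.githubusercontent.com/krb5/krb5/0bdd3b8058ed4ec9acc050e316bea86f6830b15f/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
-sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
-};
-puppetSchema = fetchurl {
-url = "https://raw.githubusercontent.com/puppetlabs/puppet/bf7c108825ffdb5ea89cf3e500d55d27ab64b8d2/ext/ldap/puppet.schema";
-sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
-};
-schemas = [
-#"${openldap}/etc/schema/core.schema"
-#"${openldap}/etc/schema/cosine.schema"
-#"${openldap}/etc/schema/inetorgperson.schema"
-#"${openldap}/etc/schema/nis.schema"
-puppetSchema
-kerberosSchema
-./immae.schema
-];
-in
-builtins.concatStringsSep "\n" (map (v: "include ${v}") schemas)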
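--- a/modules/private/databases/openldap/immae.schema
+++ /dev/null
@@ -1,179 +0,0 @@
-# vim: set filetype=slapd:
-objectIdentifier Immaeroot 1.3.6.1.4.1.50071
-
-objectIdentifier Immae Immaeroot:2
-objectIdentifier ImmaeattributeType Immae:3
-objectIdentifier ImmaeobjectClass Immae:4
-
-# TT-RSS
-attributetype ( ImmaeattributeType:1 NAME 'immaeTtrssLogin'
-DESC 'login for TTRSS'
-EQUALITY caseIgnoreMatch
-SUBSTR caseIgnoreSubstringsMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-objectclass ( ImmaeobjectClass:1 NAME 'immaeTtrssClass'
-DESC 'Expansion of the existing object classes for ttrss'
-SUP top AUXILIARY
-MUST ( immaeTtrssLogin ) )
-
-# FTP
-attributetype ( ImmaeattributeType:2 NAME 'immaeFtpDirectory'
-DESC 'home directory for ftp'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( ImmaeattributeType:3 NAME 'immaeFtpUid'
-DESC 'user id for ftp'
-EQUALITY integerMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
-attributetype ( ImmaeattributeType:4 NAME 'immaeFtpGid'
-DESC 'group id for ftp'
-EQUALITY integerMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
-objectclass ( ImmaeobjectClass:2 NAME 'immaeFtpClass'
-DESC 'Expansion of the existing object classes for ftp'
-SUP top AUXILIARY
-MUST ( immaeFtpDirectory $ immaeFtpGid $ immaeFtpUid ) )
-
-
-# SSH keys
-attributetype ( ImmaeattributeType:5 NAME 'immaeSshKey'
-DESC 'OpenSSH Public key'
-EQUALITY octetStringMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-
-objectClass ( ImmaeobjectClass:3 NAME 'immaeSshClass'
-DESC 'OpenSSH class'
-SUP top AUXILIARY
-MAy ( immaeSSHKey ) )
-
-# Specific access
-attributetype (ImmaeattributeType:6 NAME 'immaeAccessDn'
-EQUALITY distinguishedNameMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
-attributetype (ImmaeattributeType:17 NAME 'immaeAccessWriteDn'
-EQUALITY distinguishedNameMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
-attributetype (ImmaeattributeType:18 NAME 'immaeAccessReadSubtree'
-EQUALITY distinguishedNameMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
-objectClass ( ImmaeobjectClass:4 NAME 'immaeAccessClass'
-DESC 'Access class'
-SUP top AUXILIARY
-MAY ( immaeAccessDn $ immaeAccessWriteDn $ immaeAccessReadSubtree ) )
-
-# Xmpp uid
-attributetype ( ImmaeattributeType:7 NAME 'immaeXmppUid'
-DESC 'user part for Xmpp'
-EQUALITY caseIgnoreMatch
-SUBSTR caseIgnoreSubstringsMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-objectclass ( ImmaeobjectClass:5 NAME 'immaeXmppClass'
-DESC 'Expansion of the existing object classes for XMPP'
-SUP top AUXILIARY
-MUST ( immaeXmppUid ) )
-
-# Postfix accounts
-attributetype ( ImmaeattributeType:8 NAME 'immaePostfixAddress'
-DESC 'the dovecot address to match as username'
-EQUALITY caseIgnoreIA5Match
-SUBSTR caseIgnoreIA5SubstringsMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-
-attributetype ( ImmaeattributeType:9 NAME 'immaePostfixHome'
-DESC 'the postfix home directory'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
-attributetype ( ImmaeattributeType:10 NAME 'immaePostfixMail'
-DESC 'the dovecot mail location'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
-attributetype ( ImmaeattributeType:11 NAME 'immaePostfixUid'
-DESC 'the dovecot uid'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
-attributetype ( ImmaeattributeType:12 NAME 'immaePostfixGid'
-DESC 'the dovecot gid'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
-objectclass ( ImmaeobjectClass:6 NAME 'immaePostfixClass'
-DESC 'Expansion of the existing object classes for Postfix'
-SUP top AUXILIARY
-MUST ( immaePostfixAddress $ immaePostfixHome $
-immaePostfixMail $ immaePostfixUid $ immaePostfixGid )
-)
-
-# Tinc informations
-# Domaine = une classe a part ou une partie du dn ?
-# attributetype ( ImmaeattributeType:13 NAME 'immaeTincIpSegment'
-# DESC 'the internal ip segment in tinc'
-# EQUALITY caseIgnoreIA5Match
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-#
-# attributetype ( ImmaeattributeType:14 NAME 'immaeTincSubdomain'
-# DESC 'the host subdomain'
-# EQUALITY caseIgnoreIA5Match
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-#
-# attributetype ( ImmaeattributeType:15 NAME 'immaeTincHostname'
-# DESC 'the host name'
-# EQUALITY caseIgnoreIA5Match
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-#
-# objectclass ( ImmaeobjectClass:7 NAME 'immaeTincHostClass'
-# DESC 'Expansion of the existing object classes for Tinc'
-# SUP top AUXILIARY
-# MUST ( immaeTincInternalIp $ immaeTincSubdomain $
-# immaeTincHostname )
-# )
-
-attributetype (ImmaeattributeType:16 NAME 'immaePuppetJson'
-DESC 'Puppet hiera json'
-EQUALITY octetStringMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-
-objectclass ( ImmaeobjectClass:8 NAME 'immaePuppetClass'
-DESC 'Expansion of the existing object classes for Puppet'
-SUP top AUXILIARY
-MUST ( immaePuppetJson )
-)
-
-attributetype (ImmaeattributeType:19 NAME 'immaeTaskId'
-DESC 'Taskwarrior server Org:Name:Key'
-EQUALITY caseIgnoreMatch
-SUBSTR caseIgnoreSubstringsMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-objectclass ( ImmaeobjectClass:9 NAME 'immaeTaskClass'
-DESC 'Expansion of the existing object classes for Task'
-SUP top AUXILIARY
-MUST ( immaeTaskId )
-)
-
-# Peertube uid
-attributetype ( ImmaeattributeType:20 NAME 'immaePeertubeId'
-DESC 'login for Peertube'
-EQUALITY caseIgnoreMatch
-SUBSTR caseIgnoreSubstringsMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-objectclass ( ImmaeobjectClass:10 NAME 'immaePeertubeClass'
-DESC 'Expansion of the existing object classes for peertube'
-SUP top AUXILIARY
-MUST ( immaePeertubeId ) )
-
-
-# Last:
-# attributetype ( ImmaeattributeType:20 NAME 'immaePeertubeId'
-# objectclass ( ImmaeobjectClass:10 NAME 'immaePeertubeClass'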