Diffstat (limited to 'nixops')
-rw-r--r-- | nixops/modules/databases/default.nix | 69 | ||||
-rw-r--r-- | nixops/modules/databases/immae.schema | 155 |
2 files changed, 223 insertions, 1 deletions
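diff --git a/nixops/modules/databases/default.nix b/nixops/modules/databases/default.nix
index 1115a29..1940b62 100644
--- a/nixops/modules/databases/default.nix
+++ b/nixops/modules/databases/default.nix
@@ -30,6 +30,15 @@ in {
 type = lib.types.bool;
 };
 };
+
+ldap = {
+enable = lib.mkOption {
+default = cfg.enable;
+example = true;
+description = "Whether to enable ldap";
+type = lib.types.bool;
+};
+};
 };
 
 config = lib.mkIf cfg.enable {
@@ -55,7 +64,7 @@ in {
 });
 };
 
-networking.firewall.allowedTCPPorts = [ 3306 5432 ];
+networking.firewall.allowedTCPPorts = [ 3306 5432 636 389 ];
 
 # for adminer, ssl is implemented with mysqli only, which is
 # currently disabled because it’s not compatible with pam.
@@ -94,6 +103,16 @@ in {
 '';
 };
 
+security.acme.certs."ldap" = config.services.myCertificates.certConfig // {
+user = "openldap";
+group = "openldap";
+plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+domain = "ldap.immae.eu";
+postRun = ''
+systemctl restart openldap.service
+'';
+};
+
 system.activationScripts.postgresql = ''
 install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
 '';
@@ -202,5 +221,53 @@ in {
 mkdir -p $(dirname ${myconfig.env.databases.redis.socket})
 chown redis $(dirname ${myconfig.env.databases.redis.socket})
 '';
+
+services.openldap = let
+kerberosSchema = pkgs.fetchurl {
+url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
+sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
+};
+puppetSchema = pkgs.fetchurl {
+url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
+sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
+};
+in {
+enable = config.services.myDatabases.ldap.enable;
+dataDir = "/var/lib/openldap";
+urlList = [ "ldap://" "ldaps://" ];
+extraConfig = ''
+include ${pkgs.openldap}/etc/schema/core.schema
+include ${pkgs.openldap}/etc/schema/cosine.schema
+include ${pkgs.openldap}/etc/schema/inetorgperson.schema
+include ${pkgs.openldap}/etc/schema/nis.schema
+include ${puppetSchema}
+include ${kerberosSchema}
+include ${./immae.schema}
+
+pidfile /run/slapd/slapd.pid
+argsfile /run/slapd/slapd.args
+
+moduleload back_hdb
+backend hdb
+
+moduleload memberof
+database hdb
+suffix "${myconfig.env.ldap.base}"
+rootdn "${myconfig.env.ldap.root_dn}"
+rootpw ${myconfig.env.ldap.root_pw}
+directory /var/lib/openldap
+overlay memberof
+
+TLSCertificateFile /var/lib/acme/ldap/cert.pem
+TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
+TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem
+TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
+#This makes openldap crash
+#TLSCipherSuite DEFAULT
+
+sasl-host kerberos.immae.eu
+${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}
+'';
+};
 };
 }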
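Review bot: The LDAP root password is interpolated in cleartext into `extraConfig` (`rootpw ${myconfig.env.ldap.root_pw}`), and the whole of `${myconfig.privateFiles}/ldap.conf` is inlined the same way via `builtins.readFile`; if the NixOS openldap module renders `extraConfig` into a file under /nix/store, as I believe modules of this generation do, both become world-readable on the host and land in any binary cache the build is pushed to. Store a hash instead, `rootpw {SSHA}...` as produced by `slappasswd`, and pull the private part in with an `include /etc/ldap/private.conf` pointing at a 0600 file deployed outside the store rather than reading it into the expression. The firewall hunk also opens 389 while `urlList` serves plain `ldap://`, and no `security` directive is visible, so simple binds including the rootdn can be accepted in cleartext unless ldap.conf adds one; `security ssf=128 simple_bind=128` forces TLS before credentials are sent. No `access to` ACL is visible either, and if ldap.conf does not supply any, slapd's built-in default grants anonymous read to every attribute, userPassword included, to anyone the firewall now lets in.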
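diff --git a/nixops/modules/databases/immae.schema b/nixops/modules/databases/immae.schema
new file mode 100644
index 0000000..f0e12bc
--- /dev/null
+++ b/nixops/modules/databases/immae.schema
@@ -0,0 +1,155 @@
+# vim: set filetype=slapd:
+objectIdentifier Immaeroot 1.3.6.1.4.1.50071
+
+objectIdentifier Immae Immaeroot:2
+objectIdentifier ImmaeattributeType Immae:3
+objectIdentifier ImmaeobjectClass Immae:4
+
+# TT-RSS
+attributetype ( ImmaeattributeType:1 NAME 'immaeTtrssLogin'
+DESC 'login for TTRSS'
+EQUALITY caseIgnoreMatch
+SUBSTR caseIgnoreSubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+objectclass ( ImmaeobjectClass:1 NAME 'immaeTtrssClass'
+DESC 'Expansion of the existing object classes for ttrss'
+SUP top AUXILIARY
+MUST ( immaeTtrssLogin ) )
+
+# FTP
+attributetype ( ImmaeattributeType:2 NAME 'immaeFtpDirectory'
+DESC 'home directory for ftp'
+EQUALITY caseExactIA5Match
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( ImmaeattributeType:3 NAME 'immaeFtpUid'
+DESC 'user id for ftp'
+EQUALITY integerMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+attributetype ( ImmaeattributeType:4 NAME 'immaeFtpGid'
+DESC 'group id for ftp'
+EQUALITY integerMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+objectclass ( ImmaeobjectClass:2 NAME 'immaeFtpClass'
+DESC 'Expansion of the existing object classes for ftp'
+SUP top AUXILIARY
+MUST ( immaeFtpDirectory $ immaeFtpGid $ immaeFtpUid ) )
+
+
+# SSH keys
+attributetype ( ImmaeattributeType:5 NAME 'immaeSshKey'
+DESC 'OpenSSH Public key'
+EQUALITY octetStringMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+objectClass ( ImmaeobjectClass:3 NAME 'immaeSshClass'
+DESC 'OpenSSH class'
+SUP top AUXILIARY
+MAy ( immaeSSHKey ) )
+
+# Specific access
+attributetype (ImmaeattributeType:6 NAME 'immaeAccessDn'
+EQUALITY distinguishedNameMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+attributetype (ImmaeattributeType:17 NAME 'immaeAccessWriteDn'
+EQUALITY distinguishedNameMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+attributetype (ImmaeattributeType:18 NAME 'immaeAccessReadSubtree'
+EQUALITY distinguishedNameMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+objectClass ( ImmaeobjectClass:4 NAME 'immaeAccessClass'
+DESC 'Access class'
+SUP top AUXILIARY
+MAY ( immaeAccessDn $ immaeAccessWriteDn $ immaeAccessReadSubtree ) )
+
+# Xmpp uid
+attributetype ( ImmaeattributeType:7 NAME 'immaeXmppUid'
+DESC 'user part for Xmpp'
+EQUALITY caseIgnoreMatch
+SUBSTR caseIgnoreSubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+objectclass ( ImmaeobjectClass:5 NAME 'immaeXmppClass'
+DESC 'Expansion of the existing object classes for XMPP'
+SUP top AUXILIARY
+MUST ( immaeXmppUid ) )
+
+# Postfix accounts
+attributetype ( ImmaeattributeType:8 NAME 'immaePostfixAddress'
+DESC 'the dovecot address to match as username'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+
+attributetype ( ImmaeattributeType:9 NAME 'immaePostfixHome'
+DESC 'the postfix home directory'
+EQUALITY caseExactIA5Match
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( ImmaeattributeType:10 NAME 'immaePostfixMail'
+DESC 'the dovecot mail location'
+EQUALITY caseExactIA5Match
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( ImmaeattributeType:11 NAME 'immaePostfixUid'
+DESC 'the dovecot uid'
+EQUALITY caseExactIA5Match
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( ImmaeattributeType:12 NAME 'immaePostfixGid'
+DESC 'the dovecot gid'
+EQUALITY caseExactIA5Match
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+objectclass ( ImmaeobjectClass:6 NAME 'immaePostfixClass'
+DESC 'Expansion of the existing object classes for Postfix'
+SUP top AUXILIARY
+MUST ( immaePostfixAddress $ immaePostfixHome $
+immaePostfixMail $ immaePostfixUid $ immaePostfixGid )
+)
+
+# Tinc informations
+# Domaine = une classe a part ou une partie du dn ?
+# attributetype ( ImmaeattributeType:13 NAME 'immaeTincIpSegment'
+# DESC 'the internal ip segment in tinc'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+#
+# attributetype ( ImmaeattributeType:14 NAME 'immaeTincSubdomain'
+# DESC 'the host subdomain'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+#
+# attributetype ( ImmaeattributeType:15 NAME 'immaeTincHostname'
+# DESC 'the host name'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+#
+# objectclass ( ImmaeobjectClass:7 NAME 'immaeTincHostClass'
+# DESC 'Expansion of the existing object classes for Tinc'
+# SUP top AUXILIARY
+# MUST ( immaeTincInternalIp $ immaeTincSubdomain $
+# immaeTincHostname )
+# )
+
+attributetype (ImmaeattributeType:16 NAME 'immaePuppetJson'
+DESC 'Puppet hiera json'
+EQUALITY octetStringMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+objectclass ( ImmaeobjectClass:8 NAME 'immaePuppetClass'
+DESC 'Expansion of the existing object classes for Puppet'
+SUP top AUXILIARY
+MUST ( immaePuppetJson )
+)
+
+# Last:
+# attributetype (ImmaeattributeType:18 NAME 'immaeAccessReadSubtree'
+# objectclass ( ImmaeobjectClass:8 NAME 'immaePuppetClass'
+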
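Review bot: The `immaeSshClass` definition reads `MAy ( immaeSSHKey ) )` while the attribute it references is declared a few lines above as `immaeSshKey`; slapd's schema parser is, as far as I know, case-insensitive for both the keyword and the attribute name so this loads, but the mismatch misleads the next reader and any tooling that greps for the name, so write it as `MAY ( immaeSshKey ) )`. The three attributes under "Specific access" (`immaeAccessDn`, `immaeAccessWriteDn`, `immaeAccessReadSubtree`) carry no DESC; their names suggest they are consumed by slapd ACLs, in which case who is allowed to set them is a trust boundary worth stating, e.g. `DESC 'DN granted access to this entry; presumably an ACL input, so writable by admins only'` on each. `immaePostfixUid` and `immaePostfixGid` are declared as IA5 strings with `caseExactIA5Match`, whereas `immaeFtpUid`/`immaeFtpGid` use the INTEGER syntax `1.3.6.1.4.1.1466.115.121.1.27` with `integerMatch`; using INTEGER for both lets the server reject non-numeric uid/gid values instead of handing them to dovecot. The commented-out `immaeTincHostClass` lists `immaeTincInternalIp` in its MUST clause, but the attribute defined above it is `immaeTincIpSegment`, so uncommenting the block as-is would fail to load.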