diff options
Diffstat (limited to 'systems/eldiron/databases/openldap')
-rw-r--r-- | systems/eldiron/databases/openldap/default.nix | 304 |
1 files changed, 304 insertions, 0 deletions
diff --git a/systems/eldiron/databases/openldap/default.nix b/systems/eldiron/databases/openldap/default.nix new file mode 100644 index 0000000..7cd15da --- /dev/null +++ b/systems/eldiron/databases/openldap/default.nix | |||
@@ -0,0 +1,304 @@ | |||
1 | { lib, pkgs, config, openldap, ... }: | ||
2 | let | ||
3 | cfg = config.myServices.databases.openldap; | ||
4 | in | ||
5 | { | ||
6 | options.myServices.databases = { | ||
7 | openldap = { | ||
8 | enable = lib.mkOption { | ||
9 | default = false; | ||
10 | example = true; | ||
11 | description = "Whether to enable ldap"; | ||
12 | type = lib.types.bool; | ||
13 | }; | ||
14 | baseDn = lib.mkOption { | ||
15 | type = lib.types.str; | ||
16 | description = '' | ||
17 | Base DN for LDAP | ||
18 | ''; | ||
19 | }; | ||
20 | rootDn = lib.mkOption { | ||
21 | type = lib.types.str; | ||
22 | description = '' | ||
23 | Root DN | ||
24 | ''; | ||
25 | }; | ||
26 | rootPw = lib.mkOption { | ||
27 | type = lib.types.str; | ||
28 | description = '' | ||
29 | Root (Hashed) password | ||
30 | ''; | ||
31 | }; | ||
32 | accessFile = lib.mkOption { | ||
33 | type = lib.types.path; | ||
34 | description = '' | ||
35 | The file path that defines the access | ||
36 | ''; | ||
37 | }; | ||
38 | dataDir = lib.mkOption { | ||
39 | type = lib.types.path; | ||
40 | default = "/var/lib/openldap/mdb"; | ||
41 | description = '' | ||
42 | The directory where Openldap stores its data. | ||
43 | ''; | ||
44 | }; | ||
45 | socketsDir = lib.mkOption { | ||
46 | type = lib.types.path; | ||
47 | default = "/run/openldap"; | ||
48 | description = '' | ||
49 | The directory where Openldap puts sockets and pid files. | ||
50 | ''; | ||
51 | }; | ||
52 | # Output variables | ||
53 | pids = lib.mkOption { | ||
54 | type = lib.types.attrsOf lib.types.path; | ||
55 | default = { | ||
56 | pid = "${cfg.socketsDir}/slapd.pid"; | ||
57 | args = "${cfg.socketsDir}/slapd.args"; | ||
58 | }; | ||
59 | readOnly = true; | ||
60 | description = '' | ||
61 | Slapd pid files | ||
62 | ''; | ||
63 | }; | ||
64 | }; | ||
65 | }; | ||
66 | |||
67 | config = lib.mkIf cfg.enable { | ||
68 | myServices.dns.zones."immae.eu".subdomains.ldap = | ||
69 | with config.myServices.dns.helpers; ips servers.eldiron.ips.main; | ||
70 | |||
71 | nixpkgs.overlays = [ | ||
72 | (self: super: { | ||
73 | openldap_libressl_cyrus = (self.openldap.override { | ||
74 | openssl = self.libressl; | ||
75 | cyrus_sasl = self.cyrus_sasl.overrideAttrs (old: { | ||
76 | configureFlags = old.configureFlags ++ [ "--with-configdir=/etc/sasl2" ]; | ||
77 | }); | ||
78 | }).overrideAttrs (old: { | ||
79 | configureFlags = old.configureFlags ++ [ "--with-cyrus-sasl" "--enable-spasswd" ]; | ||
80 | }); | ||
81 | }) | ||
82 | ]; | ||
83 | |||
84 | secrets.keys = { | ||
85 | "ldap/password" = { | ||
86 | permissions = "0400"; | ||
87 | user = "openldap"; | ||
88 | group = "openldap"; | ||
89 | text = "${cfg.rootPw}"; | ||
90 | }; | ||
91 | "ldap/access" = { | ||
92 | permissions = "0400"; | ||
93 | user = "openldap"; | ||
94 | group = "openldap"; | ||
95 | text = builtins.readFile cfg.accessFile; | ||
96 | }; | ||
97 | "ldap" = { | ||
98 | permissions = "0500"; | ||
99 | user = "openldap"; | ||
100 | group = "openldap"; | ||
101 | isDir = true; | ||
102 | }; | ||
103 | }; | ||
104 | users.users.openldap.extraGroups = [ "keys" ]; | ||
105 | networking.firewall.allowedTCPPorts = [ 636 389 ]; | ||
106 | |||
107 | security.acme.certs."ldap" = { | ||
108 | group = "openldap"; | ||
109 | domain = "ldap.immae.eu"; | ||
110 | postRun = '' | ||
111 | systemctl restart openldap.service | ||
112 | ''; | ||
113 | }; | ||
114 | |||
115 | services.filesWatcher.openldap = { | ||
116 | restart = true; | ||
117 | paths = [ config.secrets.fullPaths."ldap" ]; | ||
118 | }; | ||
119 | |||
120 | services.openldap = { | ||
121 | enable = true; | ||
122 | urlList = [ "ldap://" "ldaps://" ]; | ||
123 | package = pkgs.openldap_libressl_cyrus; | ||
124 | settings = { | ||
125 | attrs = { | ||
126 | olcPidFile = cfg.pids.pid; | ||
127 | olcArgsFile = cfg.pids.args; | ||
128 | olcLogLevel = "none"; | ||
129 | olcTLSCertificateFile = "${config.security.acme.certs.ldap.directory}/cert.pem"; | ||
130 | olcTLSCertificateKeyFile = "${config.security.acme.certs.ldap.directory}/key.pem"; | ||
131 | olcTLSCACertificateFile = "${config.security.acme.certs.ldap.directory}/fullchain.pem"; | ||
132 | olcTLSCACertificatePath = "${pkgs.cacert.unbundled}/etc/ssl/certs/"; | ||
133 | # This makes openldap crash | ||
134 | # olcTLSCipherSuite = "DEFAULT"; | ||
135 | #olcSaslHost = "kerberos.immae.eu"; | ||
136 | # Map sasl "dn" to ldap dn | ||
137 | #olcAuthzRegexp = ''{0}"uid=([^,]*)(,cn=IMMAE.EU)?,cn=(gssapi|gss-spnego),cn=auth" "uid=$1,ou=users,dc=immae,dc=eu"''; | ||
138 | }; | ||
139 | children = { | ||
140 | "cn=module{0}" = { | ||
141 | attrs = { | ||
142 | cn = "module{0}"; | ||
143 | objectClass = [ "olcModuleList" ]; | ||
144 | olcModuleLoad = [ "{0}back_mdb" "{1}memberof" "{2}syncprov" ]; | ||
145 | }; | ||
146 | }; | ||
147 | "cn=schema".includes = map (schema: | ||
148 | "${config.services.openldap.package}/etc/schema/${schema}.ldif" | ||
149 | ) [ "core" "cosine" "inetorgperson" "nis" ] ++ [ | ||
150 | "${openldap.immae-ldif}" | ||
151 | ]; | ||
152 | "olcDatabase={0}config" = { | ||
153 | attrs = { | ||
154 | objectClass = "olcDatabaseConfig"; | ||
155 | olcDatabase = "{0}config"; | ||
156 | olcAccess = ["{0}to * by * none"]; | ||
157 | }; | ||
158 | }; | ||
159 | "olcDatabase={1}mdb" = { | ||
160 | attrs = { | ||
161 | objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; | ||
162 | olcDatabase = "{1}mdb"; | ||
163 | olcDbIndex = [ | ||
164 | "objectClass eq" | ||
165 | "uid pres,eq" | ||
166 | "mail pres,eq,sub" | ||
167 | "cn pres,eq,sub" | ||
168 | "sn pres,eq,sub" | ||
169 | "dc eq" | ||
170 | "member eq" | ||
171 | "memberOf eq" | ||
172 | ]; | ||
173 | olcAccess = let | ||
174 | join = builtins.replaceStrings ["\n"] [" "]; | ||
175 | in [ | ||
176 | # First matching "to" + "by" wins | ||
177 | #### Replication needs full access | ||
178 | (join ''{0}to * | ||
179 | by dn.base="uid=ldap_replication,cn=ldap,ou=services,dc=immae,dc=eu" read | ||
180 | by * break | ||
181 | '') | ||
182 | #### Prevent modification of SASL passwords | ||
183 | (join ''{1}to attrs=userPassword val.regex="^.SASL..+" | ||
184 | by self read | ||
185 | by anonymous auth | ||
186 | by * none | ||
187 | '') | ||
188 | #### Oneself needs access to users password | ||
189 | (join ''{2}to attrs=userPassword,shadowLastChange | ||
190 | by self write | ||
191 | by anonymous auth | ||
192 | by * none | ||
193 | '') | ||
194 | #### Should be write, but disabled during migration to psql | ||
195 | (join ''{3}to attrs=immaeSshKey | ||
196 | by self read | ||
197 | by * break | ||
198 | '') | ||
199 | |||
200 | #### Anyone can auth, and I can see myself | ||
201 | (join ''{4}to * | ||
202 | by self read | ||
203 | by anonymous auth | ||
204 | by * break | ||
205 | '') | ||
206 | |||
207 | #### Specific access for phpldapadmin | ||
208 | (join ''{5}to filter="(uid=*)" attrs=entry,uid | ||
209 | by dn.base="cn=phpldapadmin,ou=services,dc=immae,dc=eu" read | ||
210 | by * break | ||
211 | '') | ||
212 | |||
213 | #### Hosts | ||
214 | # The attributes are available to every host | ||
215 | (join ''{6}to dn.one="ou=hosts,dc=immae,dc=eu" | ||
216 | by dn.subtree="ou=hosts,dc=immae,dc=eu" read | ||
217 | by dn.base="dc=immae,dc=eu" search | ||
218 | by * break | ||
219 | '') | ||
220 | #### /Hosts | ||
221 | |||
222 | #### Local services | ||
223 | # this/-* & user : all your ancestors have access to you | ||
224 | # this/memberOf/-* & user : all those whom you belong to (in a group), | ||
225 | # and their ancestors, have access to you | ||
226 | # user/immaeAccessWriteDn*/member & this : you have write access to the | ||
227 | # members of your immaeAccessDn | ||
228 | # attributes | ||
229 | # user/immaeAccessDn*/member & this : you have access to the members | ||
230 | # of your immaeAccessDn attributes | ||
231 | # user/immaeAccessReadSubtree* & this/-* : you have access to the | ||
232 | # childrens of your immaeAccessReadSubtree | ||
233 | # attributes | ||
234 | # this/memberOf/-* & user/immaeAccessReadSubtree*: you have access to | ||
235 | # the members of the childrens of your | ||
236 | # immaeAccessReadSubtree attributes | ||
237 | # http://www.openldap.org/faq/data/cache/1133.html | ||
238 | (join ''{7}to dn.subtree="dc=immae,dc=eu" | ||
239 | by dn.subtree="ou=external_services,dc=immae,dc=eu" break | ||
240 | by set.exact="this/-* & user" read | ||
241 | by set.exact="this/memberOf/-* & user" read | ||
242 | by set.exact="user/immaeAccessWriteDn*/member & this" write | ||
243 | by set.exact="user/immaeAccessDn*/member & this" read | ||
244 | by set.exact="user/immaeAccessReadSubtree* & this/-*" read | ||
245 | by set.exact="this/memberOf/-* & user/immaeAccessReadSubtree*" read | ||
246 | by users search | ||
247 | by * break | ||
248 | '') | ||
249 | #### /Local services | ||
250 | |||
251 | #### External services | ||
252 | # http://www.openldap.org/faq/data/cache/429.html | ||
253 | # FIXME: Find a way to whitelist? | ||
254 | (join ''{8}to attrs=immaeSshKey | ||
255 | by dn.subtree="ou=external_services,dc=immae,dc=eu" none | ||
256 | '') | ||
257 | (join ''{9}to dn.subtree="dc=immae,dc=eu" | ||
258 | by set.exact="this/-* & user" read | ||
259 | by set.exact="this/memberOf/-* & user" read | ||
260 | by set.exact="user/immaeAccessDn*/member & this/-*" read | ||
261 | by users search | ||
262 | by * none | ||
263 | '') | ||
264 | #### /External services | ||
265 | ]; | ||
266 | olcDbDirectory = cfg.dataDir; | ||
267 | olcRootDN = cfg.rootDn; | ||
268 | olcRootPW.path = config.secrets.fullPaths."ldap/password"; | ||
269 | olcSuffix = cfg.baseDn; | ||
270 | }; | ||
271 | children = { | ||
272 | "olcOverlay={0}memberof" = { | ||
273 | attrs = { | ||
274 | objectClass = [ "olcOverlayConfig" "olcMemberOf" ]; | ||
275 | olcOverlay = "{0}memberof"; | ||
276 | }; | ||
277 | }; | ||
278 | "olcOverlay={1}syncprov" = { | ||
279 | attrs = { | ||
280 | objectClass = [ "olcOverlayConfig" "olcSyncProvConfig" ]; | ||
281 | olcOverlay = "{1}syncprov"; | ||
282 | olcSpCheckpoint = "100 10"; | ||
283 | }; | ||
284 | }; | ||
285 | }; | ||
286 | }; | ||
287 | }; | ||
288 | }; | ||
289 | }; | ||
290 | myServices.monitoring.fromMasterActivatedPlugins = [ "tcp" ]; | ||
291 | myServices.monitoring.fromMasterObjects.service = [ | ||
292 | { | ||
293 | service_description = "ldap SSL is up to date"; | ||
294 | host_name = config.hostEnv.fqdn; | ||
295 | use = "external-service"; | ||
296 | check_command = ["check_tcp_ssl" "636"]; | ||
297 | |||
298 | servicegroups = "webstatus-ssl"; | ||
299 | _webstatus_name = "LDAP"; | ||
300 | _webstatus_url = "ldap.immae.eu"; | ||
301 | } | ||
302 | ]; | ||
303 | }; | ||
304 | } | ||