From 1a64deeb894dc95e2645a75771732c6cc53a79ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Wed, 4 Oct 2023 01:35:06 +0200 Subject: Squash changes containing private information There were a lot of changes since the previous commit, but a lot of them contained personal information about users. All those changes got stashed into a single commit (history is kept in a different place) and private information was moved in a separate private repository --- modules/private/databases/openldap/default.nix | 147 ----------------- .../private/databases/openldap/eldiron_schemas.nix | 21 --- modules/private/databases/openldap/immae.schema | 179 --------------------- 3 files changed, 347 deletions(-) delete mode 100644 modules/private/databases/openldap/default.nix delete mode 100644 modules/private/databases/openldap/eldiron_schemas.nix delete mode 100644 modules/private/databases/openldap/immae.schema (limited to 'modules/private/databases/openldap') diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix deleted file mode 100644 index d35aca0..0000000 --- a/modules/private/databases/openldap/default.nix +++ /dev/null 
@@ -1,147 +0,0 @@
-{ lib, pkgs, config, ... }:
-let
- cfg = config.myServices.databases.openldap;
- ldapConfig = let
- eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {};
- in ''
- ${eldiron_schemas}
-
- pidfile ${cfg.pids.pid}
- argsfile ${cfg.pids.args}
-
- moduleload back_hdb
- backend hdb
-
- TLSCertificateFile ${config.security.acme.certs.ldap.directory}/cert.pem
- TLSCertificateKeyFile ${config.security.acme.certs.ldap.directory}/key.pem
- TLSCACertificateFile ${config.security.acme.certs.ldap.directory}/fullchain.pem
- TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
- #This makes openldap crash
- #TLSCipherSuite DEFAULT
-
- sasl-host kerberos.immae.eu
- '';
-in
-{
- options.myServices.databases = {
- openldap = {
- enable = lib.mkOption {
- default = false;
- example = true;
- description = "Whether to enable ldap";
- type = lib.types.bool;
- };
- baseDn = lib.mkOption {
- type = lib.types.str;
- description = ''
- Base DN for LDAP
- '';
- };
- rootDn = lib.mkOption {
- type = lib.types.str;
- description = ''
- Root DN
- '';
- };
- rootPw = lib.mkOption {
- type = lib.types.str;
- description = ''
- Root (Hashed) password
- '';
- };
- accessFile = lib.mkOption {
- type = lib.types.path;
- description = ''
- The file path that defines the access
- '';
- };
- dataDir = lib.mkOption {
- type = lib.types.path;
- default = "/var/lib/openldap";
- description = ''
- The directory where Openldap stores its data.
- '';
- };
- socketsDir = lib.mkOption {
- type = lib.types.path;
- default = "/run/slapd";
- description = ''
- The directory where Openldap puts sockets and pid files.
- '';
- };
- # Output variables
- pids = lib.mkOption {
- type = lib.types.attrsOf lib.types.path;
- default = {
- pid = "${cfg.socketsDir}/slapd.pid";
- args = "${cfg.socketsDir}/slapd.args";
- };
- readOnly = true;
- description = ''
- Slapd pid files
- '';
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- secrets.keys = {
- "ldap/password" = {
- permissions = "0400";
- user = "openldap";
- group = "openldap";
- text = "rootpw ${cfg.rootPw}";
- };
- "ldap/access" = {
- permissions = "0400";
- user = "openldap";
- group = "openldap";
- text = builtins.readFile cfg.accessFile;
- };
- "ldap" = {
- permissions = "0500";
- user = "openldap";
- group = "openldap";
- isDir = true;
- };
- };
- users.users.openldap.extraGroups = [ "keys" ];
- networking.firewall.allowedTCPPorts = [ 636 389 ];
-
- security.acme.certs."ldap" = config.myServices.databasesCerts // {
- user = "openldap";
- group = "openldap";
- domain = "ldap.immae.eu";
- postRun = ''
- systemctl restart openldap.service
- '';
- };
-
- services.filesWatcher.openldap = {
- restart = true;
- paths = [ config.secrets.fullPaths."ldap" ];
- };
-
- services.openldap = {
- enable = true;
- dataDir = cfg.dataDir;
- urlList = [ "ldap://" "ldaps://" ];
- logLevel = "none";
- extraConfig = ldapConfig;
- extraDatabaseConfig = ''
- moduleload memberof
- overlay memberof
-
- moduleload syncprov
- overlay syncprov
- syncprov-checkpoint 100 10
-
- include ${config.secrets.fullPaths."ldap/access"}
- '';
- rootpwFile = config.secrets.fullPaths."ldap/password";
- suffix = cfg.baseDn;
- rootdn = cfg.rootDn;
- database = "hdb";
- };
- };
-}
diff --git a/modules/private/databases/openldap/eldiron_schemas.nix b/modules/private/databases/openldap/eldiron_schemas.nix
deleted file mode 100644
index cf45ebe..0000000
--- a/modules/private/databases/openldap/eldiron_schemas.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ fetchurl, openldap }:
-let
- kerberosSchema = fetchurl {
- url = "https://raw.githubusercontent.com/krb5/krb5/0bdd3b8058ed4ec9acc050e316bea86f6830b15f/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
- sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
- };
- puppetSchema = fetchurl {
- url = "https://raw.githubusercontent.com/puppetlabs/puppet/bf7c108825ffdb5ea89cf3e500d55d27ab64b8d2/ext/ldap/puppet.schema";
- sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
- };
- schemas = [
- #"${openldap}/etc/schema/core.schema"
- #"${openldap}/etc/schema/cosine.schema"
- #"${openldap}/etc/schema/inetorgperson.schema"
- #"${openldap}/etc/schema/nis.schema"
- puppetSchema
- kerberosSchema
- ./immae.schema
- ];
-in
- builtins.concatStringsSep "\n" (map (v: "include ${v}") schemas)
diff --git a/modules/private/databases/openldap/immae.schema b/modules/private/databases/openldap/immae.schema
deleted file mode 100644
index d2ef972..0000000
--- a/modules/private/databases/openldap/immae.schema
+++ /dev/null
@@ -1,179 +0,0 @@
-# vim: set filetype=slapd:
-objectIdentifier Immaeroot 1.3.6.1.4.1.50071
-
-objectIdentifier Immae Immaeroot:2
-objectIdentifier ImmaeattributeType Immae:3
-objectIdentifier ImmaeobjectClass Immae:4
-
-# TT-RSS
-attributetype ( ImmaeattributeType:1 NAME 'immaeTtrssLogin'
- DESC 'login for TTRSS'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-objectclass ( ImmaeobjectClass:1 NAME 'immaeTtrssClass'
- DESC 'Expansion of the existing object classes for ttrss'
- SUP top AUXILIARY
- MUST ( immaeTtrssLogin ) )
-
-# FTP
-attributetype ( ImmaeattributeType:2 NAME 'immaeFtpDirectory'
- DESC 'home directory for ftp'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( ImmaeattributeType:3 NAME 'immaeFtpUid'
- DESC 'user id for ftp'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
-attributetype ( ImmaeattributeType:4 NAME 'immaeFtpGid'
- DESC 'group id for ftp'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
-objectclass ( ImmaeobjectClass:2 NAME 'immaeFtpClass'
- DESC 'Expansion of the existing object classes for ftp'
- SUP top AUXILIARY
- MUST ( immaeFtpDirectory $ immaeFtpGid $ immaeFtpUid ) )
-
-
-# SSH keys
-attributetype ( ImmaeattributeType:5 NAME 'immaeSshKey'
- DESC 'OpenSSH Public key'
- EQUALITY octetStringMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-
-objectClass ( ImmaeobjectClass:3 NAME 'immaeSshClass'
- DESC 'OpenSSH class'
- SUP top AUXILIARY
- MAy ( immaeSSHKey ) )
-
-# Specific access
-attributetype (ImmaeattributeType:6 NAME 'immaeAccessDn'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
-attributetype (ImmaeattributeType:17 NAME 'immaeAccessWriteDn'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
-attributetype (ImmaeattributeType:18 NAME 'immaeAccessReadSubtree'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
-objectClass ( ImmaeobjectClass:4 NAME 'immaeAccessClass'
- DESC 'Access class'
- SUP top AUXILIARY
- MAY ( immaeAccessDn $ immaeAccessWriteDn $ immaeAccessReadSubtree ) )
-
-# Xmpp uid
-attributetype ( ImmaeattributeType:7 NAME 'immaeXmppUid'
- DESC 'user part for Xmpp'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-objectclass ( ImmaeobjectClass:5 NAME 'immaeXmppClass'
- DESC 'Expansion of the existing object classes for XMPP'
- SUP top AUXILIARY
- MUST ( immaeXmppUid ) )
-
-# Postfix accounts
-attributetype ( ImmaeattributeType:8 NAME 'immaePostfixAddress'
- DESC 'the dovecot address to match as username'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-
-attributetype ( ImmaeattributeType:9 NAME 'immaePostfixHome'
- DESC 'the postfix home directory'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
-attributetype ( ImmaeattributeType:10 NAME 'immaePostfixMail'
- DESC 'the dovecot mail location'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
-attributetype ( ImmaeattributeType:11 NAME 'immaePostfixUid'
- DESC 'the dovecot uid'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
-attributetype ( ImmaeattributeType:12 NAME 'immaePostfixGid'
- DESC 'the dovecot gid'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
-objectclass ( ImmaeobjectClass:6 NAME 'immaePostfixClass'
- DESC 'Expansion of the existing object classes for Postfix'
- SUP top AUXILIARY
- MUST ( immaePostfixAddress $ immaePostfixHome $
- immaePostfixMail $ immaePostfixUid $ immaePostfixGid )
- )
-
-# Tinc informations
-# Domaine = une classe a part ou une partie du dn ?
-# attributetype ( ImmaeattributeType:13 NAME 'immaeTincIpSegment'
-# DESC 'the internal ip segment in tinc'
-# EQUALITY caseIgnoreIA5Match
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-#
-# attributetype ( ImmaeattributeType:14 NAME 'immaeTincSubdomain'
-# DESC 'the host subdomain'
-# EQUALITY caseIgnoreIA5Match
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-#
-# attributetype ( ImmaeattributeType:15 NAME 'immaeTincHostname'
-# DESC 'the host name'
-# EQUALITY caseIgnoreIA5Match
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-#
-# objectclass ( ImmaeobjectClass:7 NAME 'immaeTincHostClass'
-# DESC 'Expansion of the existing object classes for Tinc'
-# SUP top AUXILIARY
-# MUST ( immaeTincInternalIp $ immaeTincSubdomain $
-# immaeTincHostname )
-# )
-
-attributetype (ImmaeattributeType:16 NAME 'immaePuppetJson'
- DESC 'Puppet hiera json'
- EQUALITY octetStringMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-
-objectclass ( ImmaeobjectClass:8 NAME 'immaePuppetClass'
- DESC 'Expansion of the existing object classes for Puppet'
- SUP top AUXILIARY
- MUST ( immaePuppetJson )
- )
-
-attributetype (ImmaeattributeType:19 NAME 'immaeTaskId'
- DESC 'Taskwarrior server Org:Name:Key'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-objectclass ( ImmaeobjectClass:9 NAME 'immaeTaskClass'
- DESC 'Expansion of the existing object classes for Task'
- SUP top AUXILIARY
- MUST ( immaeTaskId )
- )
-
-# Peertube uid
-attributetype ( ImmaeattributeType:20 NAME 'immaePeertubeId'
- DESC 'login for Peertube'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-objectclass ( ImmaeobjectClass:10 NAME 'immaePeertubeClass'
- DESC 'Expansion of the existing object classes for peertube'
- SUP top AUXILIARY
- MUST ( immaePeertubeId ) )
-
-
-# Last:
-# attributetype ( ImmaeattributeType:20 NAME 'immaePeertubeId'
-# objectclass ( ImmaeobjectClass:10 NAME 'immaePeertubeClass'
-- 