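# Configures an OpenLDAP instance for TVL
#
# The directory is fully declarative: the database is rebuilt from the
# LDIF below (plus one entry per element of `depot.ops.users`) and is not
# meant to be edited at runtime.
#
# TODO(tazjin): Configure ldaps://
#   Until that is done, simple binds carry credentials to the server in
#   cleartext, so clients should only bind over a trusted network path.
{ depot, lib, pkgs, ... }:

with depot.nix.yants;

let
  # Shape of one element of `depot.ops.users`, type-checked by yants.
  #
  # NOTE(review): `password` must already be a password *hash* (the server
  # loads `pw-argon2` below, so `{ARGON2}...` values work). Everything
  # interpolated into the LDIF ends up in the world-readable Nix store via
  # declarativeContents, so a cleartext value here would be visible to
  # every local user of the host.
  user = struct {
    username = string;
    email = string;
    password = string;
    displayName = option string;
  };

  # Renders one user as an LDIF entry below ou=users.
  #
  # Values are interpolated verbatim: no LDIF escaping is applied, so a
  # field containing a newline, or starting with ':', '<' or a space, or a
  # username containing ',' (it becomes part of the DN) would corrupt or
  # split the entry. This is acceptable only because the input is
  # repository-controlled, not user-supplied at runtime.
  toLdif = defun [ user string ] (u: ''
    dn: cn=${u.username},ou=users,dc=tvl,dc=fyi
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    sn: ${u.username}
    cn: ${u.username}
    displayName: ${u.displayName or u.username}
    mail: ${u.email}
    userPassword: ${u.password}
  '');

  inherit (depot.ops) users;

in {
  # Use our patched OpenLDAP derivation which enables stronger password hashing.
  #
  # Unfortunately the module for OpenLDAP has no package option, so we
  # need to override it system-wide. Be aware that this triggers a
  # *large* number of rebuilds of packages such as GPG and Python.
  nixpkgs.overlays = [
    (_: _: {
      inherit (depot.third_party) openldap;
    })
  ];

  services.openldap = {
    enable = true;

    settings.children = {
      # The single data backend holding dc=tvl,dc=fyi.
      "olcDatabase={1}mdb".attrs = {
        objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
        olcDatabase = "{1}mdb";
        olcDbDirectory = "/var/lib/openldap";
        olcSuffix = "dc=tvl,dc=fyi";
        # Access control. Password hashes are only ever needed for bind
        # (auth) checks, so nobody -- anonymous or authenticated -- may
        # read them; previously a single `to * by * read` rule let any
        # client dump every user's hash. Everything else stays readable
        # by anyone who can reach the server, as before. The rootDN is
        # not subject to these rules. The {n} prefixes fix rule order.
        olcAccess = [
          "{0}to attrs=userPassword by anonymous auth by * none"
          "{1}to * by * read"
        ];
        olcRootDN = "cn=admin,dc=tvl,dc=fyi";
        # Argon2id hash of the admin password; verifying it requires the
        # pw-argon2 module loaded below.
        olcRootPW = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$OfcgkOQ96VQ3aJj7NfA9vQ$oS6HQOkYl/bUYg4SejpltQYy7kvqx/RUxvoR4zo1vXU";
      };

      # Password-hashing module so `{ARGON2}` values in userPassword and
      # olcRootPW can be verified.
      "cn=module{0}".attrs = {
        objectClass = "olcModuleList";
        olcModuleLoad = "pw-argon2";
      };

      # Schemas needed for the object classes used in the LDIF below
      # (inetOrgPerson, organizationalUnit, ...), taken from the patched
      # openldap package.
      "cn=schema".includes =
        map (schema: "${depot.third_party.openldap}/etc/schema/${schema}.ldif")
            [ "core" "cosine" "inetorgperson" "nis" ];
    };

    # Contents are immutable at runtime, and adding user accounts etc.
    # is done statically in the LDIF-formatted contents in this folder.
    declarativeContents."dc=tvl,dc=fyi" = ''
      dn: dc=tvl,dc=fyi
      dc: tvl
      o: TVL LDAP server
      description: Root entry for tvl.fyi
      objectClass: top
      objectClass: dcObject
      objectClass: organization

      dn: ou=users,dc=tvl,dc=fyi
      ou: users
      description: All users in TVL
      objectClass: top
      objectClass: organizationalUnit

      dn: ou=groups,dc=tvl,dc=fyi
      ou: groups
      description: All groups in TVL
      objectClass: top
      objectClass: organizationalUnit

      ${lib.concatStringsSep "\n" (map toLdif users)}
    '';
  };
}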