authorVincent Ambo <mail@tazj.in>2020-06-17T02·48+0100
committertazjin <mail@tazj.in>2020-06-17T03·03+0000
commit27db1fc86b30fd159935633b367c713d20f8c3c8 (patch)
treecc41edde1a480a0ce47e779ca6501f81324cc139
parentb27239b60a5babcdb71999e9c6a5da68231549a8 (diff)
refactor(tvl-slapd): Move user definitions into Nix code r/1007
Implements a function that generates the LDIF record for each user and
templates it into the configuration.

This is slightly more user-friendly and less error-prone (people kept
getting the DNs wrong) than editing the contents manually.

Change-Id: Ic419d2ef464f9a94be5d54b666f7d53134b53eed
Reviewed-on: https://cl.tvl.fyi/c/depot/+/447
Reviewed-by: riking <rikingcoding@gmail.com>
-rw-r--r--ops/nixos/tvl-slapd/contents.ldif119
-rw-r--r--ops/nixos/tvl-slapd/default.nix113
2 files changed, 107 insertions, 125 deletions
diff --git a/ops/nixos/tvl-slapd/contents.ldif b/ops/nixos/tvl-slapd/contents.ldif
deleted file mode 100644
index 5c715efb9fa3..000000000000
--- a/ops/nixos/tvl-slapd/contents.ldif
+++ /dev/null
@@ -1,119 +0,0 @@
-dn: dc=tvl,dc=fyi
-dc: tvl
-o: TVL LDAP server
-description: Root entry for tvl.fyi
-objectClass: top
-objectClass: dcObject
-objectClass: organization
-
-dn: ou=users,dc=tvl,dc=fyi
-ou: users
-description: All users in TVL
-objectClass: top
-objectClass: organizationalUnit
-
-dn: ou=groups,dc=tvl,dc=fyi
-ou: groups
-description: All groups in TVL
-objectClass: top
-objectClass: organizationalUnit
-
-# Users in tvl.fyi
-dn: cn=cynthia,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: cynthia
-sn: Cynthia
-title: cynthia
-mail: cynthia@tvl.fyi
-userPassword: {SSHA}aHx2keEnXv6u6oiV2xxqfXdxjom/K8CP
-
-dn: cn=edef,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: edef
-sn: edef
-title: edef
-mail: edef@edef.eu
-userPassword: {SSHA}7w2XC6xxuhlUX2KvBpK4fD/X7ZCpfN/E
-
-dn: cn=eta,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: eta
-sn: eta
-title: eta
-mail: eta@theta.eu.org
-userPassword: {SSHA}sOR5xzi7Lfv376XGQA8Hf6jyhTvo0XYc
-
-dn: cn=glittershark,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: glittershark
-sn: glittershark
-title: glittershark
-mail: grfn@gws.fyi
-userPassword: {SSHA}i7PSAsXwJT3jjmmvU77aar/tU/YPDCEO
-
-dn: cn=isomer,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: isomer
-sn: isomer
-title: isomer
-mail: isomer@tvl.fyi
-userPassword: {SSHA}OhWQkPJgH1rRJqYIaMUbbKC4iLEzvCev
-
-dn: cn=lukegb,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: lukegb
-sn: lukegb
-title: lukegb
-mail: lukegb@tvl.fyi
-userPassword: {SSHA}7a85VNhpFElFw+N5xcjgGmt4HnBsaGp4
-
-dn: cn=nyanotech,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: nyanotech
-sn: nyanotech
-title: nyanotech
-mail: nyanotechnology@gmail.com
-userPassword: {SSHA}NIJ2RCRb1+Q4Bs63cyE91VZyiN47DG6y
-
-dn: cn=q3k,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: q3k
-sn: q3k
-title: q3k
-mail: q3k@q3k.org
-userPassword: {SSHA}BEccJdtnhVLDzOn+pxNfayNi3QFcEABE
-
-dn: cn=ericvolp12,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: ericvolp12
-sn: ericvolp12
-title: ericvolp12
-mail: ericvolp12@gmail.com
-userPassword: {SSHA}pSepaQ+/5KBLfJtRR5rfxGU8goAsXgvk
-
-dn: cn=riking,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: riking
-sn: Kane York
-title: riking
-mail: rikingcoding@gmail.com
-userPassword: {SSHA}6rPxMOofHMGNTEYdyBOYbza7NT/RmiGz
-
-dn: cn=tazjin,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: tazjin
-sn: tazjin
-title: tazjin
-mail: mail@tazj.in
-userPassword: {SSHA}67H341jRfAFBDz/R9+T3fHQiPfjwTbpQ
diff --git a/ops/nixos/tvl-slapd/default.nix b/ops/nixos/tvl-slapd/default.nix
index 294a6636d719..33e47179f3f1 100644
--- a/ops/nixos/tvl-slapd/default.nix
+++ b/ops/nixos/tvl-slapd/default.nix
@@ -1,9 +1,88 @@
 # Configures an OpenLDAP instance for TVL
 #
 # TODO(tazjin): Configure ldaps://
-{ pkgs, config, ... }:
+{ config, lib, pkgs, ... }:
 
-{
+with config.depot.nix.yants;
+
+let
+  user = struct {
+    username = string;
+    email = string;
+    password = string;
+    displayName = option string;
+  };
+
+  toLdif = defun [ user string ] (u: ''
+    dn: cn=${u.username},ou=users,dc=tvl,dc=fyi
+    objectClass: organizationalPerson
+    objectClass: inetOrgPerson
+    sn: ${u.username}
+    cn: ${u.username}
+    displayName: ${u.displayName or u.username}
+    mail: ${u.email}
+    userPassword: ${u.password}
+  '');
+
+  users = [
+    {
+      username = "cynthia";
+      email = "cynthia@tvl.fyi";
+      password = "{SSHA}aHx2keEnXv6u6oiV2xxqfXdxjom/K8CP";
+    }
+    {
+      username = "edef";
+      email = "edef@edef.eu";
+      password = "{SSHA}7w2XC6xxuhlUX2KvBpK4fD/X7ZCpfN/E";
+    }
+    {
+      username = "eta";
+      email = "eta@theta.eu.org";
+      password = "{SSHA}sOR5xzi7Lfv376XGQA8Hf6jyhTvo0XYc";
+    }
+    {
+      username = "glittershark";
+      email = "grfn@gws.fyi";
+      password = "{SSHA}i7PSAsXwJT3jjmmvU77aar/tU/YPDCEO";
+    }
+    {
+      username = "isomer";
+      email = "isomer@tvl.fyi";
+      password = "{SSHA}OhWQkPJgH1rRJqYIaMUbbKC4iLEzvCev";
+    }
+    {
+      username = "lukegb";
+      email = "lukegb@tvl.fyi";
+      password = "{SSHA}7a85VNhpFElFw+N5xcjgGmt4HnBsaGp4";
+    }
+    {
+      username = "nyanotech";
+      email = "nyanotechnology@gmail.com";
+      password = "{SSHA}NIJ2RCRb1+Q4Bs63cyE91VZyiN47DG6y";
+    }
+    {
+      username = "q3k";
+      email = "q3k@q3k.org";
+      password = "{SSHA}BEccJdtnhVLDzOn+pxNfayNi3QFcEABE";
+    }
+    {
+      username = "ericvolp12";
+      email = "ericvolp12@gmail.com";
+      password = "{SSHA}pSepaQ+/5KBLfJtRR5rfxGU8goAsXgvk";
+    }
+    {
+      username = "riking";
+      displayName = "Kane York";
+      email = "rikingcoding@gmail.com";
+      password = "{SSHA}6rPxMOofHMGNTEYdyBOYbza7NT/RmiGz";
+    }
+    {
+      username = "tazjin";
+      email = "mail@tazj.in";
+      password = "{SSHA}67H341jRfAFBDz/R9+T3fHQiPfjwTbpQ";
+    }
+  ];
+in {
   services.openldap = {
     enable = true;
     dataDir = "/var/lib/openldap";
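Review bot: `toLdif` splices `u.username`, `u.email` and `u.password` into the DN and attribute lines without any escaping, and the yants `user` struct only checks that the fields are strings, so a username containing `,`, `+`, `=` or a newline would yield a different DN or extra LDIF attributes instead of an evaluation error. As the commit message notes the hand-maintained list was already error-prone, a content check that fails the build seems worth the one line: `toLdif = defun [ user string ] (u: assert builtins.match "[A-Za-z0-9_-]+" u.username != null; ''`. A similar check that `password` starts with a `{scheme}` prefix would catch a raw password being pasted in, which OpenLDAP would otherwise keep as cleartext in the directory. Whether yants in this depot offers a restricted string type for this is not visible here, so the plain `assert` is the conservative suggestion.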
@@ -11,10 +90,6 @@
     rootdn = "cn=admin,dc=tvl,dc=fyi";
     rootpw = "{SSHA}yEEO6Ol2W3ritdiJzPSsjOtyPGxWF2JW";
 
-    # Contents are immutable at runtime, and adding user accounts etc.
-    # is done statically in the LDIF-formatted contents in this folder.
-    declarativeContents = builtins.readFile ./contents.ldif;
-
     # ACL configuration
     extraDatabaseConfig = ''
       # Allow users to change their own password
@@ -26,5 +101,31 @@
       # Allow default read access to other directory elements
       access to * by * read
     '';
+
+    # Contents are immutable at runtime, and adding user accounts etc.
+    # is done statically in the LDIF-formatted contents in this folder.
+    declarativeContents = ''
+      dn: dc=tvl,dc=fyi
+      dc: tvl
+      o: TVL LDAP server
+      description: Root entry for tvl.fyi
+      objectClass: top
+      objectClass: dcObject
+      objectClass: organization
+
+      dn: ou=users,dc=tvl,dc=fyi
+      ou: users
+      description: All users in TVL
+      objectClass: top
+      objectClass: organizationalUnit
+
+      dn: ou=groups,dc=tvl,dc=fyi
+      ou: groups
+      description: All groups in TVL
+      objectClass: top
+      objectClass: organizationalUnit
+
+      ${lib.concatStringsSep "\n" (map toLdif users)}
+    '';
   };
 }
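Review bot: The comment re-added above `declarativeContents` (`# Contents are immutable at runtime, and adding user accounts etc.` / `# is done statically in the LDIF-formatted contents in this folder.`) is stale after this change: `contents.ldif` is deleted in this commit and accounts are now added to the `users` list in the `let` block at the top of this file. Suggest `# Contents are immutable at runtime; accounts are added to the 'users' list at the top of this file, which is rendered to LDIF here.` The generated records also no longer carry the `title` attribute the old file had, and `sn` is now always the username where the old file had `Kane York` and `Cynthia`; if any consumer reads those attributes, that is worth a line in the commit message.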