diff options
| author | Vincent Ambo <tazjin@google.com> | 2020-06-08T00·08+0100 |
|---|---|---|
| committer | Vincent Ambo <tazjin@google.com> | 2020-06-11T21·13+0000 |
| commit | 740b4b37fcfbe3d212c67ea855a8c3d3a0a2197b (patch) | |
| tree | b9d098657a94b5109d434324702eee9fe92ae3fd | |
| parent | afe0841e9d696d3ac8ff447909c416c48ba90836 (diff) | |
feat(ops/nixos/modules): Add TVL slapd module r/898
This initialises an OpenLDAP server for tvl.fyi This is the least annoying way to bootstrap Gerrit. Yep.
| -rw-r--r-- | ops/nixos/camden/default.nix | 1 | ||||
| -rw-r--r-- | ops/nixos/modules/tvl-slapd/contents.ldif | 29 | ||||
| -rw-r--r-- | ops/nixos/modules/tvl-slapd/default.nix | 30 |
3 files changed, 60 insertions, 0 deletions
diff --git a/ops/nixos/camden/default.nix b/ops/nixos/camden/default.nix index 5db84ef50e..bed32d2b32 100644 --- a/ops/nixos/camden/default.nix +++ b/ops/nixos/camden/default.nix @@ -10,6 +10,7 @@ in lib.fix(self: { ../modules/depot.nix ../modules/hound.nix ../modules/monorepo-gerrit.nix + ../modules/tvl-slapd/default.nix "${pkgs.nixpkgsSrc}/nixos/modules/services/web-apps/gerrit.nix" ]; depot = depot; diff --git a/ops/nixos/modules/tvl-slapd/contents.ldif b/ops/nixos/modules/tvl-slapd/contents.ldif new file mode 100644 index 0000000000..4f883926f6 --- /dev/null +++ b/ops/nixos/modules/tvl-slapd/contents.ldif @@ -0,0 +1,29 @@ +dn: dc=tvl,dc=fyi +dc: tvl +o: TVL LDAP server +description: Root entry for tvl.fyi +objectClass: top +objectClass: dcObject +objectClass: organization + +dn: ou=users,dc=tvl,dc=fyi +ou: users +description: All users in TVL +objectClass: top +objectClass: organizationalUnit + +dn: ou=groups,dc=tvl,dc=fyi +ou: groups +description: All groups in TVL +objectClass: top +objectClass: organizationalUnit + +# Users in tvl.fyi +dn: cn=tazjin,ou=users,dc=tvl,dc=fyi +objectClass: organizationalPerson +objectClass: inetOrgPerson +cn: tazjin +sn: tazjin +title: tazjin +mail: mail@tazj.in +userPassword: {SSHA}67H341jRfAFBDz/R9+T3fHQiPfjwTbpQ diff --git a/ops/nixos/modules/tvl-slapd/default.nix b/ops/nixos/modules/tvl-slapd/default.nix new file mode 100644 index 0000000000..294a6636d7 --- /dev/null +++ b/ops/nixos/modules/tvl-slapd/default.nix @@ -0,0 +1,30 @@ +# Configures an OpenLDAP instance for TVL +# +# TODO(tazjin): Configure ldaps:// +{ pkgs, config, ... }: + +{ + services.openldap = { + enable = true; + dataDir = "/var/lib/openldap"; + suffix = "dc=tvl,dc=fyi"; + rootdn = "cn=admin,dc=tvl,dc=fyi"; + rootpw = "{SSHA}yEEO6Ol2W3ritdiJzPSsjOtyPGxWF2JW"; + + # Contents are immutable at runtime, and adding user accounts etc. + # is done statically in the LDIF-formatted contents in this folder. + declarativeContents = builtins.readFile ./contents.ldif; + + # ACL configuration + extraDatabaseConfig = '' + # Allow users to change their own password + access to attrs=userPassword + by self write + by anonymous auth + by users none + + # Allow default read access to other directory elements + access to * by * read + ''; + }; +} |