authorVincent Ambo <mail@tazj.in>2021-04-11T20·50+0200
committertazjin <mail@tazj.in>2021-04-11T22·18+0000
commit90281c4eac4cd25045ed80c5f8f27c74898a02b3 (patch)
tree804425642af16b9e299d469ad6e21c6a23a400e9 /ops/modules/tvl-slapd/default.nix
parent7deabb8c8d6f4c7e58e2b16548b8a1895795963b (diff)
refactor(ops): Split //ops/nixos into different locations r/2482
Splits //ops/nixos into:

* //ops/nixos.nix - utility functions for building systems
* //ops/machines - shared machine definitions (read by readTree)
* //ops/modules - shared NixOS modules (skipped by readTree)

This simplifies working with the configuration fixpoint in whitby, and
is overall a bit more in line with how NixOS systems in user folders
currently work.

Change-Id: I1322ec5cc76c0207c099c05d44828a3df0b3ffc1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2931
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: glittershark <grfn@gws.fyi>
Diffstat (limited to 'ops/modules/tvl-slapd/default.nix')
-rw-r--r--ops/modules/tvl-slapd/default.nix89
1 files changed, 89 insertions, 0 deletions
diff --git a/ops/modules/tvl-slapd/default.nix b/ops/modules/tvl-slapd/default.nix
new file mode 100644
index 000000000000..ae99fced7499
--- /dev/null
+++ b/ops/modules/tvl-slapd/default.nix
@@ -0,0 +1,89 @@
+# Configures an OpenLDAP instance for TVL
+#
+# TODO(tazjin): Configure ldaps://
+{ depot, lib, pkgs, ... }:
+
+with depot.nix.yants;
+
+let
+  user = struct {
+    username = string;
+    email = string;
+    password = string;
+    displayName = option string;
+  };
+
+  toLdif = defun [ user string ] (u: ''
+    dn: cn=${u.username},ou=users,dc=tvl,dc=fyi
+    objectClass: organizationalPerson
+    objectClass: inetOrgPerson
+    sn: ${u.username}
+    cn: ${u.username}
+    displayName: ${u.displayName or u.username}
+    mail: ${u.email}
+    userPassword: ${u.password}
+  '');
+
+  inherit (depot.ops) users;
+
+in {
+  # Use our patched OpenLDAP derivation which enables stronger password hashing.
+  #
+  # Unfortunately the module for OpenLDAP has no package option, so we
+  # need to override it system-wide. Be aware that this triggers a
+  # *large* number of rebuilds of packages such as GPG and Python.
+  nixpkgs.overlays = [
+    (_: _: {
+      inherit (depot.third_party) openldap;
+    })
+  ];
+
+  services.openldap = {
+    enable = true;
+    dataDir = "/var/lib/openldap";
+    database = "mdb";
+    suffix = "dc=tvl,dc=fyi";
+    rootdn = "cn=admin,dc=tvl,dc=fyi";
+    rootpw = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$OfcgkOQ96VQ3aJj7NfA9vQ$oS6HQOkYl/bUYg4SejpltQYy7kvqx/RUxvoR4zo1vXU";
+
+    settings.children = {
+      "olcDatabase={1}mdb".attrs = {
+        objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+        olcDatabase = "{1}mdb";
+        olcSuffix = "dc=tvl,dc=fyi";
+        olcAccess = "to *  by * read";
+      };
+
+      "cn=module{0}".attrs = {
+        objectClass = "olcModuleList";
+        olcModuleLoad = "pw-argon2";
+      };
+    };
+
+    # Contents are immutable at runtime, and adding user accounts etc.
+    # is done statically in the LDIF-formatted contents in this folder.
+    declarativeContents."dc=tvl,dc=fyi" = ''
+      dn: dc=tvl,dc=fyi
+      dc: tvl
+      o: TVL LDAP server
+      description: Root entry for tvl.fyi
+      objectClass: top
+      objectClass: dcObject
+      objectClass: organization
+
+      dn: ou=users,dc=tvl,dc=fyi
+      ou: users
+      description: All users in TVL
+      objectClass: top
+      objectClass: organizationalUnit
+
+      dn: ou=groups,dc=tvl,dc=fyi
+      ou: groups
+      description: All groups in TVL
+      objectClass: top
+      objectClass: organizationalUnit
+
+      ${lib.concatStringsSep "\n" (map toLdif users)}
+    '';
+  };
+}
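Review bot: The access rule `olcAccess = "to *  by * read";` on the `{1}mdb` database lets any client, including anonymous binds, read every attribute of every entry, and that includes the `userPassword` values that `toLdif` writes for each user. Even though the stored values are argon2id hashes, exposing them to unauthenticated reads is an unnecessary disclosure, and it matters more while the `TODO(tazjin): Configure ldaps://` item at the top leaves the listener on plain `ldap://`. I would restrict that attribute first and keep the read-all rule as the fallback, e.g. `olcAccess = [ "to attrs=userPassword by self write by anonymous auth by * none" "to * by * read" ];` — the NixOS module appears to accept a list of rule strings for this attribute, but the exact `{n}` ordering syntax it emits should be confirmed against the module. A short comment above the rule noting that `userPassword` is deliberately excluded from anonymous reads would make the intent explicit for the next person editing it.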