author | Vincent Ambo <mail@tazj.in> | 2021-04-11T20·50+0200 |
---|---|---|
committer | tazjin <mail@tazj.in> | 2021-04-11T22·18+0000 |
commit | 90281c4eac4cd25045ed80c5f8f27c74898a02b3 (patch) | |
tree | 804425642af16b9e299d469ad6e21c6a23a400e9 /ops/modules/tvl-slapd | |
parent | 7deabb8c8d6f4c7e58e2b16548b8a1895795963b (diff) |
refactor(ops): Split //ops/nixos into different locations r/2482
Splits //ops/nixos into: * //ops/nixos.nix - utility functions for building systems * //ops/machines - shared machine definitions (read by readTree) * //ops/modules - shared NixOS modules (skipped by readTree) This simplifies working with the configuration fixpoint in whitby, and is overall a bit more in line with how NixOS systems in user folders currently work. Change-Id: I1322ec5cc76c0207c099c05d44828a3df0b3ffc1 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2931 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: glittershark <grfn@gws.fyi>
Diffstat (limited to 'ops/modules/tvl-slapd')
-rw-r--r-- | ops/modules/tvl-slapd/default.nix | 89 |
1 files changed, 89 insertions, 0 deletions
diff --git a/ops/modules/tvl-slapd/default.nix b/ops/modules/tvl-slapd/default.nix
new file mode 100644
index 000000000000..ae99fced7499
--- /dev/null
+++ b/ops/modules/tvl-slapd/default.nix
@@ -0,0 +1,89 @@
+# Configures an OpenLDAP instance for TVL
+#
+# TODO(tazjin): Configure ldaps://
+{ depot, lib, pkgs, ... }:
+
+with depot.nix.yants;
+
+let
+ user = struct {
+ username = string;
+ email = string;
+ password = string;
+ displayName = option string;
+ };
+
+ toLdif = defun [ user string ] (u: ''
+ dn: cn=${u.username},ou=users,dc=tvl,dc=fyi
+ objectClass: organizationalPerson
+ objectClass: inetOrgPerson
+ sn: ${u.username}
+ cn: ${u.username}
+ displayName: ${u.displayName or u.username}
+ mail: ${u.email}
+ userPassword: ${u.password}
+ '');
+
+ inherit (depot.ops) users;
+
+in {
+ # Use our patched OpenLDAP derivation which enables stronger password hashing.
+ #
+ # Unfortunately the module for OpenLDAP has no package option, so we
+ # need to override it system-wide. Be aware that this triggers a
+ # *large* number of rebuilds of packages such as GPG and Python.
+ nixpkgs.overlays = [
+ (_: _: {
+ inherit (depot.third_party) openldap;
+ })
+ ];
+
+ services.openldap = {
+ enable = true;
+ dataDir = "/var/lib/openldap";
+ database = "mdb";
+ suffix = "dc=tvl,dc=fyi";
+ rootdn = "cn=admin,dc=tvl,dc=fyi";
+ rootpw = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$OfcgkOQ96VQ3aJj7NfA9vQ$oS6HQOkYl/bUYg4SejpltQYy7kvqx/RUxvoR4zo1vXU";
+
+ settings.children = {
+ "olcDatabase={1}mdb".attrs = {
+ objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+ olcDatabase = "{1}mdb";
+ olcSuffix = "dc=tvl,dc=fyi";
+ olcAccess = "to * by * read";
+ };
+
+ "cn=module{0}".attrs = {
+ objectClass = "olcModuleList";
+ olcModuleLoad = "pw-argon2";
+ };
+ };
+
+ # Contents are immutable at runtime, and adding user accounts etc.
+ # is done statically in the LDIF-formatted contents in this folder.
+ declarativeContents."dc=tvl,dc=fyi" = ''
+ dn: dc=tvl,dc=fyi
+ dc: tvl
+ o: TVL LDAP server
+ description: Root entry for tvl.fyi
+ objectClass: top
+ objectClass: dcObject
+ objectClass: organization
+
+ dn: ou=users,dc=tvl,dc=fyi
+ ou: users
+ description: All users in TVL
+ objectClass: top
+ objectClass: organizationalUnit
+
+ dn: ou=groups,dc=tvl,dc=fyi
+ ou: groups
+ description: All groups in TVL
+ objectClass: top
+ objectClass: organizationalUnit
+
+ ${lib.concatStringsSep "\n" (map toLdif users)}
+ '';
+ };
+}
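Review bot: `olcAccess = "to * by * read";` in the `olcDatabase={1}mdb` entry grants anonymous read on every attribute, including the `userPassword` values that `toLdif` writes into `ou=users`, so any client that can reach the directory can read the stored password hashes without binding at all. OpenLDAP evaluates access rules in order and stops at the first `to` clause that matches, so a rule restricting `userPassword` to `auth` (bind-only) access has to precede the catch-all, which is what the `{n}` ordering prefixes below enforce; since the contents are declarative and immutable at runtime (as the comment above `declarativeContents` says), no write access on that attribute is needed. The `TODO(tazjin): Configure ldaps://` at the top of the file is worth tracking alongside this, because simple binds over plain `ldap://` send the password in the clear; I would extend that comment to `# TODO(tazjin): Configure ldaps:// — simple binds currently transmit passwords unencrypted`.
```nix
      olcAccess = [
        "{0}to attrs=userPassword by anonymous auth by * none"
        "{1}to * by * read"
      ];
```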