| author | Vincent Ambo <mail@tazj.in> | 2020-06-13T20·52+0100 |
|---|---|---|
| committer | tazjin <mail@tazj.in> | 2020-06-13T23·52+0000 |
| commit | 268729083eb80c93aa402883085c37e32c8a08cf (patch) | |
| tree | 0916bace8073d30976ec752bb9de8c19a06027ae /ops/nixos/tvl-slapd/default.nix | |
| parent | 9658e96a87178e972b656db0acf3219937013b88 (diff) | |
refactor(ops/nixos): Move my NixOS configurations to //users/tazjin r/941
NixOS modules move one level up because it's unlikely that //ops/nixos will contain actual systems at this point (they're user-specific).

This is the first users folder, so it is also added to the root readTree invocation for the repository.

Change-Id: I546c701145fa204b7ba7518a8a56a783588629e0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/244
Reviewed-by: tazjin <mail@tazj.in>
Diffstat (limited to 'ops/nixos/tvl-slapd/default.nix')
-rw-r--r-- | ops/nixos/tvl-slapd/default.nix | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/ops/nixos/tvl-slapd/default.nix b/ops/nixos/tvl-slapd/default.nix new file mode 100644 index 000000000000..294a6636d719 --- /dev/null +++ b/ops/nixos/tvl-slapd/default.nix @@ -0,0 +1,30 @@ +# Configures an OpenLDAP instance for TVL +# +# TODO(tazjin): Configure ldaps:// +{ pkgs, config, ... }: + +{ + services.openldap = { + enable = true; + dataDir = "/var/lib/openldap"; + suffix = "dc=tvl,dc=fyi"; + rootdn = "cn=admin,dc=tvl,dc=fyi"; + rootpw = "{SSHA}yEEO6Ol2W3ritdiJzPSsjOtyPGxWF2JW"; + + # Contents are immutable at runtime, and adding user accounts etc. + # is done statically in the LDIF-formatted contents in this folder. + declarativeContents = builtins.readFile ./contents.ldif; + + # ACL configuration + extraDatabaseConfig = '' + # Allow users to change their own password + access to attrs=userPassword + by self write + by anonymous auth + by users none + + # Allow default read access to other directory elements + access to * by * read + ''; + }; +} |
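Review bot: the `rootpw = "{SSHA}..."` line commits the directory manager's password hash to the repository, and because the value is evaluated into the generated slapd config it also lands in `/nix/store`, which is readable by every local user on the host. `{SSHA}` is a single-iteration salted SHA-1, so anyone with the hash can brute-force it offline at GPU speed; treat the current `cn=admin` password as exposed and rotate it, and keep the replacement out of the Nix expression (a root-only file on the host that the module reads at activation, if the pinned nixpkgs offers a file-based option for `rootpw`; otherwise a secrets mechanism outside the store). Two smaller points in the same hunk: `access to * by * read` lets anonymous clients enumerate every entry and attribute other than `userPassword`, which is rarely intended for a user directory, and `by users read by * none` still leaves `by anonymous auth` on `userPassword` sufficient for simple binds; and the `by self write` password-change path, together with simple binds, sends credentials in cleartext until the `TODO(tazjin): Configure ldaps://` is resolved, so that TODO should block exposing the port beyond localhost.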