author | Vincent Ambo <mail@tazj.in> | 2020-07-01T18·24+0100 |
---|---|---|
committer | tazjin <mail@tazj.in> | 2020-07-01T19·10+0000 |
commit | 5b4ff0c39367c3602254a5b0be0253aff9b36321 (patch) | |
tree | db6b9007b04f32731505c0b3b4e365dc89555ef9 /ops/nixos/tvl-slapd/default.nix | |
parent | d2aaf030bd3c1da388f7f417b517269e106835a1 (diff) |
feat(tvl-slapd): Load Argon2 password module in OpenLDAP r/1149
This makes it possible to use {ARGON2} hashes instead of the current salted SHA hashes, which is a much better idea. Unfortunately the nixpkgs module does not have an option for overriding the package used, so it is overlaid into the system package set - this causes widespread rebuilds. This is fine for us for now, but I have opened a PR upstream to add a package option: https://github.com/NixOS/nixpkgs/pull/91963 Change-Id: Ib4be931d88e74b91566639f8656742cf096f6cc3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/831 Reviewed-by: BuildkiteCI Reviewed-by: isomer <isomer@tvl.fyi> Tested-by: BuildkiteCI
Diffstat (limited to 'ops/nixos/tvl-slapd/default.nix')
-rw-r--r-- | ops/nixos/tvl-slapd/default.nix | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/ops/nixos/tvl-slapd/default.nix b/ops/nixos/tvl-slapd/default.nix
index a85f9019cebe..2c0f2fd5a15e 100644
--- a/ops/nixos/tvl-slapd/default.nix
+++ b/ops/nixos/tvl-slapd/default.nix
@@ -98,6 +98,17 @@ let
     }
   ];
 in {
+  # Use our patched OpenLDAP derivation which enables stronger password hashing.
+  #
+  # Unfortunately the module for OpenLDAP has no package option, so we
+  # need to override it system-wide. Be aware that this triggers a
+  # *large* number of rebuilds of packages such as GPG and Python.
+  nixpkgs.overlays = [
+    (_: _: {
+      inherit (config.depot.third_party) openldap;
+    })
+  ];
+
   services.openldap = {
     enable = true;
     dataDir = "/var/lib/openldap";
@@ -117,6 +128,10 @@ in {
       access to * by * read
     '';
 
+    extraConfig = ''
+      moduleload pw-argon2
+    '';
+
     # Contents are immutable at runtime, and adding user accounts etc.
     # is done statically in the LDIF-formatted contents in this folder.
     declarativeContents = ''
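Review bot: `moduleload pw-argon2` in the new `extraConfig` block only teaches slapd to verify existing `{ARGON2}` values; passwords set through the Password Modify extended operation (ldappasswd and friends) are still hashed with slapd's default scheme unless the global section also says `password-hash {ARGON2}`, so if the goal stated in the commit message is to stop producing salted SHA hashes the block should be `moduleload pw-argon2` followed by `password-hash {ARGON2}`. The directive also assumes the patched derivation installs the module into slapd's default module path; if it does not, a `modulepath` line is needed before the `moduleload`. Both directives must land in the global section of slapd.conf, which is presumably where the NixOS module emits `extraConfig`, but that is inferred from the option name rather than visible in this hunk. The `services.openldap` attribute set continues outside the hunk.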