authorVincent Ambo <mail@tazj.in>2021-04-11T20·50+0200
committertazjin <mail@tazj.in>2021-04-11T22·18+0000
commit90281c4eac4cd25045ed80c5f8f27c74898a02b3 (patch)
tree804425642af16b9e299d469ad6e21c6a23a400e9 /ops/nixos/tvl-slapd
parent7deabb8c8d6f4c7e58e2b16548b8a1895795963b (diff)
refactor(ops): Split //ops/nixos into different locations r/2482
Splits //ops/nixos into:

* //ops/nixos.nix - utility functions for building systems
* //ops/machines - shared machine definitions (read by readTree)
* //ops/modules - shared NixOS modules (skipped by readTree)

This simplifies working with the configuration fixpoint in whitby, and
is overall a bit more in line with how NixOS systems in user folders
currently work.

Change-Id: I1322ec5cc76c0207c099c05d44828a3df0b3ffc1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2931
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: glittershark <grfn@gws.fyi>
Diffstat (limited to 'ops/nixos/tvl-slapd')
-rw-r--r--ops/nixos/tvl-slapd/default.nix89
1 files changed, 0 insertions, 89 deletions
diff --git a/ops/nixos/tvl-slapd/default.nix b/ops/nixos/tvl-slapd/default.nix
deleted file mode 100644
index ae99fced7499..000000000000
--- a/ops/nixos/tvl-slapd/default.nix
+++ /dev/null
@@ -1,89 +0,0 @@
-# Configures an OpenLDAP instance for TVL
-#
-# TODO(tazjin): Configure ldaps://
-{ depot, lib, pkgs, ... }:
-
-with depot.nix.yants;
-
-let
-  user = struct {
-    username = string;
-    email = string;
-    password = string;
-    displayName = option string;
-  };
-
-  toLdif = defun [ user string ] (u: ''
-    dn: cn=${u.username},ou=users,dc=tvl,dc=fyi
-    objectClass: organizationalPerson
-    objectClass: inetOrgPerson
-    sn: ${u.username}
-    cn: ${u.username}
-    displayName: ${u.displayName or u.username}
-    mail: ${u.email}
-    userPassword: ${u.password}
-  '');
-
-  inherit (depot.ops) users;
-
-in {
-  # Use our patched OpenLDAP derivation which enables stronger password hashing.
-  #
-  # Unfortunately the module for OpenLDAP has no package option, so we
-  # need to override it system-wide. Be aware that this triggers a
-  # *large* number of rebuilds of packages such as GPG and Python.
-  nixpkgs.overlays = [
-    (_: _: {
-      inherit (depot.third_party) openldap;
-    })
-  ];
-
-  services.openldap = {
-    enable = true;
-    dataDir = "/var/lib/openldap";
-    database = "mdb";
-    suffix = "dc=tvl,dc=fyi";
-    rootdn = "cn=admin,dc=tvl,dc=fyi";
-    rootpw = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$OfcgkOQ96VQ3aJj7NfA9vQ$oS6HQOkYl/bUYg4SejpltQYy7kvqx/RUxvoR4zo1vXU";
-
-    settings.children = {
-      "olcDatabase={1}mdb".attrs = {
-        objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
-        olcDatabase = "{1}mdb";
-        olcSuffix = "dc=tvl,dc=fyi";
-        olcAccess = "to *  by * read";
-      };
-
-      "cn=module{0}".attrs = {
-        objectClass = "olcModuleList";
-        olcModuleLoad = "pw-argon2";
-      };
-    };
-
-    # Contents are immutable at runtime, and adding user accounts etc.
-    # is done statically in the LDIF-formatted contents in this folder.
-    declarativeContents."dc=tvl,dc=fyi" = ''
-      dn: dc=tvl,dc=fyi
-      dc: tvl
-      o: TVL LDAP server
-      description: Root entry for tvl.fyi
-      objectClass: top
-      objectClass: dcObject
-      objectClass: organization
-
-      dn: ou=users,dc=tvl,dc=fyi
-      ou: users
-      description: All users in TVL
-      objectClass: top
-      objectClass: organizationalUnit
-
-      dn: ou=groups,dc=tvl,dc=fyi
-      ou: groups
-      description: All groups in TVL
-      objectClass: top
-      objectClass: organizationalUnit
-
-      ${lib.concatStringsSep "\n" (map toLdif users)}
-    '';
-  };
-}