authorVincent Ambo <mail@tazj.in>2020-06-13T20·52+0100
committertazjin <mail@tazj.in>2020-06-13T23·52+0000
commit268729083eb80c93aa402883085c37e32c8a08cf (patch)
tree0916bace8073d30976ec752bb9de8c19a06027ae /ops/nixos/tvl-slapd
parent9658e96a87178e972b656db0acf3219937013b88 (diff)
refactor(ops/nixos): Move my NixOS configurations to //users/tazjin r/941
NixOS modules move one level up because it's unlikely that //ops/nixos
will contain actual systems at this point (they're user-specific).

This is the first users folder, so it is also added to the root
readTree invocation for the repository.

Change-Id: I546c701145fa204b7ba7518a8a56a783588629e0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/244
Reviewed-by: tazjin <mail@tazj.in>
Diffstat (limited to 'ops/nixos/tvl-slapd')
-rw-r--r--ops/nixos/tvl-slapd/contents.ldif92
-rw-r--r--ops/nixos/tvl-slapd/default.nix30
-rw-r--r--ops/nixos/tvl-slapd/genpasswd.rb5
3 files changed, 127 insertions, 0 deletions
diff --git a/ops/nixos/tvl-slapd/contents.ldif b/ops/nixos/tvl-slapd/contents.ldif
new file mode 100644
index 000000000000..4ac5bcecdf01
--- /dev/null
+++ b/ops/nixos/tvl-slapd/contents.ldif
@@ -0,0 +1,92 @@
+dn: dc=tvl,dc=fyi
+dc: tvl
+o: TVL LDAP server
+description: Root entry for tvl.fyi
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+
+dn: ou=users,dc=tvl,dc=fyi
+ou: users
+description: All users in TVL
+objectClass: top
+objectClass: organizationalUnit
+
+dn: ou=groups,dc=tvl,dc=fyi
+ou: groups
+description: All groups in TVL
+objectClass: top
+objectClass: organizationalUnit
+
+# Users in tvl.fyi
+dn: cn=edef,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: edef
+sn: edef
+title: edef
+mail: edef@edef.eu
+userPassword: {SSHA}7w2XC6xxuhlUX2KvBpK4fD/X7ZCpfN/E
+
+dn: cn=eta,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: eta
+sn: eta
+title: eta
+mail: eta@theta.eu.org
+userPassword: {SSHA}sOR5xzi7Lfv376XGQA8Hf6jyhTvo0XYc
+
+dn: cn=isomer,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: isomer
+sn: isomer
+title: isomer
+mail: isomer@tvl.fyi
+userPassword: {SSHA}OhWQkPJgH1rRJqYIaMUbbKC4iLEzvCev
+
+dn: cn=lukegb,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: lukegb
+sn: lukegb
+title: lukegb
+mail: lukegb@tvl.fyi
+userPassword: {SSHA}7a85VNhpFElFw+N5xcjgGmt4HnBsaGp4
+
+dn: cn=nyanotech,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: nyanotech
+sn: nyanotech
+title: nyanotech
+mail: nyanotechnology@gmail.com
+userPassword: {SSHA}NIJ2RCRb1+Q4Bs63cyE91VZyiN47DG6y
+
+dn: cn=q3k,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: q3k
+sn: q3k
+title: q3k
+mail: q3k@q3k.org
+userPassword: {SSHA}BEccJdtnhVLDzOn+pxNfayNi3QFcEABE
+
+dn: cn=riking,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: riking
+sn: Kane York
+title: riking
+mail: rikingcoding@gmail.com
+userPassword: {SSHA}6rPxMOofHMGNTEYdyBOYbza7NT/RmiGz
+
+dn: cn=tazjin,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: tazjin
+sn: tazjin
+title: tazjin
+mail: mail@tazj.in
+userPassword: {SSHA}67H341jRfAFBDz/R9+T3fHQiPfjwTbpQ
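Review bot: The eight `userPassword` values in this file are {SSHA} hashes — salted SHA-1 — committed to a repository whose review URL in the trailer above is public, and consumed by `declarativeContents` in default.nix, which also places them in the world-readable Nix store on the host. Salted SHA-1 costs almost nothing per guess offline, so any weak or reused password in this set is effectively disclosed by its hash; slapd's `password-hash` directive (e.g. `password-hash {CRYPT}` together with `password-crypt-salt-format "$6$%.16s"`) would yield SHA-512-crypt hashes for replacements, which then have to be regenerated in this file because the contents are declarative. A comment above `# Users in tvl.fyi` saying how a hash is produced and that changing a password means committing a new hash here would help the next person adding an account. If this hunk is only the relocation of a file that already existed, the point stands for the file at its new path.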
diff --git a/ops/nixos/tvl-slapd/default.nix b/ops/nixos/tvl-slapd/default.nix
new file mode 100644
index 000000000000..294a6636d719
--- /dev/null
+++ b/ops/nixos/tvl-slapd/default.nix
@@ -0,0 +1,30 @@
+# Configures an OpenLDAP instance for TVL
+#
+# TODO(tazjin): Configure ldaps://
+{ pkgs, config, ... }:
+
+{
+  services.openldap = {
+    enable = true;
+    dataDir = "/var/lib/openldap";
+    suffix = "dc=tvl,dc=fyi";
+    rootdn = "cn=admin,dc=tvl,dc=fyi";
+    rootpw = "{SSHA}yEEO6Ol2W3ritdiJzPSsjOtyPGxWF2JW";
+
+    # Contents are immutable at runtime, and adding user accounts etc.
+    # is done statically in the LDIF-formatted contents in this folder.
+    declarativeContents = builtins.readFile ./contents.ldif;
+
+    # ACL configuration
+    extraDatabaseConfig = ''
+      # Allow users to change their own password
+      access to attrs=userPassword
+        by self write
+        by anonymous auth
+        by users none
+
+      # Allow default read access to other directory elements
+      access to * by * read
+    '';
+  };
+}
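Review bot: The ACL comment `# Allow users to change their own password` with `by self write` (lines 150–152) is at odds with the comment two stanzas above that says contents are immutable at runtime: if `declarativeContents` recreates the database from `contents.ldif` on each service start, as the NixOS openldap module of that era did, a self-service password change is silently reverted at the next restart and the committed {SSHA} hash applies again. Either the write grant should go, or the comment should read `# Self-service changes are lost on restart; the hash committed in contents.ldif is authoritative`. Separately, `rootpw` at line 142 is a literal in a Nix expression and therefore lands in the world-readable Nix store alongside the user hashes; the module's `rootpwFile` option, where available, keeps it out of the store. The `by anonymous auth` clause combined with the open `TODO(tazjin): Configure ldaps://` means simple binds travel in cleartext unless the listener is restricted to loopback, which this file does not show.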
diff --git a/ops/nixos/tvl-slapd/genpasswd.rb b/ops/nixos/tvl-slapd/genpasswd.rb
new file mode 100644
index 000000000000..8f6f8d75842e
--- /dev/null
+++ b/ops/nixos/tvl-slapd/genpasswd.rb
@@ -0,0 +1,5 @@
+require 'securerandom'
+
+passwd = SecureRandom.urlsafe_base64(15)
+
+puts "your password: [[#{passwd}]]"
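Review bot: genpasswd.rb has no header explaining its place in the workflow: it prints a random 20-character password (15 bytes from `SecureRandom.urlsafe_base64`, about 120 bits of entropy), but contents.ldif only consumes {SSHA} hashes, so the hashing step and the hand-off of the cleartext to the user happen outside this file. A short header would make that visible, for example `# Generates a random initial password for a new LDAP user.` / `# The cleartext goes to the user; the {SSHA} hash entered in contents.ldif is produced separately (e.g. with slappasswd).` / `# The value is only written to stdout; do not pass it on a command line, where it would land in shell history.` Adding `# frozen_string_literal: true` and a `#!/usr/bin/env ruby` line would also bring the file in line with the usual Ruby conventions.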