about summary refs log tree commit diff
path: root/ops/nixos/tvl-slapd
diff options
context:
space:
mode:
Diffstat (limited to 'ops/nixos/tvl-slapd')
-rw-r--r--ops/nixos/tvl-slapd/default.nix29
1 files changed, 14 insertions, 15 deletions
diff --git a/ops/nixos/tvl-slapd/default.nix b/ops/nixos/tvl-slapd/default.nix
index cb47d8b33eeb..3f3ec6789319 100644
--- a/ops/nixos/tvl-slapd/default.nix
+++ b/ops/nixos/tvl-slapd/default.nix
@@ -164,29 +164,28 @@ in {
   services.openldap = {
     enable = true;
     dataDir = "/var/lib/openldap";
+    database = "mdb";
     suffix = "dc=tvl,dc=fyi";
     rootdn = "cn=admin,dc=tvl,dc=fyi";
     rootpw = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$OfcgkOQ96VQ3aJj7NfA9vQ$oS6HQOkYl/bUYg4SejpltQYy7kvqx/RUxvoR4zo1vXU";
 
-    # ACL configuration
-    extraDatabaseConfig = ''
-      # Allow users to change their own password
-      access to attrs=userPassword
-        by self write
-        by anonymous auth
-        by users none
+    settings.children = {
+      "olcDatabase={1}mdb".attrs = {
+        objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+        olcDatabase = "{1}mdb";
+        olcSuffix = "dc=tvl,dc=fyi";
+        olcAccess = "to *  by * read";
+      };
 
-      # Allow default read access to other directory elements
-      access to * by * read
-    '';
-
-    extraConfig = ''
-      moduleload pw-argon2
-    '';
+      "cn=module{0}".attrs = {
+        objectClass = "olcModuleList";
+        olcModuleLoad = "pw-argon2";
+      };
+    };
 
     # Contents are immutable at runtime, and adding user accounts etc.
     # is done statically in the LDIF-formatted contents in this folder.
-    declarativeContents = ''
+    declarativeContents."dc=tvl,dc=fyi" = ''
       dn: dc=tvl,dc=fyi
       dc: tvl
       o: TVL LDAP server