From 27db1fc86b30fd159935633b367c713d20f8c3c8 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Wed, 17 Jun 2020 03:48:21 +0100
Subject: refactor(tvl-slapd): Move user definitions into Nix code

Implements a function that generates the LDIF record for each user and templates it into the configuration. This is slightly more user-friendly and less error-prone (people kept getting the DNs wrong) than editing the contents manually.

Change-Id: Ic419d2ef464f9a94be5d54b666f7d53134b53eed
Reviewed-on: https://cl.tvl.fyi/c/depot/+/447
Reviewed-by: riking
---
ops/nixos/tvl-slapd/contents.ldif | 119 --------------------------------------
ops/nixos/tvl-slapd/default.nix | 113 ++++++++++++++++++++++++++++++++++--
2 files changed, 107 insertions(+), 125 deletions(-)
delete mode 100644 ops/nixos/tvl-slapd/contents.ldif

diff --git a/ops/nixos/tvl-slapd/contents.ldif b/ops/nixos/tvl-slapd/contents.ldif
deleted file mode 100644
index 5c715efb9f..0000000000
--- a/ops/nixos/tvl-slapd/contents.ldif
+++ /dev/null
@@ -1,119 +0,0 @@
-dn: dc=tvl,dc=fyi
-dc: tvl
-o: TVL LDAP server
-description: Root entry for tvl.fyi
-objectClass: top
-objectClass: dcObject
-objectClass: organization
-
-dn: ou=users,dc=tvl,dc=fyi
-ou: users
-description: All users in TVL
-objectClass: top
-objectClass: organizationalUnit
-
-dn: ou=groups,dc=tvl,dc=fyi
-ou: groups
-description: All groups in TVL
-objectClass: top
-objectClass: organizationalUnit
-
-# Users in tvl.fyi
-dn: cn=cynthia,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: cynthia
-sn: Cynthia
-title: cynthia
-mail: cynthia@tvl.fyi
-userPassword: {SSHA}aHx2keEnXv6u6oiV2xxqfXdxjom/K8CP
-
-dn: cn=edef,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: edef
-sn: edef
-title: edef
-mail: edef@edef.eu
-userPassword: {SSHA}7w2XC6xxuhlUX2KvBpK4fD/X7ZCpfN/E
-
-dn: cn=eta,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: eta
-sn: eta
-title: eta
-mail: eta@theta.eu.org
-userPassword: {SSHA}sOR5xzi7Lfv376XGQA8Hf6jyhTvo0XYc
-
-dn: cn=glittershark,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: glittershark
-sn: glittershark
-title: glittershark
-mail: grfn@gws.fyi
-userPassword: {SSHA}i7PSAsXwJT3jjmmvU77aar/tU/YPDCEO
-
-dn: cn=isomer,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: isomer
-sn: isomer
-title: isomer
-mail: isomer@tvl.fyi
-userPassword: {SSHA}OhWQkPJgH1rRJqYIaMUbbKC4iLEzvCev
-
-dn: cn=lukegb,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: lukegb
-sn: lukegb
-title: lukegb
-mail: lukegb@tvl.fyi
-userPassword: {SSHA}7a85VNhpFElFw+N5xcjgGmt4HnBsaGp4
-
-dn: cn=nyanotech,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: nyanotech
-sn: nyanotech
-title: nyanotech
-mail: nyanotechnology@gmail.com
-userPassword: {SSHA}NIJ2RCRb1+Q4Bs63cyE91VZyiN47DG6y
-
-dn: cn=q3k,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: q3k
-sn: q3k
-title: q3k
-mail: q3k@q3k.org
-userPassword: {SSHA}BEccJdtnhVLDzOn+pxNfayNi3QFcEABE
-
-dn: cn=ericvolp12,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: ericvolp12
-sn: ericvolp12
-title: ericvolp12
-mail: ericvolp12@gmail.com
-userPassword: {SSHA}pSepaQ+/5KBLfJtRR5rfxGU8goAsXgvk
-
-dn: cn=riking,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: riking
-sn: Kane York
-title: riking
-mail: rikingcoding@gmail.com
-userPassword: {SSHA}6rPxMOofHMGNTEYdyBOYbza7NT/RmiGz
-
-dn: cn=tazjin,ou=users,dc=tvl,dc=fyi
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: tazjin
-sn: tazjin
-title: tazjin
-mail: mail@tazj.in
-userPassword: {SSHA}67H341jRfAFBDz/R9+T3fHQiPfjwTbpQ
diff --git a/ops/nixos/tvl-slapd/default.nix b/ops/nixos/tvl-slapd/default.nix
index 294a6636d7..33e47179f3 100644
--- a/ops/nixos/tvl-slapd/default.nix
+++ b/ops/nixos/tvl-slapd/default.nix
@@ -1,9 +1,88 @@
 # Configures an OpenLDAP instance for TVL
 #
 # TODO(tazjin): Configure ldaps://
-{ pkgs, config, ... }:
+{ config, lib, pkgs, ... }:
 
-{
+with config.depot.nix.yants;
+
+let
+ user = struct {
+ username = string;
+ email = string;
+ password = string;
+ displayName = option string;
+ };
+
+ toLdif = defun [ user string ] (u: ''
+ dn: cn=${u.username},ou=users,dc=tvl,dc=fyi
+ objectClass: organizationalPerson
+ objectClass: inetOrgPerson
+ sn: ${u.username}
+ cn: ${u.username}
+ displayName: ${u.displayName or u.username}
+ mail: ${u.email}
+ userPassword: ${u.password}
+ '');
+
+ users = [
+ {
+ username = "cynthia";
+ email = "cynthia@tvl.fyi";
+ password = "{SSHA}aHx2keEnXv6u6oiV2xxqfXdxjom/K8CP";
+ }
+ {
+ username = "edef";
+ email = "edef@edef.eu";
+ password = "{SSHA}7w2XC6xxuhlUX2KvBpK4fD/X7ZCpfN/E";
+ }
+ {
+ username = "eta";
+ email = "eta@theta.eu.org";
+ password = "{SSHA}sOR5xzi7Lfv376XGQA8Hf6jyhTvo0XYc";
+ }
+ {
+ username = "glittershark";
+ email = "grfn@gws.fyi";
+ password = "{SSHA}i7PSAsXwJT3jjmmvU77aar/tU/YPDCEO";
+ }
+ {
+ username = "isomer";
+ email = "isomer@tvl.fyi";
+ password = "{SSHA}OhWQkPJgH1rRJqYIaMUbbKC4iLEzvCev";
+ }
+ {
+ username = "lukegb";
+ email = "lukegb@tvl.fyi";
+ password = "{SSHA}7a85VNhpFElFw+N5xcjgGmt4HnBsaGp4";
+ }
+ {
+ username = "nyanotech";
+ email = "nyanotechnology@gmail.com";
+ password = "{SSHA}NIJ2RCRb1+Q4Bs63cyE91VZyiN47DG6y";
+ }
+ {
+ username = "q3k";
+ email = "q3k@q3k.org";
+ password = "{SSHA}BEccJdtnhVLDzOn+pxNfayNi3QFcEABE";
+ }
+ {
+ username = "ericvolp12";
+ email = "ericvolp12@gmail.com";
+ password = "{SSHA}pSepaQ+/5KBLfJtRR5rfxGU8goAsXgvk";
+ }
+ {
+ username = "riking";
+ displayName = "Kane York";
+ email = "rikingcoding@gmail.com";
+ password = "{SSHA}6rPxMOofHMGNTEYdyBOYbza7NT/RmiGz";
+ }
+ {
+ username = "tazjin";
+ email = "mail@tazj.in";
+ password = "{SSHA}67H341jRfAFBDz/R9+T3fHQiPfjwTbpQ";
+ }
+ ];
+in {
 services.openldap = {
 enable = true;
 dataDir = "/var/lib/openldap";
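Review bot: `toLdif` splices `u.username`, `u.email` and `u.displayName` into the DN and attribute values unescaped, so a username containing a DN special character (`,`, `+`, `=`, `"`, `\`, `;`) or a value with an embedded newline or leading space produces a malformed or differently-scoped record that only surfaces when slapd loads the contents. The values come from the `users` list in this same file, so this is a correctness rather than an exposure concern, but given that the stated motivation is people getting DNs wrong it is worth making a bad value fail at eval time — constrain `username` to a plain `[a-z0-9_-]+` token in the `user` struct (yants appears to offer a `restrict` combinator for exactly this) or at minimum document it on the struct: `# username is spliced unescaped into the DN; keep it a plain [a-z0-9_-]+ token`. Separately, the template drops the `title` attribute and sets `sn` to the username for everyone, so riking's `sn: Kane York` becomes `sn: riking` with the name moved to `displayName` — fine if nothing bound to this directory reads `sn` or `title`, but the commit message does not mention the schema change. A one-line comment on `password` saying it holds an already-hashed OpenLDAP `userPassword` value (`{SSHA}…`), never a plaintext, would help the next person adding an entry. The `services.openldap` attrset opened at the end of the hunk continues outside it.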
@@ -11,10 +90,6 @@
 rootdn = "cn=admin,dc=tvl,dc=fyi";
 rootpw = "{SSHA}yEEO6Ol2W3ritdiJzPSsjOtyPGxWF2JW";
 
- # Contents are immutable at runtime, and adding user accounts etc.
- # is done statically in the LDIF-formatted contents in this folder.
- declarativeContents = builtins.readFile ./contents.ldif;
-
 # ACL configuration
 extraDatabaseConfig = ''
 # Allow users to change their own password
@@ -26,5 +101,31 @@
 # Allow default read access to other directory elements
 access to * by * read
 '';
+
+ # Contents are immutable at runtime, and adding user accounts etc.
+ # is done statically in the LDIF-formatted contents in this folder.
+ declarativeContents = ''
+ dn: dc=tvl,dc=fyi
+ dc: tvl
+ o: TVL LDAP server
+ description: Root entry for tvl.fyi
+ objectClass: top
+ objectClass: dcObject
+ objectClass: organization
+
+ dn: ou=users,dc=tvl,dc=fyi
+ ou: users
+ description: All users in TVL
+ objectClass: top
+ objectClass: organizationalUnit
+
+ dn: ou=groups,dc=tvl,dc=fyi
+ ou: groups
+ description: All groups in TVL
+ objectClass: top
+ objectClass: organizationalUnit
+
+ ${lib.concatStringsSep "\n" (map toLdif users)}
+ '';
 };
 }
-- 
cgit 1.4.1
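Review bot: The comment re-added above `declarativeContents` in the second hunk, `# is done statically in the LDIF-formatted contents in this folder.`, is stale after this change — there is no LDIF file in the folder any more, the records are generated from the `users` list at the top of this file — so it should read something like `# is done statically from the users list at the top of this file.`. That comment is also the natural place to state the invariant the generated entries rely on: as I read the NixOS module, `declarativeContents` is written out to the Nix store and is therefore readable by every local user, so `userPassword` values in `users` must always be pre-hashed (`{SSHA}…`) and never plaintext — no change from the previous `builtins.readFile`, but now the data and the note can sit together. The `services.openldap` attrset that this hunk closes starts outside the hunk.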