From 740b4b37fcfbe3d212c67ea855a8c3d3a0a2197b Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Mon, 8 Jun 2020 01:08:41 +0100
Subject: feat(ops/nixos/modules): Add TVL slapd module

This initialises an OpenLDAP server for tvl.fyi

This is the least annoying way to bootstrap Gerrit. Yep.
---
 ops/nixos/modules/tvl-slapd/default.nix | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 ops/nixos/modules/tvl-slapd/default.nix

(limited to 'ops/nixos/modules/tvl-slapd/default.nix')

diff --git a/ops/nixos/modules/tvl-slapd/default.nix b/ops/nixos/modules/tvl-slapd/default.nix
new file mode 100644
index 0000000000..294a6636d7
--- /dev/null
+++ b/ops/nixos/modules/tvl-slapd/default.nix
@@ -0,0 +1,30 @@
+# Configures an OpenLDAP instance for TVL
+#
+# TODO(tazjin): Configure ldaps://
+{ pkgs, config, ... }:
+
+{
+ services.openldap = {
+ enable = true;
+ dataDir = "/var/lib/openldap";
+ suffix = "dc=tvl,dc=fyi";
+ rootdn = "cn=admin,dc=tvl,dc=fyi";
+ rootpw = "{SSHA}yEEO6Ol2W3ritdiJzPSsjOtyPGxWF2JW";
+
+ # Contents are immutable at runtime, and adding user accounts etc.
+ # is done statically in the LDIF-formatted contents in this folder.
+ declarativeContents = builtins.readFile ./contents.ldif;
+
+ # ACL configuration
+ extraDatabaseConfig = ''
+ # Allow users to change their own password
+ access to attrs=userPassword
+ by self write
+ by anonymous auth
+ by users none
+
+ # Allow default read access to other directory elements
+ access to * by * read
+ '';
+ };
+}
--
cgit 1.4.1
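Review bot: The closing ACL `access to * by * read` hands every attribute other than userPassword to anonymous binds as well as authenticated ones, so whatever contents.ldif carries (accounts, mail addresses, group membership) is readable by anyone who can reach the listener, and that listener is plaintext until the ldaps:// TODO on the third line is done. If only bound clients need directory data, narrow it to `access to * by users read by anonymous auth`, which keeps anonymous binds working for Gerrit and for the self-service password rule above it. Separately, `rootpw` and the `builtins.readFile ./contents.ldif` result presumably end up in the generated slapd configuration under the world-readable Nix store, so the admin hash and any userPassword hashes inside the LDIF are visible to every local user; the SSHA (SHA-1) hash committed here should be treated as public if this repository is public and rotated, and supplied via `rootpwFile` from a root-only path if the NixOS module version in use offers that option. A header comment would make the trade-off explicit, e.g. `# NOTE: rootpw and declarativeContents are copied into the Nix store; never place real password hashes here.`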