From 88bf43878f243ca0276da4a21aa6a00a6a0dbc3c Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Fri, 25 Dec 2020 11:13:06 +0100
Subject: chore(3p): Bump NixOS channels to 2020-12-28

Changes:

* ops/nixos/tvl-slapd: The NixOS module for OpenLDAP has removed the ability to configure OpenLDAP directly and now forces users to use some kind of weird Nix->OLC mapping that is mostly undocumented. This moves the config we need to the new format in a way that may or may not work and does the other arbitrary dance steps that someone decided to impose on us. Note that this now throws lots of warnings, but I can't be bothered to fix them.
* 3p: Random package removals accomodated
* users/glittershark: Pin grfn's kernel to 5.9, because the CK patch is not yet updated for 5.10
* users/glittershark: Update vendor hash for pg-dump-upsert, I suspect this changed because of something in the Go build machinery in nixpkgs. The deleteVendor flag also has no effect anymore and has been removed.
* users/glittershark: agda build is broken, commenting out development home-manager environment until it can be fixed
* third_party/haskell_overlay: updating random needs upper boundarles of a few dependencies relaxed (curse them)
* third_party/gerrit_plugins: for some cursed reason the fixed-output hash of the gerrit owners plugin fetchgit changed, updated. Same for the checks plugin.

Change-Id: Ica37995fe8039d3ba80eab643867f98795c56734
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2295
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch
Reviewed-by: glittershark
Reviewed-by: tazjin
---
 ops/nixos/tvl-slapd/default.nix | 29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)
(limited to 'ops/nixos/tvl-slapd/default.nix')
diff --git a/ops/nixos/tvl-slapd/default.nix b/ops/nixos/tvl-slapd/default.nix
index cb47d8b33e..3f3ec67893 100644
--- a/ops/nixos/tvl-slapd/default.nix
+++ b/ops/nixos/tvl-slapd/default.nix
@@ -164,29 +164,28 @@ in {
 services.openldap = {
 enable = true;
 dataDir = "/var/lib/openldap";
+ database = "mdb";
 suffix = "dc=tvl,dc=fyi";
 rootdn = "cn=admin,dc=tvl,dc=fyi";
 rootpw = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$OfcgkOQ96VQ3aJj7NfA9vQ$oS6HQOkYl/bUYg4SejpltQYy7kvqx/RUxvoR4zo1vXU";
 
- # ACL configuration
- extraDatabaseConfig = ''
- # Allow users to change their own password
- access to attrs=userPassword
- by self write
- by anonymous auth
- by users none
+ settings.children = {
+ "olcDatabase={1}mdb".attrs = {
+ objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+ olcDatabase = "{1}mdb";
+ olcSuffix = "dc=tvl,dc=fyi";
+ olcAccess = "to * by * read";
+ };
 
- # Allow default read access to other directory elements
- access to * by * read
- '';
-
- extraConfig = ''
- moduleload pw-argon2
- '';
+ "cn=module{0}".attrs = {
+ objectClass = "olcModuleList";
+ olcModuleLoad = "pw-argon2";
+ };
+ };
 
 # Contents are immutable at runtime, and adding user accounts etc.
 # is done statically in the LDIF-formatted contents in this folder.
- declarativeContents = ''
+ declarativeContents."dc=tvl,dc=fyi" = ''
 dn: dc=tvl,dc=fyi
 dc: tvl
 o: TVL LDAP server
--
cgit 1.4.1
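Review bot: The new `olcAccess = "to * by * read";` drops the `userPassword` rule that the removed `extraDatabaseConfig` carried, so unless the module injects rules the hunk does not show, any bind including anonymous can now read password hashes and users lose the `by self write` that let them change their own password. OpenLDAP stops at the first `to` clause that matches, so the attribute rule must come before the catch-all and the two rules need explicit ordering: `olcAccess = [ "{0}to attrs=userPassword by self write by anonymous auth by users none" "{1}to * by * read" ];`. Keeping `by anonymous auth` on that attribute preserves binds without exposing the hash. The `services.openldap` block continues past the end of the hunk.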