From 268729083eb80c93aa402883085c37e32c8a08cf Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Sat, 13 Jun 2020 21:52:20 +0100
Subject: refactor(ops/nixos): Move my NixOS configurations to //users/tazjin
NixOS modules move one level up because it's unlikely that //ops/nixos will contain actual systems at this point (they're user-specific). This is the first users folder, so it is also added to the root readTree invocation for the repository.
Change-Id: I546c701145fa204b7ba7518a8a56a783588629e0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/244
Reviewed-by: tazjin
---
ops/nixos/tvl-slapd/contents.ldif | 92 +++++++++++++++++++++++++++++++++++++++
ops/nixos/tvl-slapd/default.nix | 30 +++++++++++++
ops/nixos/tvl-slapd/genpasswd.rb | 5 +++
3 files changed, 127 insertions(+)
create mode 100644 ops/nixos/tvl-slapd/contents.ldif
create mode 100644 ops/nixos/tvl-slapd/default.nix
create mode 100644 ops/nixos/tvl-slapd/genpasswd.rb
(limited to 'ops/nixos/tvl-slapd')
diff --git a/ops/nixos/tvl-slapd/contents.ldif b/ops/nixos/tvl-slapd/contents.ldif
new file mode 100644
index 000000000000..4ac5bcecdf01
--- /dev/null
+++ b/ops/nixos/tvl-slapd/contents.ldif
@@ -0,0 +1,92 @@
+dn: dc=tvl,dc=fyi
+dc: tvl
+o: TVL LDAP server
+description: Root entry for tvl.fyi
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+
+dn: ou=users,dc=tvl,dc=fyi
+ou: users
+description: All users in TVL
+objectClass: top
+objectClass: organizationalUnit
+
+dn: ou=groups,dc=tvl,dc=fyi
+ou: groups
+description: All groups in TVL
+objectClass: top
+objectClass: organizationalUnit
+
+# Users in tvl.fyi
+dn: cn=edef,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: edef
+sn: edef
+title: edef
+mail: edef@edef.eu
+userPassword: {SSHA}7w2XC6xxuhlUX2KvBpK4fD/X7ZCpfN/E
+
+dn: cn=eta,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: eta
+sn: eta
+title: eta
+mail: eta@theta.eu.org
+userPassword: {SSHA}sOR5xzi7Lfv376XGQA8Hf6jyhTvo0XYc
+
+dn: cn=isomer,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: isomer
+sn: isomer
+title: isomer
+mail: isomer@tvl.fyi
+userPassword: {SSHA}OhWQkPJgH1rRJqYIaMUbbKC4iLEzvCev
+
+dn: cn=lukegb,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: lukegb
+sn: lukegb
+title: lukegb
+mail: lukegb@tvl.fyi
+userPassword: {SSHA}7a85VNhpFElFw+N5xcjgGmt4HnBsaGp4
+
+dn: cn=nyanotech,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: nyanotech
+sn: nyanotech
+title: nyanotech
+mail: nyanotechnology@gmail.com
+userPassword: {SSHA}NIJ2RCRb1+Q4Bs63cyE91VZyiN47DG6y
+
+dn: cn=q3k,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: q3k
+sn: q3k
+title: q3k
+mail: q3k@q3k.org
+userPassword: {SSHA}BEccJdtnhVLDzOn+pxNfayNi3QFcEABE
+
+dn: cn=riking,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: riking
+sn: Kane York
+title: riking
+mail: rikingcoding@gmail.com
+userPassword: {SSHA}6rPxMOofHMGNTEYdyBOYbza7NT/RmiGz
+
+dn: cn=tazjin,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: tazjin
+sn: tazjin
+title: tazjin
+mail: mail@tazj.in
+userPassword: {SSHA}67H341jRfAFBDz/R9+T3fHQiPfjwTbpQ
diff --git a/ops/nixos/tvl-slapd/default.nix b/ops/nixos/tvl-slapd/default.nix
new file mode 100644
index 000000000000..294a6636d719
--- /dev/null
+++ b/ops/nixos/tvl-slapd/default.nix
@@ -0,0 +1,30 @@
+# Configures an OpenLDAP instance for TVL
+#
+# TODO(tazjin): Configure ldaps://
+{ pkgs, config, ... }:
+
+{
+ services.openldap = {
+ enable = true;
+ dataDir = "/var/lib/openldap";
+ suffix = "dc=tvl,dc=fyi";
+ rootdn = "cn=admin,dc=tvl,dc=fyi";
+ rootpw = "{SSHA}yEEO6Ol2W3ritdiJzPSsjOtyPGxWF2JW";
+
+ # Contents are immutable at runtime, and adding user accounts etc.
+ # is done statically in the LDIF-formatted contents in this folder.
+ declarativeContents = builtins.readFile ./contents.ldif;
+
+ # ACL configuration
+ extraDatabaseConfig = ''
+ # Allow users to change their own password
+ access to attrs=userPassword
+ by self write
+ by anonymous auth
+ by users none
+
+ # Allow default read access to other directory elements
+ access to * by * read
+ '';
+ };
+}
diff --git a/ops/nixos/tvl-slapd/genpasswd.rb b/ops/nixos/tvl-slapd/genpasswd.rb
new file mode 100644
index 000000000000..8f6f8d75842e
--- /dev/null
+++ b/ops/nixos/tvl-slapd/genpasswd.rb
@@ -0,0 +1,5 @@
+require 'securerandom'
+
+passwd = SecureRandom.urlsafe_base64(15)
+
+puts "your password: [[#{passwd}]]"
-- cgit 1.4.1
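Review bot: Every `userPassword` value in this file, and the `rootpw` in default.nix from the same change, is a `{SSHA}` hash committed to a publicly reviewed repository, and git history will keep them even after they are changed. `{SSHA}` is a single round of SHA-1 over password plus salt, which is cheap to guess against offline, so these eight hashes and the root hash should be treated as exposed and rotated once the server is live rather than kept as the long-term credentials. If the slapd build ships the contrib password modules, a slow scheme such as `{ARGON2}` or `{PBKDF2-SHA512}` makes a leaked hash far less useful than `{SSHA}` does. A header comment along the lines of `# userPassword values are hashes, never plaintext; this file is public, so rotate on any suspected compromise` would also keep future editors from pasting a cleartext value here.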
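Review bot: The `by self write` grant on `userPassword` in `extraDatabaseConfig` is at odds with `declarativeContents`, whose own comment says the contents are immutable at runtime: if this NixOS module recreates the database from the LDIF on service start, which I believe the option does (confirm against the module), a password a user sets for themselves is silently reverted at the next restart or deploy. Either drop the self-write grant and make contents.ldif the single source of truth, or keep it and say in the comment that such changes must also be carried back into contents.ldif. Separately, a self-service change sent as a plain modify stores whatever bytes the client supplies, and a global `password-hash` directive only applies to the Password Modify extended operation, so if self-service stays, a note like `# Self-service changes must go through the Password Modify exop (ldappasswd) so password-hash applies` belongs next to the grant. The `# TODO(tazjin): Configure ldaps://` is worth keeping prominent, since until then every simple bind carries the password in the clear.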
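Review bot: The script prints only the plaintext password, while the values it presumably feeds (the `userPassword` lines in contents.ldif) are `{SSHA}` hashes, so the operator still has to pass the plaintext through a second tool before anything can be committed. Emitting the hash here means the plaintext only has to travel to the user and the hash goes straight into the LDIF; the `{SSHA}` form slapd reads is base64 of SHA-1 over password followed by salt, with the salt appended, which needs `base64` and `digest` required alongside `securerandom`. The file also lacks `# frozen_string_literal: true` and any comment stating what the value is for; a one-line header such as `# Generates a random password for a new TVL LDAP user plus the matching userPassword hash for contents.ldif` would do.
```ruby
passwd = SecureRandom.urlsafe_base64(15)

# {SSHA} as slapd stores it: base64(sha1(password || salt) || salt);
# swap the digest if contents.ldif moves to a stronger scheme.
salt = SecureRandom.random_bytes(4)
ssha = Base64.strict_encode64(Digest::SHA1.digest(passwd + salt) + salt)

puts "your password: [[#{passwd}]]"
puts "userPassword: {SSHA}#{ssha}"
```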