refactor(tvl-slapd): Move user definitions into Nix code

Implements a function that generates the LDIF record for each user and templates it into the configuration. This is slightly more user-friendly and less error-prone (people kept getting the DNs wrong) than editing the contents manually. Change-Id: Ic419d2ef464f9a94be5d54b666f7d53134b53eed Reviewed-on: https://cl.tvl.fyi/c/depot/+/447 Reviewed-by: riking <rikingcoding@gmail.com>
2020-06-17 03:48:21 +01:00 · 2020-06-17 03:48:21 +01:00 · 27db1fc86b
commit 27db1fc86b
parent b27239b60a
2 changed files with 107 additions and 125 deletions
--- a/ops/nixos/tvl-slapd/contents.ldif
+++ b/ops/nixos/tvl-slapd/contents.ldif
@ -1,119 +0,0 @@
 dn: dc=tvl,dc=fyi
 dc: tvl
 o: TVL LDAP server
 description: Root entry for tvl.fyi
 objectClass: top
 objectClass: dcObject
 objectClass: organization
 dn: ou=users,dc=tvl,dc=fyi
 ou: users
 description: All users in TVL
 objectClass: top
 objectClass: organizationalUnit
 dn: ou=groups,dc=tvl,dc=fyi
 ou: groups
 description: All groups in TVL
 objectClass: top
 objectClass: organizationalUnit
 # Users in tvl.fyi
 dn: cn=cynthia,ou=users,dc=tvl,dc=fyi
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 cn: cynthia
 sn: Cynthia
 title: cynthia
 mail: cynthia@tvl.fyi
 userPassword: {SSHA}aHx2keEnXv6u6oiV2xxqfXdxjom/K8CP
 dn: cn=edef,ou=users,dc=tvl,dc=fyi
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 cn: edef
 sn: edef
 title: edef
 mail: edef@edef.eu
 userPassword: {SSHA}7w2XC6xxuhlUX2KvBpK4fD/X7ZCpfN/E
 dn: cn=eta,ou=users,dc=tvl,dc=fyi
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 cn: eta
 sn: eta
 title: eta
 mail: eta@theta.eu.org
 userPassword: {SSHA}sOR5xzi7Lfv376XGQA8Hf6jyhTvo0XYc
 dn: cn=glittershark,ou=users,dc=tvl,dc=fyi
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 cn: glittershark
 sn: glittershark
 title: glittershark
 mail: grfn@gws.fyi
 userPassword: {SSHA}i7PSAsXwJT3jjmmvU77aar/tU/YPDCEO
 dn: cn=isomer,ou=users,dc=tvl,dc=fyi
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 cn: isomer
 sn: isomer
 title: isomer
 mail: isomer@tvl.fyi
 userPassword: {SSHA}OhWQkPJgH1rRJqYIaMUbbKC4iLEzvCev
 dn: cn=lukegb,ou=users,dc=tvl,dc=fyi
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 cn: lukegb
 sn: lukegb
 title: lukegb
 mail: lukegb@tvl.fyi
 userPassword: {SSHA}7a85VNhpFElFw+N5xcjgGmt4HnBsaGp4
 dn: cn=nyanotech,ou=users,dc=tvl,dc=fyi
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 cn: nyanotech
 sn: nyanotech
 title: nyanotech
 mail: nyanotechnology@gmail.com
 userPassword: {SSHA}NIJ2RCRb1+Q4Bs63cyE91VZyiN47DG6y
 dn: cn=q3k,ou=users,dc=tvl,dc=fyi
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 cn: q3k
 sn: q3k
 title: q3k
 mail: q3k@q3k.org
 userPassword: {SSHA}BEccJdtnhVLDzOn+pxNfayNi3QFcEABE
 dn: cn=ericvolp12,ou=users,dc=tvl,dc=fyi
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 cn: ericvolp12
 sn: ericvolp12
 title: ericvolp12
 mail: ericvolp12@gmail.com
 userPassword: {SSHA}pSepaQ+/5KBLfJtRR5rfxGU8goAsXgvk
 dn: cn=riking,ou=users,dc=tvl,dc=fyi
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 cn: riking
 sn: Kane York
 title: riking
 mail: rikingcoding@gmail.com
 userPassword: {SSHA}6rPxMOofHMGNTEYdyBOYbza7NT/RmiGz
 dn: cn=tazjin,ou=users,dc=tvl,dc=fyi
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 cn: tazjin
 sn: tazjin
 title: tazjin
 mail: mail@tazj.in
 userPassword: {SSHA}67H341jRfAFBDz/R9+T3fHQiPfjwTbpQ
--- a/ops/nixos/tvl-slapd/default.nix
+++ b/ops/nixos/tvl-slapd/default.nix
@ -1,9 +1,88 @@
 # Configures an OpenLDAP instance for TVL
 #
 # TODO(tazjin): Configure ldaps://
-{ pkgs, config, ... }:
+{ config, lib, pkgs, ... }:
 with config.depot.nix.yants;
 let
  user = struct {
    username = string;
    email = string;
    password = string;
    displayName = option string;
  };
  toLdif = defun [ user string ] (u: ''
    dn: cn=${u.username},ou=users,dc=tvl,dc=fyi
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    sn: ${u.username}
    cn: ${u.username}
    displayName: ${u.displayName or u.username}
    mail: ${u.email}
    userPassword: ${u.password}
  '');
  users = [
    {
      username = "cynthia";
      email = "cynthia@tvl.fyi";
      password = "{SSHA}aHx2keEnXv6u6oiV2xxqfXdxjom/K8CP";
    }
    {
      username = "edef";
      email = "edef@edef.eu";
      password = "{SSHA}7w2XC6xxuhlUX2KvBpK4fD/X7ZCpfN/E";
    }
    {
      username = "eta";
      email = "eta@theta.eu.org";
      password = "{SSHA}sOR5xzi7Lfv376XGQA8Hf6jyhTvo0XYc";
    }
    {
      username = "glittershark";
      email = "grfn@gws.fyi";
      password = "{SSHA}i7PSAsXwJT3jjmmvU77aar/tU/YPDCEO";
    }
    {
      username = "isomer";
      email = "isomer@tvl.fyi";
      password = "{SSHA}OhWQkPJgH1rRJqYIaMUbbKC4iLEzvCev";
    }
    {
      username = "lukegb";
      email = "lukegb@tvl.fyi";
      password = "{SSHA}7a85VNhpFElFw+N5xcjgGmt4HnBsaGp4";
    }
    {
      username = "nyanotech";
      email = "nyanotechnology@gmail.com";
      password = "{SSHA}NIJ2RCRb1+Q4Bs63cyE91VZyiN47DG6y";
    }
    {
      username = "q3k";
      email = "q3k@q3k.org";
      password = "{SSHA}BEccJdtnhVLDzOn+pxNfayNi3QFcEABE";
    }
    {
      username = "ericvolp12";
      email = "ericvolp12@gmail.com";
      password = "{SSHA}pSepaQ+/5KBLfJtRR5rfxGU8goAsXgvk";
    }
    {
      username = "riking";
      displayName = "Kane York";
      email = "rikingcoding@gmail.com";
      password = "{SSHA}6rPxMOofHMGNTEYdyBOYbza7NT/RmiGz";
    }
    {
      username = "tazjin";
      email = "mail@tazj.in";
      password = "{SSHA}67H341jRfAFBDz/R9+T3fHQiPfjwTbpQ";
    }
  ];
 in {
  services.openldap = {
    enable = true;
    dataDir = "/var/lib/openldap";
@ -11,10 +90,6 @@
    rootdn = "cn=admin,dc=tvl,dc=fyi";
    rootpw = "{SSHA}yEEO6Ol2W3ritdiJzPSsjOtyPGxWF2JW";
    # Contents are immutable at runtime, and adding user accounts etc.
    # is done statically in the LDIF-formatted contents in this folder.
    declarativeContents = builtins.readFile ./contents.ldif;
    # ACL configuration
    extraDatabaseConfig = ''
      # Allow users to change their own password
@ -26,5 +101,31 @@
      # Allow default read access to other directory elements
      access to * by * read
    '';
    # Contents are immutable at runtime, and adding user accounts etc.
    # is done statically in the LDIF-formatted contents in this folder.
    declarativeContents = ''
      dn: dc=tvl,dc=fyi
      dc: tvl
      o: TVL LDAP server
      description: Root entry for tvl.fyi
      objectClass: top
      objectClass: dcObject
      objectClass: organization
      dn: ou=users,dc=tvl,dc=fyi
      ou: users
      description: All users in TVL
      objectClass: top
      objectClass: organizationalUnit
      dn: ou=groups,dc=tvl,dc=fyi
      ou: groups
      description: All groups in TVL
      objectClass: top
      objectClass: organizationalUnit
      ${lib.concatStringsSep "\n" (map toLdif users)}
    '';
  };
 }