maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
snix/ops/nixos/tvl-slapd/default.nix
sterni 2d136e0327 feat(todolist): use static slapd user data for knownUsers 
Since the slapd data is static and generated using nix, we can simply
move the user list into ops/users, so it's recognized by readTree and we
can use it as ops.users both in ops/nixos/tvl-slapd and web/todolist as
a general purpose user registry for depot.

Update docs/REVIEWS.md as well.

Change-Id: I35caaaab70a5578c47cedc7f33077dd513766290
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2419
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-01-18 23:18:55 +00:00

89 lines
2.4 KiB
Nix
Raw Blame History

# Configures an OpenLDAP instance for TVL
#
# TODO(tazjin): Configure ldaps://
{ config, lib, pkgs, ... }:
with config.depot.nix.yants;
let
user = struct {
username = string;
email = string;
password = string;
displayName = option string;
};
toLdif = defun [ user string ] (u: ''
dn: cn=${u.username},ou=users,dc=tvl,dc=fyi
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: ${u.username}
cn: ${u.username}
displayName: ${u.displayName or u.username}
mail: ${u.email}
userPassword: ${u.password}
'');
inherit (config.depot.ops) users;
in {
# Use our patched OpenLDAP derivation which enables stronger password hashing.
#
# Unfortunately the module for OpenLDAP has no package option, so we
# need to override it system-wide. Be aware that this triggers a
# *large* number of rebuilds of packages such as GPG and Python.
nixpkgs.overlays = [
(_: _: {
inherit (config.depot.third_party) openldap;
})
];
services.openldap = {
enable = true;
dataDir = "/var/lib/openldap";
database = "mdb";
suffix = "dc=tvl,dc=fyi";
rootdn = "cn=admin,dc=tvl,dc=fyi";
rootpw = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$OfcgkOQ96VQ3aJj7NfA9vQ$oS6HQOkYl/bUYg4SejpltQYy7kvqx/RUxvoR4zo1vXU";
settings.children = {
"olcDatabase={1}mdb".attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcSuffix = "dc=tvl,dc=fyi";
olcAccess = "to * by * read";
};
"cn=module{0}".attrs = {
objectClass = "olcModuleList";
olcModuleLoad = "pw-argon2";
};
};
# Contents are immutable at runtime, and adding user accounts etc.
# is done statically in the LDIF-formatted contents in this folder.
declarativeContents."dc=tvl,dc=fyi" = ''
dn: dc=tvl,dc=fyi
dc: tvl
o: TVL LDAP server
description: Root entry for tvl.fyi
objectClass: top
objectClass: dcObject
objectClass: organization
dn: ou=users,dc=tvl,dc=fyi
ou: users
description: All users in TVL
objectClass: top
objectClass: organizationalUnit
dn: ou=groups,dc=tvl,dc=fyi
ou: groups
description: All groups in TVL
objectClass: top
objectClass: organizationalUnit
${lib.concatStringsSep "\n" (map toLdif users)}
'';
};
}
Reference in a new issue View git blame Copy permalink