NixOS deployment for LinuxLab
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

226 lines
6.0 KiB

2 weeks ago
  1. { pkgs, lib, config, inputs, ... }:
  2. with lib;
  3. let
  4. baseDN = concatMapStringsSep ","
  5. (part: "dc=${part}")
  6. (splitString "." "informatik.hs-fulda.de");
  7. ldap-sync =
  8. let
  9. wrapped = pkgs.callPackage inputs.ldap-sync { };
  10. env = pkgs.runCommand "ldap-sync-env" { } ''
  11. mkdir -p $out
  12. ln -s ${config.sops.secrets."ldap/sync/config".path} $out/ldap-sync.properties
  13. '';
  14. in
  15. pkgs.runCommand "ldap-sync-wrapper"
  16. {
  17. nativeBuildInputs = [ pkgs.makeWrapper ];
  18. } ''
  19. mkdir -p $out/bin
  20. makeWrapper "${wrapped}/bin/ldap-sync" $out/bin/ldap-sync \
  21. --chdir "${env}"
  22. '';
  23. in
  24. {
  25. services.openldap = {
  26. enable = true;
  27. package = (pkgs.openldap.overrideAttrs (final: prev: {
  28. configureFlags = prev.configureFlags ++ [
  29. "--enable-overlays"
  30. "--enable-remoteauth"
  31. "--enable-spasswd"
  32. "--with-cyrus-sasl"
  33. ];
  34. doCheck = false;
  35. })).override {
  36. cyrus_sasl = pkgs.cyrus_sasl.override {
  37. enableLdap = true;
  38. };
  39. };
  40. urlList = [ "ldap:///" "ldaps:///" ];
  41. settings = {
  42. attrs = {
  43. olcLogLevel = "config ACL stats stats2 trace";
  44. olcTLSCertificateFile = config.sops.secrets."ldap/tls/crt".path;
  45. olcTLSCertificateKeyFile = config.sops.secrets."ldap/tls/key".path;
  46. olcTLSCRLCheck = "none";
  47. olcTLSVerifyClient = "never";
  48. olcTLSProtocolMin = "3.1";
  49. olcSaslHost = "localhost";
  50. olcSaslSecProps = "none";
  51. olcSizeLimit = "unlimited";
  52. };
  53. children = {
  54. "cn=schema".includes = [
  55. "${config.services.openldap.package}/etc/schema/core.ldif"
  56. "${config.services.openldap.package}/etc/schema/cosine.ldif"
  57. "${config.services.openldap.package}/etc/schema/inetorgperson.ldif"
  58. "${config.services.openldap.package}/etc/schema/nis.ldif"
  59. ];
  60. "olcDatabase={1}mdb" = {
  61. attrs = {
  62. objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
  63. olcDatabase = "{1}mdb";
  64. olcDbDirectory = "/var/lib/openldap/db";
  65. olcSuffix = baseDN;
  66. olcRootDN = "cn=root,${baseDN}";
  67. olcRootPW.path = config.sops.secrets."ldap/root/password".path;
  68. olcAccess = [
  69. # Custom access rules for userPassword attributes
  70. ''{0}to attrs=userPassword
  71. by self read
  72. by anonymous auth
  73. by * none
  74. ''
  75. # Synced is managed by sync
  76. ''{1}to dn.subtree="ou=synced,ou=users,dc=informatik,dc=hs-fulda,dc=de"
  77. by dn.base="cn=sync,dc=informatik,dc=hs-fulda,dc=de" manage
  78. by * break
  79. ''
  80. # Allow login to read users
  81. ''{2}to dn.subtree="ou=users,dc=informatik,dc=hs-fulda,dc=de"
  82. by dn.base="cn=login,dc=informatik,dc=hs-fulda,dc=de" read
  83. by self read
  84. by * break
  85. ''
  86. # Prevent access
  87. ''{3}to *
  88. by * none
  89. ''
  90. ];
  91. };
  92. children = {
  93. "olcOverlay={0}remoteauth" = {
  94. attrs = {
  95. objectClass = [ "olcOverlayConfig" "olcRemoteAuthCfg" ];
  96. olcOverlay = "{0}remoteauth";
  97. olcRemoteAuthTLS = "starttls=yes tls_cacert=\"/etc/ssl/certs/ca-certificates.crt\"";
  98. olcRemoteAuthDNAttribute = "seeAlso";
  99. olcRemoteAuthDomainAttribute = "associatedDomain";
  100. olcRemoteAuthDefaultDomain = "upstream";
  101. olcRemoteAuthDefaultRealm = "file://${config.sops.secrets."ldap/upstream".path}";
  102. olcRemoteAuthRetryCount = "3";
  103. olcRemoteAuthStore = "false";
  104. };
  105. };
  106. };
  107. };
  108. };
  109. };
  110. declarativeContents = {
  111. "dc=informatik,dc=hs-fulda,dc=de" = ''
  112. dn: dc=informatik,dc=hs-fulda,dc=de
  113. objectClass: domain
  114. dc: informatik
  115. dn: ou=users,dc=informatik,dc=hs-fulda,dc=de
  116. objectClass: organizationalUnit
  117. ou: users
  118. dn: ou=synced,ou=users,dc=informatik,dc=hs-fulda,dc=de
  119. objectClass: organizationalUnit
  120. ou: users
  121. dn: cn=sync,dc=informatik,dc=hs-fulda,dc=de
  122. objectClass: applicationProcess
  123. objectClass: simpleSecurityObject
  124. objectClass: top
  125. cn: sync
  126. userPassword: {SSHA}Kf5ViggnBdUAPJ3/X5F80Qf/tXOzGI9G
  127. dn: cn=login,dc=informatik,dc=hs-fulda,dc=de
  128. objectClass: applicationProcess
  129. objectClass: simpleSecurityObject
  130. objectClass: top
  131. cn: login
  132. userPassword: {SSHA}esWkdMFThbFD0gSE5tC+jJ1rjwfUuI0p
  133. '';
  134. };
  135. };
  136. systemd.services."openldap" = {
  137. environment = {
  138. SASL_PATH = pkgs.writeTextFile {
  139. name = "openldap-sasl-path";
  140. destination = "/slapd.conf";
  141. text = ''
  142. pwcheck_method: saslauthd
  143. saslauthd_path: /var/run/saslauthd/mux
  144. mech_list: GSSAPI EXTERNAL PLAIN NTLM
  145. '';
  146. };
  147. };
  148. onSuccess = [ "ldap-sync.service" ];
  149. };
  150. systemd.services."ldap-sync" = {
  151. script = "${ldap-sync}/bin/ldap-sync";
  152. startAt = "hourly";
  153. requisite = [ "openldap.service" ];
  154. # Flush caches
  155. postStop = ''
  156. ${config.services.nscd.package}/bin/nscd --invalidate=group
  157. ${config.services.nscd.package}/bin/nscd --invalidate=passwd
  158. '';
  159. };
  160. sops.secrets."ldap/root/password" = {
  161. sopsFile = ./secrets/ldap.yaml;
  162. owner = "openldap";
  163. };
  164. sops.secrets."ldap/upstream" = {
  165. sopsFile = ./secrets/ldap.yaml;
  166. owner = "openldap";
  167. };
  168. sops.secrets."ldap/tls/key" = {
  169. sopsFile = ./secrets/ldap.tls.key;
  170. format = "binary";
  171. owner = "openldap";
  172. };
  173. sops.secrets."ldap/tls/crt" = {
  174. sopsFile = ./secrets/ldap.tls.crt;
  175. format = "binary";
  176. owner = "openldap";
  177. };
  178. sops.secrets."ldap/sync/config" = {
  179. sopsFile = ./secrets/ldap.yaml;
  180. };
  181. networking.firewall.allowedTCPPorts = [
  182. 22
  183. 389
  184. 636
  185. ];
  186. }