NixOS deployment for LinuxLab
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

237 lines
6.3 KiB

2 weeks ago
2 weeks ago
2 weeks ago
2 weeks ago
2 weeks ago
2 weeks ago
  1. { pkgs, lib, config, inputs, ... }:
  2. with lib;
  3. let
  4. baseDN = concatMapStringsSep ","
  5. (part: "dc=${part}")
  6. (splitString "." "informatik.hs-fulda.de");
  7. ldap-sync =
  8. let
  9. wrapped = pkgs.callPackage inputs.ldap-sync { };
  10. env = pkgs.runCommand "ldap-sync-env" { } ''
  11. mkdir -p $out
  12. ln -s ${config.sops.secrets."ldap/sync/config".path} $out/ldap-sync.properties
  13. '';
  14. in
  15. pkgs.runCommand "ldap-sync-wrapper"
  16. {
  17. nativeBuildInputs = [ pkgs.makeWrapper ];
  18. } ''
  19. mkdir -p $out/bin
  20. makeWrapper "${wrapped}/bin/ldap-sync" $out/bin/ldap-sync \
  21. --chdir "${env}"
  22. '';
  23. in
  24. {
  25. services.openldap = {
  26. enable = true;
  27. package = (pkgs.openldap.overrideAttrs (final: prev: {
  28. configureFlags = prev.configureFlags ++ [
  29. "--enable-overlays"
  30. "--enable-remoteauth"
  31. "--enable-spasswd"
  32. "--with-cyrus-sasl"
  33. ];
  34. doCheck = false;
  35. })).override {
  36. cyrus_sasl = pkgs.cyrus_sasl.override {
  37. enableLdap = true;
  38. };
  39. };
  40. urlList = [ "ldap:///" "ldaps:///" ];
  41. settings = {
  42. attrs = {
  43. olcLogLevel = "config ACL stats stats2 trace";
  44. olcTLSCertificateFile = config.sops.secrets."ldap/tls/crt".path;
  45. olcTLSCertificateKeyFile = config.sops.secrets."ldap/tls/key".path;
  46. olcTLSCRLCheck = "none";
  47. olcTLSVerifyClient = "never";
  48. olcTLSProtocolMin = "3.1";
  49. olcSaslHost = "localhost";
  50. olcSaslSecProps = "none";
  51. olcSizeLimit = "unlimited";
  52. };
  53. children = {
  54. "cn=schema".includes = [
  55. "${config.services.openldap.package}/etc/schema/core.ldif"
  56. "${config.services.openldap.package}/etc/schema/cosine.ldif"
  57. "${config.services.openldap.package}/etc/schema/inetorgperson.ldif"
  58. "${config.services.openldap.package}/etc/schema/nis.ldif"
  59. ];
  60. "olcDatabase={1}mdb" = {
  61. attrs = {
  62. objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
  63. olcDatabase = "{1}mdb";
  64. olcDbDirectory = "/var/lib/openldap/db";
  65. olcSuffix = baseDN;
  66. olcRootDN = "cn=root,${baseDN}";
  67. olcRootPW.path = config.sops.secrets."ldap/root/password".path;
  68. # Increase max DB size to fit all the users
  69. olcDbMaxSize = "10737418240";
  70. olcDbIndex = [
  71. "uid,uidNumber pres,eq"
  72. "cn,sn pres,eq,sub"
  73. "objectClass eq"
  74. ];
  75. olcAccess = [
  76. # Custom access rules for userPassword attributes
  77. ''{0}to attrs=userPassword
  78. by self read
  79. by anonymous auth
  80. by * none
  81. ''
  82. # Synced is managed by sync
  83. ''{1}to dn.subtree="ou=synced,ou=users,dc=informatik,dc=hs-fulda,dc=de"
  84. by dn.base="cn=sync,dc=informatik,dc=hs-fulda,dc=de" manage
  85. by * break
  86. ''
  87. # Allow login to read users
  88. ''{2}to dn.subtree="ou=users,dc=informatik,dc=hs-fulda,dc=de"
  89. by dn.base="cn=login,dc=informatik,dc=hs-fulda,dc=de" read
  90. by self read
  91. by * break
  92. ''
  93. # Prevent access
  94. ''{3}to *
  95. by * none
  96. ''
  97. ];
  98. };
  99. children = {
  100. "olcOverlay={0}remoteauth" = {
  101. attrs = {
  102. objectClass = [ "olcOverlayConfig" "olcRemoteAuthCfg" ];
  103. olcOverlay = "{0}remoteauth";
  104. olcRemoteAuthTLS = "starttls=yes tls_cacert=\"/etc/ssl/certs/ca-certificates.crt\"";
  105. olcRemoteAuthDNAttribute = "seeAlso";
  106. olcRemoteAuthDomainAttribute = "associatedDomain";
  107. olcRemoteAuthDefaultDomain = "upstream";
  108. olcRemoteAuthDefaultRealm = "file://${config.sops.secrets."ldap/upstream".path}";
  109. olcRemoteAuthRetryCount = "3";
  110. olcRemoteAuthStore = "false";
  111. };
  112. };
  113. };
  114. };
  115. };
  116. };
  117. declarativeContents = {
  118. "dc=informatik,dc=hs-fulda,dc=de" = ''
  119. dn: dc=informatik,dc=hs-fulda,dc=de
  120. objectClass: domain
  121. dc: informatik
  122. dn: ou=users,dc=informatik,dc=hs-fulda,dc=de
  123. objectClass: organizationalUnit
  124. ou: users
  125. dn: ou=synced,ou=users,dc=informatik,dc=hs-fulda,dc=de
  126. objectClass: organizationalUnit
  127. ou: users
  128. dn: cn=sync,dc=informatik,dc=hs-fulda,dc=de
  129. objectClass: applicationProcess
  130. objectClass: simpleSecurityObject
  131. objectClass: top
  132. cn: sync
  133. userPassword: {SSHA}Kf5ViggnBdUAPJ3/X5F80Qf/tXOzGI9G
  134. dn: cn=login,dc=informatik,dc=hs-fulda,dc=de
  135. objectClass: applicationProcess
  136. objectClass: simpleSecurityObject
  137. objectClass: top
  138. cn: login
  139. userPassword: {SSHA}esWkdMFThbFD0gSE5tC+jJ1rjwfUuI0p
  140. '';
  141. };
  142. };
  143. systemd.services."openldap" = {
  144. environment = {
  145. SASL_PATH = pkgs.writeTextFile {
  146. name = "openldap-sasl-path";
  147. destination = "/slapd.conf";
  148. text = ''
  149. pwcheck_method: saslauthd
  150. saslauthd_path: /var/run/saslauthd/mux
  151. mech_list: GSSAPI EXTERNAL PLAIN NTLM
  152. '';
  153. };
  154. };
  155. onSuccess = [ "ldap-sync.service" ];
  156. };
  157. systemd.services."ldap-sync" = {
  158. script = "${ldap-sync}/bin/ldap-sync";
  159. startAt = "hourly";
  160. requisite = [ "openldap.service" ];
  161. # Flush caches
  162. postStop = ''
  163. ${config.services.nscd.package}/bin/nscd --invalidate=group
  164. ${config.services.nscd.package}/bin/nscd --invalidate=passwd
  165. '';
  166. };
  167. sops.secrets = {
  168. "ldap/root/password" = {
  169. sopsFile = ./secrets/ldap.yaml;
  170. owner = "openldap";
  171. };
  172. "ldap/upstream" = {
  173. sopsFile = ./secrets/ldap.yaml;
  174. owner = "openldap";
  175. };
  176. "ldap/tls/key" = {
  177. sopsFile = ./secrets/ldap.tls.key;
  178. format = "binary";
  179. owner = "openldap";
  180. };
  181. "ldap/tls/crt" = {
  182. sopsFile = ./secrets/ldap.tls.crt;
  183. format = "binary";
  184. owner = "openldap";
  185. };
  186. "ldap/sync/config" = {
  187. sopsFile = ./secrets/ldap.yaml;
  188. };
  189. };
  190. networking.firewall.allowedTCPPorts = [
  191. 22
  192. 389
  193. 636
  194. ];
  195. }