NixOS deployment for LinuxLab
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

228 lines
6.0 KiB

{ pkgs, lib, config, inputs, ... }:
with lib;
let
baseDN = concatMapStringsSep ","
(part: "dc=${part}")
(splitString "." "informatik.hs-fulda.de");
ldap-sync =
let
wrapped = pkgs.callPackage inputs.ldap-sync { };
env = pkgs.runCommand "ldap-sync-env" { } ''
mkdir -p $out
ln -s ${config.sops.secrets."ldap/sync/config".path} $out/ldap-sync.properties
'';
in
pkgs.runCommand "ldap-sync-wrapper"
{
nativeBuildInputs = [ pkgs.makeWrapper ];
} ''
mkdir -p $out/bin
makeWrapper "${wrapped}/bin/ldap-sync" $out/bin/ldap-sync \
--chdir "${env}"
'';
in
{
services.openldap = {
enable = true;
package = (pkgs.openldap.overrideAttrs (final: prev: {
configureFlags = prev.configureFlags ++ [
"--enable-overlays"
"--enable-remoteauth"
"--enable-spasswd"
"--with-cyrus-sasl"
];
doCheck = false;
})).override {
cyrus_sasl = pkgs.cyrus_sasl.override {
enableLdap = true;
};
};
urlList = [ "ldap:///" "ldaps:///" ];
settings = {
attrs = {
olcLogLevel = "config ACL stats stats2 trace";
olcTLSCertificateFile = config.sops.secrets."ldap/tls/crt".path;
olcTLSCertificateKeyFile = config.sops.secrets."ldap/tls/key".path;
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
olcTLSProtocolMin = "3.1";
olcSaslHost = "localhost";
olcSaslSecProps = "none";
olcSizeLimit = "unlimited";
};
children = {
"cn=schema".includes = [
"${config.services.openldap.package}/etc/schema/core.ldif"
"${config.services.openldap.package}/etc/schema/cosine.ldif"
"${config.services.openldap.package}/etc/schema/inetorgperson.ldif"
"${config.services.openldap.package}/etc/schema/nis.ldif"
];
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/db";
olcSuffix = baseDN;
olcRootDN = "cn=root,${baseDN}";
olcRootPW.path = config.sops.secrets."ldap/root/password".path;
olcAccess = [
# Custom access rules for userPassword attributes
''{0}to attrs=userPassword
by self read
by anonymous auth
by * none
''
# Synced is managed by sync
''{1}to dn.subtree="ou=synced,ou=users,dc=informatik,dc=hs-fulda,dc=de"
by dn.base="cn=sync,dc=informatik,dc=hs-fulda,dc=de" manage
by * break
''
# Allow login to read users
''{2}to dn.subtree="ou=users,dc=informatik,dc=hs-fulda,dc=de"
by dn.base="cn=login,dc=informatik,dc=hs-fulda,dc=de" read
by self read
by * break
''
# Prevent access
''{3}to *
by * none
''
];
};
children = {
"olcOverlay={0}remoteauth" = {
attrs = {
objectClass = [ "olcOverlayConfig" "olcRemoteAuthCfg" ];
olcOverlay = "{0}remoteauth";
olcRemoteAuthTLS = "starttls=yes tls_cacert=\"/etc/ssl/certs/ca-certificates.crt\"";
olcRemoteAuthDNAttribute = "seeAlso";
olcRemoteAuthDomainAttribute = "associatedDomain";
olcRemoteAuthDefaultDomain = "upstream";
olcRemoteAuthDefaultRealm = "file://${config.sops.secrets."ldap/upstream".path}";
olcRemoteAuthRetryCount = "3";
olcRemoteAuthStore = "false";
};
};
};
};
};
};
declarativeContents = {
"dc=informatik,dc=hs-fulda,dc=de" = ''
dn: dc=informatik,dc=hs-fulda,dc=de
objectClass: domain
dc: informatik
dn: ou=users,dc=informatik,dc=hs-fulda,dc=de
objectClass: organizationalUnit
ou: users
dn: ou=synced,ou=users,dc=informatik,dc=hs-fulda,dc=de
objectClass: organizationalUnit
ou: users
dn: cn=sync,dc=informatik,dc=hs-fulda,dc=de
objectClass: applicationProcess
objectClass: simpleSecurityObject
objectClass: top
cn: sync
userPassword: {SSHA}Kf5ViggnBdUAPJ3/X5F80Qf/tXOzGI9G
dn: cn=login,dc=informatik,dc=hs-fulda,dc=de
objectClass: applicationProcess
objectClass: simpleSecurityObject
objectClass: top
cn: login
userPassword: {SSHA}esWkdMFThbFD0gSE5tC+jJ1rjwfUuI0p
'';
};
};
systemd.services."openldap" = {
environment = {
SASL_PATH = pkgs.writeTextFile {
name = "openldap-sasl-path";
destination = "/slapd.conf";
text = ''
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
mech_list: GSSAPI EXTERNAL PLAIN NTLM
'';
};
};
onSuccess = [ "ldap-sync.service" ];
};
systemd.services."ldap-sync" = {
script = "${ldap-sync}/bin/ldap-sync";
startAt = "hourly";
requisite = [ "openldap.service" ];
# Flush caches
postStop = ''
${config.services.nscd.package}/bin/nscd --invalidate=group
${config.services.nscd.package}/bin/nscd --invalidate=passwd
'';
};
sops.secrets = {
"ldap/root/password" = {
sopsFile = ./secrets/ldap.yaml;
owner = "openldap";
};
"ldap/upstream" = {
sopsFile = ./secrets/ldap.yaml;
owner = "openldap";
};
"ldap/tls/key" = {
sopsFile = ./secrets/ldap.tls.key;
format = "binary";
owner = "openldap";
};
"ldap/tls/crt" = {
sopsFile = ./secrets/ldap.tls.crt;
format = "binary";
owner = "openldap";
};
"ldap/sync/config" = {
sopsFile = ./secrets/ldap.yaml;
};
};
networking.firewall.allowedTCPPorts = [
22
389
636
];
}