openldap database has to be under /var/lib/openldap

This commit is contained in:
niten 2022-12-10 12:02:29 -08:00
parent ba643ab3a2
commit b0e105371c
2 changed files with 49 additions and 46 deletions


@ -197,15 +197,20 @@ in {
grafana = { grafana = {
enable = true; enable = true;
addr = "127.0.0.1";
protocol = "http";
port = 3000;
domain = cfg.hostname;
rootUrl = let scheme = if cfg.private-network then "http" else "https";
in "${scheme}://${cfg.hostname}/";
dataDir = cfg.state-directory; dataDir = cfg.state-directory;
settings = { settings = {
server = {
root_url =
let scheme = if cfg.private-network then "http" else "https";
in "${scheme}://${cfg.hostname}/";
http_addr = "127.0.0.1";
http_port = 3000;
protocol = "http";
domain = cfg.hostname;
};
smtp = { smtp = {
enable = true; enable = true;
# TODO: create system user as necessary # TODO: create system user as necessary
@ -228,7 +233,7 @@ in {
type = "postgres"; type = "postgres";
}; };
ldap.auth = mkIf (cfg.ldap != null) (let "ldap.auth" = mkIf (cfg.ldap != null) (let
base = cfg.ldap.base-dn; base = cfg.ldap.base-dn;
config-file = pkgs.writeText "grafana-ldap.toml" '' config-file = pkgs.writeText "grafana-ldap.toml" ''
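Review bot: The new `settings.server` block announces an https root_url whenever cfg.private-network is false while the listener stays `protocol = "http"` on 127.0.0.1, which presumably means a TLS-terminating proxy sits in front, but nothing in the hunk sets `settings.security.cookie_secure`, so Grafana keeps its default of issuing the session cookie without the Secure flag. Add `security.cookie_secure = !cfg.private-network;` beside the `server` attrset (inside `settings`) so the cookie is only sent to the https origin that root_url advertises. The `root_url`, `http_addr`, `http_port`, `protocol` and `domain` keys are valid `[server]` settings, so the move away from the deprecated top-level options itself looks right; the enclosing `grafana` attrset continues past the hunk.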


@ -15,7 +15,8 @@ let
ca-path = "${cfg.state-directory}/ca.pem"; ca-path = "${cfg.state-directory}/ca.pem";
build-ca-script = target: ca-cert: site-chain: let build-ca-script = target: ca-cert: site-chain:
let
user = config.services.openldap.user; user = config.services.openldap.user;
group = config.services.openldap.group; group = config.services.openldap.group;
in pkgs.writeShellScript "build-openldap-ca-script.sh" '' in pkgs.writeShellScript "build-openldap-ca-script.sh" ''
@ -219,12 +220,13 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
users = { users = {
users.openldap = { users.openldap = { uid = 389; };
uid = 389; groups.openldap = { gid = 389; };
};
groups.openldap = {
gid = 389;
}; };
fileSystems."/var/lib/openldap/database" = {
device = "${cfg.state-directory}/database";
options = [ "bind" ];
}; };
environment = { environment = {
@ -250,9 +252,7 @@ in {
user = config.services.openldap.user; user = config.services.openldap.user;
group = config.services.openldap.group; group = config.services.openldap.group;
in { in {
tmpfiles.rules = [ tmpfiles.rules = [ "d ${dirOf ca-path} 0700 ${user} ${group} - -" ];
"d ${dirOf ca-path} 0700 ${user} ${group} - -"
];
services.openldap = { services.openldap = {
partOf = [ cfg.systemd-target ]; partOf = [ cfg.systemd-target ];
@ -261,9 +261,7 @@ in {
KRB5_KTNAME = cfg.kerberos-keytab; KRB5_KTNAME = cfg.kerberos-keytab;
}; };
preStart = mkAfter '' preStart = mkAfter ''
${build-ca-script ca-path ${build-ca-script ca-path cfg.ssl-chain cfg.ssl-ca-certificate}
cfg.ssl-chain
cfg.ssl-ca-certificate}
# The script is failing to do this # The script is failing to do this
chown "${user}:${group}" /etc/openldap chown "${user}:${group}" /etc/openldap
''; '';
@ -314,11 +312,12 @@ in {
settings = let settings = let
makePermEntry = dn: perm: "by ${dn} ${perm}"; makePermEntry = dn: perm: "by ${dn} ${perm}";
makeAccessLine = target: perm-map: let makeAccessLine = target: perm-map:
perm-entries = mapAttrsToList makePermEntry perm-map; let perm-entries = mapAttrsToList makePermEntry perm-map;
in "to ${target} ${concatStringsSep " " perm-entries}"; in "to ${target} ${concatStringsSep " " perm-entries}";
makeAccess = access-map: let makeAccess = access-map:
let
access-lines = mapAttrsToList makeAccessLine; access-lines = mapAttrsToList makeAccessLine;
numbered-access-lines = imap0 (i: line: "{${toString i}}${line}"); numbered-access-lines = imap0 (i: line: "{${toString i}}${line}");
in numbered-access-lines (access-lines access-map); in numbered-access-lines (access-lines access-map);
@ -333,11 +332,13 @@ in {
olcTLSCACertificateFile = ca-path; olcTLSCACertificateFile = ca-path;
olcSaslSecProps = "noplain,noanonymous"; olcSaslSecProps = "noplain,noanonymous";
olcAuthzRegexp = let olcAuthzRegexp = let
authz-regex-entry = i: { regex, target }: authz-regex-entry = i:
"{${toString i}}\"${regex}\" \"${target}\""; { regex, target }:
''{${toString i}}"${regex}" "${target}"'';
in imap0 authz-regex-entry [ in imap0 authz-regex-entry [
{ {
regex = "^uid=auth/([^.]+).fudo.org,cn=fudo.org,cn=gssapi,cn=auth$"; regex =
"^uid=auth/([^.]+).fudo.org,cn=fudo.org,cn=gssapi,cn=auth$";
target = "cn=$1,ou=hosts,dc=fudo,dc=org"; target = "cn=$1,ou=hosts,dc=fudo,dc=org";
} }
{ {
@ -353,7 +354,8 @@ in {
target = "cn=$1,ou=hosts,dc=fudo,dc=org"; target = "cn=$1,ou=hosts,dc=fudo,dc=org";
} }
{ {
regex = "^gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth$"; regex =
"^gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth$";
target = "cn=admin,dc=fudo,dc=org"; target = "cn=admin,dc=fudo,dc=org";
} }
]; ];
@ -377,11 +379,7 @@ in {
attrs = { attrs = {
objectClass = [ "olcDatabaseConfig" ]; objectClass = [ "olcDatabaseConfig" ];
olcDatabase = "{0}config"; olcDatabase = "{0}config";
olcAccess = makeAccess { olcAccess = makeAccess { "*" = { "*" = "none"; }; };
"*" = {
"*" = "none";
};
};
}; };
}; };
"olcDatabase={1}mdb" = { "olcDatabase={1}mdb" = {
@ -391,8 +389,8 @@ in {
olcSuffix = cfg.base; olcSuffix = cfg.base;
# olcRootDN = "cn=admin,${cfg.base}"; # olcRootDN = "cn=admin,${cfg.base}";
# olcRootPW = FIXME; # NOTE: this should be hashed... # olcRootPW = FIXME; # NOTE: this should be hashed...
olcDbDirectory = "${cfg.state-directory}/database"; olcDbDirectory = "/var/lib/openldap/database";
olcDbIndex = [ "objectClass eq" "uid pres,eq" "memberUid eq"]; olcDbIndex = [ "objectClass eq" "uid pres,eq" "memberUid eq" ];
olcAccess = makeAccess { olcAccess = makeAccess {
"attrs=userPassword,shadowLastChange" = { "attrs=userPassword,shadowLastChange" = {
"dn.exact=cn=auth_reader,${cfg.base}" = "read"; "dn.exact=cn=auth_reader,${cfg.base}" = "read";
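Review bot: The new bind mount of `${cfg.state-directory}/database` onto /var/lib/openldap/database has no rule that creates the source directory, so on a fresh state directory the generated mount unit will likely fail before slapd starts, and the mount target inherits whatever mode the source happens to have. Extend the tmpfiles rule in the same file to `tmpfiles.rules = [ "d ${dirOf ca-path} 0700 ${user} ${group} - -" "d ${cfg.state-directory}/database 0700 ${user} ${group} - -" ];` so the directory holding the mdb files (including userPassword hashes) is created owned by the service user and not world-readable. Separately, `${build-ca-script ca-path cfg.ssl-chain cfg.ssl-ca-certificate}` passes cfg.ssl-chain to the parameter the definition names ca-cert and cfg.ssl-ca-certificate to the one named site-chain; the script body is outside the hunk, so this may be intentional, but it reads as swapped and is worth confirming. The olcAuthzRegexp patterns also leave the dots in `.fudo.org` unescaped, so they match any character in those positions; writing `\\.fudo\\.org` in the Nix string pins the intended domain.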