Various changes

2021-12-12 22:50:25 -08:00 · 2021-12-12 22:50:25 -08:00 · daae1f2037
commit daae1f2037
parent aa39f039aa
6 changed files with 47 additions and 43 deletions
--- a/lib/fudo/domains.nix
+++ b/lib/fudo/domains.nix
@ -66,6 +66,12 @@ let
        default = [];
      };

+      ldap-servers = mkOption {
+        type = listOf str;
+        description = "List of hosts acting as LDAP authentication servers for the domain.";
+        default = [];
+      };
+
      primary-nameserver = mkOption {
        type = nullOr str;
        description = "Hostname of the primary nameserver for this domain.";
--- a/lib/fudo/jabber.nix
+++ b/lib/fudo/jabber.nix
@ -183,12 +183,6 @@ in {
      description = "Environment variables to set for the ejabberd daemon.";
      default = {};
    };
-
-    required-services = mkOption {
-      type = listOf str;
-      description = "List of services that must start before ejabberd.";
-      default = [];
-    };
  };
  
  config = mkIf cfg.enable {
@ -266,6 +260,7 @@ in {
            '';
            EnvironmentFile = host-secrets.ejabberd-password-env.target-file;
          };
+          requires = [ host-secrets.ejabberd-password-env.service ];
        };
      };
    };
--- a/lib/fudo/kdc.nix
+++ b/lib/fudo/kdc.nix
@ -239,9 +239,8 @@ let
      };

      ipropd-keytab = mkOption {
-        type = str;
+        type = nullOr str;
        description = "Location at which to find keytab for ipropd slave.";
-        default = "${state-directory}/ipropd.keytab";
      };
    };
  };
--- a/lib/fudo/ldap.nix
+++ b/lib/fudo/ldap.nix
@ -88,18 +88,12 @@ in {
        ldap-server = {
          enable = mkEnableOption "Fudo Authentication";

-          kerberos-host = mkOption {
-            type = str;
-            description = ''
-              The name of the host to use for Kerberos authentication.
-            '';
-          };
-
          kerberos-keytab = mkOption {
-            type = str;
+            type = nullOr str;
            description = ''
              The path to a keytab for the LDAP server, containing a principal for ldap/<hostname>.
            '';
+            default = null;
          };

          ssl-certificate = mkOption {
@ -226,7 +220,7 @@ in {

    environment = {
      etc = {
-        "openldap/sasl2/slapd.conf" = {
+        "openldap/sasl2/slapd.conf" = mkIf (cfg.kerberos-keytab != null) {
          mode = "0400";
          user = config.services.openldap.user;
          group = config.services.openldap.group;
@ -255,11 +249,14 @@ in {
      services.openldap = {
        partOf = [ cfg.systemd-target ];
        requires = cfg.required-services;
-        environment.KRB5_KTNAME = cfg.kerberos-keytab;
-        preStart = mkBefore
-          "${build-ca-script ca-path
+        environment = mkIf (cfg.kerberos-keytab != null) {
+          KRB5_KTNAME = cfg.kerberos-keytab;
+        };
+        preStart = mkAfter ''
+          ${build-ca-script ca-path
            cfg.ssl-chain
-            cfg.ssl-ca-certificate}";
+            cfg.ssl-ca-certificate}
+        '';
        serviceConfig = {
          PrivateDevices = true;
          PrivateTmp = true;
@ -392,26 +389,26 @@ in {
                  "dn.exact=cn=auth_reader,${cfg.base}" = "read";
                  "*" = "auth";
                };
-                "dn=cn=admin,ou=groups,${cfg.base}" = {
-                  # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
-                  "anonymous" = "auth";
-                  "dn.children=dc=fudo,dc=org" = "read";
-                };
-                "dn.subtree=ou=groups,${cfg.base} attrs=memberUid" = {
-                  # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
-                  # "dn.regex=cn=[a-zA-Z][a-zA-Z0-9_]+,ou=hosts,${cfg.base}" = "write";
-                  "anonymous" = "auth";
-                  "dn.children=dc=fudo,dc=org" = "read";
-                };
-                "dn.subtree=ou=members,${cfg.base} attrs=cn,sn,homeDirectory,loginShell,gecos,description,homeDirectory,uidNumber,gidNumber" = {
-                  # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
-                  "anonymous" = "auth";
-                  "dn.children=dc=fudo,dc=org" = "read";
-                };
+                # "dn=cn=admin,ou=groups,${cfg.base}" = {
+                #   # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
+                #   "anonymous" = "auth";
+                #   "*" = "read";
+                # };
+                # "dn.subtree=ou=groups,${cfg.base} attrs=memberUid" = {
+                #   # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
+                #   # "dn.regex=cn=[a-zA-Z][a-zA-Z0-9_]+,ou=hosts,${cfg.base}" = "write";
+                #   "anonymous" = "auth";
+                #   "*" = "read";
+                # };
+                # "dn.subtree=ou=members,${cfg.base} attrs=cn,sn,homeDirectory,loginShell,gecos,description,homeDirectory,uidNumber,gidNumber" = {
+                #   # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
+                #   "anonymous" = "auth";
+                #   "*" = "read";
+                # };
                "*" = {
                  # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
                  "anonymous" = "auth";
-                  "dn.children=dc=fudo,dc=org" = "read";
+                  "*" = "read";
                };
              };
            };
@ -420,7 +417,7 @@ in {
      };

      declarativeContents = {
-        "dc=fudo,dc=org" = ''
+        "${cfg.base}" = ''
          dn: ${cfg.base}
          objectClass: top
          objectClass: dcObject
--- a/lib/fudo/secrets.nix
+++ b/lib/fudo/secrets.nix
@ -180,8 +180,13 @@ in {
      else
        { };

-      host-secret-services = mapAttrs' (secret: secretOpts:
-        (nameValuePair secretOpts.service
+      host-secret-services = let
+        head-or-null = lst: if (lst == []) then null else head lst;
+        strip-service = service-name:
+          head-or-null
+            (builtins.match "^(.+)[.]service$" service-name);
+      in mapAttrs' (secret: secretOpts:
+        (nameValuePair (strip-service secretOpts.service)
          (secret-service hostname secret secretOpts))) host-secrets;

      trace-all = obj: builtins.trace obj obj;
--- a/lib/lib/passwd.nix
+++ b/lib/lib/passwd.nix
@ -9,8 +9,10 @@ let

    buildInputs = with pkgs; [ openldap ];

-    installPhase = ''
-      slappasswd -T ${passwd-file} > $out
+    installPhase = let
+      passwd = removeSuffix "\n" (readFile passwd-file);
+    in ''
+      slappasswd -s ${passwd} > $out
    '';
  };