From daae1f203776c53bae2bcfdfe0bdcab8823f3fbc Mon Sep 17 00:00:00 2001
From: niten
Date: Sun, 12 Dec 2021 22:50:25 -0800
Subject: [PATCH] Various changes
---
 lib/fudo/domains.nix | 6 +++++
 lib/fudo/jabber.nix | 7 +-----
 lib/fudo/kdc.nix | 3 +--
 lib/fudo/ldap.nix | 59 +++++++++++++++++++++-----------------------
 lib/fudo/secrets.nix | 9 +++++--
 lib/lib/passwd.nix | 6 +++--
 6 files changed, 47 insertions(+), 43 deletions(-)
diff --git a/lib/fudo/domains.nix b/lib/fudo/domains.nix
index c7433f1..514f1f6 100644
--- a/lib/fudo/domains.nix
+++ b/lib/fudo/domains.nix
@@ -66,6 +66,12 @@ let
 default = [];
 };
 
+ ldap-servers = mkOption {
+ type = listOf str;
+ description = "List of hosts acting as LDAP authentication servers for the domain.";
+ default = [];
+ };
+
 primary-nameserver = mkOption {
 type = nullOr str;
 description = "Hostname of the primary nameserver for this domain.";
diff --git a/lib/fudo/jabber.nix b/lib/fudo/jabber.nix
index 55eb693..c389299 100644
--- a/lib/fudo/jabber.nix
+++ b/lib/fudo/jabber.nix
@@ -183,12 +183,6 @@ in {
 description = "Environment variables to set for the ejabberd daemon.";
 default = {};
 };
-
- required-services = mkOption {
- type = listOf str;
- description = "List of services that must start before ejabberd.";
- default = [];
- };
 };
 
 config = mkIf cfg.enable {
@@ -266,6 +260,7 @@ in {
 '';
 EnvironmentFile = host-secrets.ejabberd-password-env.target-file;
 };
+ requires = [ host-secrets.ejabberd-password-env.service ];
 };
 };
 };
diff --git a/lib/fudo/kdc.nix b/lib/fudo/kdc.nix
index 4f481d8..95c1e39 100644
--- a/lib/fudo/kdc.nix
+++ b/lib/fudo/kdc.nix
@@ -239,9 +239,8 @@ let
 };
 
 ipropd-keytab = mkOption {
- type = str;
+ type = nullOr str;
 description = "Location at which to find keytab for ipropd slave.";
- default = "${state-directory}/ipropd.keytab";
 };
 };
 };
diff --git a/lib/fudo/ldap.nix b/lib/fudo/ldap.nix
index 1b930b7..3801d1b 100644
--- a/lib/fudo/ldap.nix
+++ b/lib/fudo/ldap.nix
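Review bot: `requires = [ host-secrets.ejabberd-password-env.service ];` in the second jabber.nix hunk makes the secret unit a hard dependency but does not order ejabberd after it; systemd's Requires= starts both units together, so the `EnvironmentFile = host-secrets.ejabberd-password-env.target-file` two lines above can be opened before the secret service has written the file, and the unit then fails on a missing EnvironmentFile. Add the ordering next to it: `after = [ host-secrets.ejabberd-password-env.service ];`. The enclosing `systemd.services.ejabberd` definition starts outside the hunk, so whether an `after` already exists elsewhere in it cannot be confirmed here.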
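Review bot: `ipropd-keytab` in the kdc.nix hunk loses its default without gaining `default = null;`, so despite `type = nullOr str` the option stays mandatory: any evaluation of `cfg.ipropd-keytab` on a host that does not set it fails with an "option is used but not defined" error instead of yielding null. The parallel change to `kerberos-keytab` in lib/fudo/ldap.nix in this same commit does add `default = null;`; add the same line here so the null case is actually reachable, and guard the consumer of the keytab (not visible in this hunk) with `mkIf (cfg.ipropd-keytab != null)` as ldap.nix now does for `KRB5_KTNAME`.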
@@ -88,18 +88,12 @@ in {
 ldap-server = {
 enable = mkEnableOption "Fudo Authentication";
 
- kerberos-host = mkOption {
- type = str;
- description = ''
- The name of the host to use for Kerberos authentication.
- '';
- };
-
 kerberos-keytab = mkOption {
- type = str;
+ type = nullOr str;
 description = ''
 The path to a keytab for the LDAP server, containing a principal for ldap/.
 '';
+ default = null;
 };
 
 ssl-certificate = mkOption {
@@ -226,7 +220,7 @@ in {
 
 environment = {
 etc = {
- "openldap/sasl2/slapd.conf" = {
+ "openldap/sasl2/slapd.conf" = mkIf (cfg.kerberos-keytab != null) {
 mode = "0400";
 user = config.services.openldap.user;
 group = config.services.openldap.group;
@@ -255,11 +249,14 @@ in {
 services.openldap = {
 partOf = [ cfg.systemd-target ];
 requires = cfg.required-services;
- environment.KRB5_KTNAME = cfg.kerberos-keytab;
- preStart = mkBefore
- "${build-ca-script ca-path
 cfg.ssl-chain
- cfg.ssl-ca-certificate}";
+ environment = mkIf (cfg.kerberos-keytab != null) {
+ KRB5_KTNAME = cfg.kerberos-keytab;
+ };
+ preStart = mkAfter ''
+ ${build-ca-script ca-path
 cfg.ssl-chain
+ cfg.ssl-ca-certificate}
+ '';
 serviceConfig = {
 PrivateDevices = true;
 PrivateTmp = true;
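Review bot: `preStart = mkAfter ''…''` in the third hunk replaces `mkBefore` on the CA-bundle build, which reorders it relative to every other preStart contribution to services.openldap, and neither the hunk nor the commit message ("Various changes") says why. The other preStart fragments are outside this hunk, so it cannot be checked here whether any of them reads the bundle at `ca-path` and now runs before it exists; a short comment on the line, e.g. `# mkAfter: rebuild the CA bundle last, once other preStart fragments have run (confirm none of them reads ca-path)`, would record the intent. The `environment = mkIf (cfg.kerberos-keytab != null) { … }` block and the slapd.conf guard in the second hunk are consistent with the new `default = null;` in the first.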
@@ -392,26 +389,26 @@ in {
 "dn.exact=cn=auth_reader,${cfg.base}" = "read";
 "*" = "auth";
 };
- "dn=cn=admin,ou=groups,${cfg.base}" = {
- # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
- "anonymous" = "auth";
- "dn.children=dc=fudo,dc=org" = "read";
- };
- "dn.subtree=ou=groups,${cfg.base} attrs=memberUid" = {
- # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
- # "dn.regex=cn=[a-zA-Z][a-zA-Z0-9_]+,ou=hosts,${cfg.base}" = "write";
- "anonymous" = "auth";
- "dn.children=dc=fudo,dc=org" = "read";
- };
- "dn.subtree=ou=members,${cfg.base} attrs=cn,sn,homeDirectory,loginShell,gecos,description,homeDirectory,uidNumber,gidNumber" = {
- # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
- "anonymous" = "auth";
- "dn.children=dc=fudo,dc=org" = "read";
- };
+ # "dn=cn=admin,ou=groups,${cfg.base}" = {
+ # # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
+ # "anonymous" = "auth";
+ # "*" = "read";
+ # };
+ # "dn.subtree=ou=groups,${cfg.base} attrs=memberUid" = {
+ # # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
+ # # "dn.regex=cn=[a-zA-Z][a-zA-Z0-9_]+,ou=hosts,${cfg.base}" = "write";
+ # "anonymous" = "auth";
+ # "*" = "read";
+ # };
+ # "dn.subtree=ou=members,${cfg.base} attrs=cn,sn,homeDirectory,loginShell,gecos,description,homeDirectory,uidNumber,gidNumber" = {
+ # # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
+ # "anonymous" = "auth";
+ # "*" = "read";
+ # };
 "*" = {
 # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
 "anonymous" = "auth";
- "dn.children=dc=fudo,dc=org" = "read";
+ "*" = "read";
 };
 };
 };
@@ -420,7 +417,7 @@ in {
 };
 
 declarativeContents = {
- "dc=fudo,dc=org" = ''
+ "${cfg.base}" = ''
 dn: ${cfg.base}
 objectClass: top
 objectClass: dcObject
diff --git a/lib/fudo/secrets.nix b/lib/fudo/secrets.nix
index e6d553c..a321f60 100644
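Review bot: `"*" = "read";` in the catch-all `"*" = { … }` stanza widens read access on every entry and attribute not matched earlier from identities beneath `dc=fudo,dc=org` to any bound DN, and the three attribute-scoped stanzas above it are commented out at the same time, so the attribute restrictions on ou=groups and ou=members go with them. The `"${cfg.base}"` change in the next hunk suggests the intent was to stop hard-coding the base rather than to broaden access; `"dn.children=${cfg.base}" = "read";` keeps the previous scope with the parameterised base. A second point to confirm: if this attrset is rendered into `by` clauses in Nix attribute order (attribute names are sorted, and `"*"` sorts before `"anonymous"`), `by * read` would be emitted ahead of `by anonymous auth`, and since slapd stops at the first matching by-clause an anonymous bind would receive read rather than auth; the generator is not visible here, so check the order it produces. The commented-out stanzas carry the same `"*" = "read"` replacement and would bring it back if re-enabled.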
--- a/lib/fudo/secrets.nix
+++ b/lib/fudo/secrets.nix
@@ -180,8 +180,13 @@ in {
 else { };
 
- host-secret-services = mapAttrs' (secret: secretOpts:
- (nameValuePair secretOpts.service
+ host-secret-services = let
+ head-or-null = lst: if (lst == []) then null else head lst;
+ strip-service = service-name:
+ head-or-null
+ (builtins.match "^(.+)[.]service$" service-name);
+ in mapAttrs' (secret: secretOpts:
+ (nameValuePair (strip-service secretOpts.service)
 (secret-service hostname secret secretOpts))) host-secrets;
 
 trace-all = obj: builtins.trace obj obj;
diff --git a/lib/lib/passwd.nix b/lib/lib/passwd.nix
index 97c2088..28d58d4 100644
--- a/lib/lib/passwd.nix
+++ b/lib/lib/passwd.nix
@@ -9,8 +9,10 @@ let
 buildInputs = with pkgs; [ openldap ];
 
- installPhase = ''
- slappasswd -T ${passwd-file} > $out
+ installPhase = let
+ passwd = removeSuffix "\n" (readFile passwd-file);
+ in ''
+ slappasswd -s ${passwd} > $out
 '';
 };
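Review bot: `strip-service` aborts evaluation for any `secretOpts.service` that does not end in `.service`: `builtins.match` returns null on a non-match, `head-or-null` only tests `lst == []`, and `head null` then throws an unrelated type error instead of keeping the name unchanged. Folding the null check into the helper gives the intended behaviour and removes the need for `head-or-null`: `strip-service = name: let m = builtins.match "(.+)[.]service" name; in if m == null then name else head m;` (the `^`/`$` anchors are redundant, as `builtins.match` always matches the whole string). Whether any caller relies on the stripped name matching the value still referenced as `host-secrets.<name>.service` elsewhere (for example the new `requires` in jabber.nix in this commit) is not visible in this hunk.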
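Review bot: `slappasswd -s ${passwd} > $out` in the passwd.nix hunk moves the plaintext password from a file argument onto the builder's command line, where it is readable by any process that can inspect the build process's arguments for the duration of the build, and it is interpolated unquoted into the shell script, so a password containing whitespace, quotes or `$` breaks or alters the command. If the motivation is that `-T` hashes the file's trailing newline, strip it inside the build and keep the file-based input: `printf '%s' "$(< ${passwd-file})" > passwd` followed by `slappasswd -T passwd > $out`. Reading the file with `readFile` at evaluation time also embeds the plaintext in the derivation's `installPhase` attribute; the previous form already placed the file in the store when the path was interpolated, so this is not a new exposure, but it is worth keeping in mind when choosing between the two.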