Various changes
parent
aa39f039aa
commit
daae1f2037
@ -66,6 +66,12 @@ let
|
|||||||
default = [];
|
default = [];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
ldap-servers = mkOption {
|
||||||
|
type = listOf str;
|
||||||
|
description = "List of hosts acting as LDAP authentication servers for the domain.";
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
|
|
||||||
primary-nameserver = mkOption {
|
primary-nameserver = mkOption {
|
||||||
type = nullOr str;
|
type = nullOr str;
|
||||||
description = "Hostname of the primary nameserver for this domain.";
|
description = "Hostname of the primary nameserver for this domain.";
|
||||||
|
@ -183,12 +183,6 @@ in {
|
|||||||
description = "Environment variables to set for the ejabberd daemon.";
|
description = "Environment variables to set for the ejabberd daemon.";
|
||||||
default = {};
|
default = {};
|
||||||
};
|
};
|
||||||
|
|
||||||
required-services = mkOption {
|
|
||||||
type = listOf str;
|
|
||||||
description = "List of services that must start before ejabberd.";
|
|
||||||
default = [];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
@ -266,6 +260,7 @@ in {
|
|||||||
'';
|
'';
|
||||||
EnvironmentFile = host-secrets.ejabberd-password-env.target-file;
|
EnvironmentFile = host-secrets.ejabberd-password-env.target-file;
|
||||||
};
|
};
|
||||||
|
requires = [ host-secrets.ejabberd-password-env.service ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
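Review bot: The new `requires = [ host-secrets.ejabberd-password-env.service ];` pulls the secret service in but does not order ejabberd after it, so ejabberd can still be launched while the file named in `EnvironmentFile = host-secrets.ejabberd-password-env.target-file` has not yet been written; systemd's Requires= only enforces ordering together with After=. Add `after = [ host-secrets.ejabberd-password-env.service ];` next to the new `requires` line. The enclosing systemd service definition starts and ends outside this hunk.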
@ -239,9 +239,8 @@ let
|
|||||||
};
|
};
|
||||||
|
|
||||||
ipropd-keytab = mkOption {
|
ipropd-keytab = mkOption {
|
||||||
type = str;
|
type = nullOr str;
|
||||||
description = "Location at which to find keytab for ipropd slave.";
|
description = "Location at which to find keytab for ipropd slave.";
|
||||||
default = "${state-directory}/ipropd.keytab";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
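Review bot: `ipropd-keytab` loses its `default = "${state-directory}/ipropd.keytab"` while its type becomes `nullOr str`, so the option now has no value at all unless the user sets it, and any unconditional read of `cfg.ipropd-keytab` elsewhere will fail evaluation with an "option used but not defined" error. Add `default = null;` here, as the `kerberos-keytab` hunk further down does, and state what null means in the description, e.g. `description = "Location at which to find keytab for ipropd slave, or null if no slave keytab is configured.";`. The same documentation gap applies to `kerberos-keytab` in the later hunk: its description should say that null omits the sasl2/slapd.conf entry and the KRB5_KTNAME environment setting, since those are the two places the later hunks gate on `cfg.kerberos-keytab != null`.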
@ -88,18 +88,12 @@ in {
|
|||||||
ldap-server = {
|
ldap-server = {
|
||||||
enable = mkEnableOption "Fudo Authentication";
|
enable = mkEnableOption "Fudo Authentication";
|
||||||
|
|
||||||
kerberos-host = mkOption {
|
|
||||||
type = str;
|
|
||||||
description = ''
|
|
||||||
The name of the host to use for Kerberos authentication.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
kerberos-keytab = mkOption {
|
kerberos-keytab = mkOption {
|
||||||
type = str;
|
type = nullOr str;
|
||||||
description = ''
|
description = ''
|
||||||
The path to a keytab for the LDAP server, containing a principal for ldap/<hostname>.
|
The path to a keytab for the LDAP server, containing a principal for ldap/<hostname>.
|
||||||
'';
|
'';
|
||||||
|
default = null;
|
||||||
};
|
};
|
||||||
|
|
||||||
ssl-certificate = mkOption {
|
ssl-certificate = mkOption {
|
||||||
@ -226,7 +220,7 @@ in {
|
|||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
etc = {
|
etc = {
|
||||||
"openldap/sasl2/slapd.conf" = {
|
"openldap/sasl2/slapd.conf" = mkIf (cfg.kerberos-keytab != null) {
|
||||||
mode = "0400";
|
mode = "0400";
|
||||||
user = config.services.openldap.user;
|
user = config.services.openldap.user;
|
||||||
group = config.services.openldap.group;
|
group = config.services.openldap.group;
|
||||||
@ -255,11 +249,14 @@ in {
|
|||||||
services.openldap = {
|
services.openldap = {
|
||||||
partOf = [ cfg.systemd-target ];
|
partOf = [ cfg.systemd-target ];
|
||||||
requires = cfg.required-services;
|
requires = cfg.required-services;
|
||||||
environment.KRB5_KTNAME = cfg.kerberos-keytab;
|
environment = mkIf (cfg.kerberos-keytab != null) {
|
||||||
preStart = mkBefore
|
KRB5_KTNAME = cfg.kerberos-keytab;
|
||||||
"${build-ca-script ca-path
|
};
|
||||||
|
preStart = mkAfter ''
|
||||||
|
${build-ca-script ca-path
|
||||||
cfg.ssl-chain
|
cfg.ssl-chain
|
||||||
cfg.ssl-ca-certificate}";
|
cfg.ssl-ca-certificate}
|
||||||
|
'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
PrivateDevices = true;
|
PrivateDevices = true;
|
||||||
PrivateTmp = true;
|
PrivateTmp = true;
|
||||||
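Review bot: Switching preStart from `mkBefore` to `mkAfter` moves the CA-bundle assembly (`build-ca-script ca-path cfg.ssl-chain cfg.ssl-ca-certificate`) to after any preStart the openldap module itself contributes; if that module-provided preStart reads or validates the TLS configuration, it would now run before the bundle exists, which cannot be confirmed from this hunk. Since the commit message gives no rationale, add a one-line comment above the new `preStart = mkAfter ''` stating why the later ordering is required, e.g. `# mkAfter: the CA bundle must be built after <reason> in the module's own preStart`. The `environment = mkIf (cfg.kerberos-keytab != null) { KRB5_KTNAME = cfg.kerberos-keytab; };` change is consistent with the sasl2/slapd.conf guard in the previous hunk.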
@ -392,26 +389,26 @@ in {
|
|||||||
"dn.exact=cn=auth_reader,${cfg.base}" = "read";
|
"dn.exact=cn=auth_reader,${cfg.base}" = "read";
|
||||||
"*" = "auth";
|
"*" = "auth";
|
||||||
};
|
};
|
||||||
"dn=cn=admin,ou=groups,${cfg.base}" = {
|
# "dn=cn=admin,ou=groups,${cfg.base}" = {
|
||||||
# "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
# # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
||||||
"anonymous" = "auth";
|
# "anonymous" = "auth";
|
||||||
"dn.children=dc=fudo,dc=org" = "read";
|
# "*" = "read";
|
||||||
};
|
# };
|
||||||
"dn.subtree=ou=groups,${cfg.base} attrs=memberUid" = {
|
# "dn.subtree=ou=groups,${cfg.base} attrs=memberUid" = {
|
||||||
# "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
# # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
||||||
# "dn.regex=cn=[a-zA-Z][a-zA-Z0-9_]+,ou=hosts,${cfg.base}" = "write";
|
# # "dn.regex=cn=[a-zA-Z][a-zA-Z0-9_]+,ou=hosts,${cfg.base}" = "write";
|
||||||
"anonymous" = "auth";
|
# "anonymous" = "auth";
|
||||||
"dn.children=dc=fudo,dc=org" = "read";
|
# "*" = "read";
|
||||||
};
|
# };
|
||||||
"dn.subtree=ou=members,${cfg.base} attrs=cn,sn,homeDirectory,loginShell,gecos,description,homeDirectory,uidNumber,gidNumber" = {
|
# "dn.subtree=ou=members,${cfg.base} attrs=cn,sn,homeDirectory,loginShell,gecos,description,homeDirectory,uidNumber,gidNumber" = {
|
||||||
# "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
# # "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
||||||
"anonymous" = "auth";
|
# "anonymous" = "auth";
|
||||||
"dn.children=dc=fudo,dc=org" = "read";
|
# "*" = "read";
|
||||||
};
|
# };
|
||||||
"*" = {
|
"*" = {
|
||||||
# "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
# "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
||||||
"anonymous" = "auth";
|
"anonymous" = "auth";
|
||||||
"dn.children=dc=fudo,dc=org" = "read";
|
"*" = "read";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
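Review bot: In the catch-all `"*" = {` access block, replacing `"dn.children=dc=fudo,dc=org" = "read"` with `"*" = "read"` widens who may read: the old clause granted read only to identities whose DN sits under the base, whereas `*` matches any bound identity (anonymous is still caught first by the preceding `"anonymous" = "auth"` clause, since the first matching by-clause wins). If the intent was only to drop the hard-coded base, `"dn.children=${cfg.base}" = "read"` preserves the previous scope and matches the `${cfg.base}` interpolation used throughout this hunk. The three subtree blocks (admin group, groups memberUid, members attrs) are commented out rather than deleted; leaving that dead ACL text in place makes the effective policy harder to audit, so remove it and let the history keep it.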
@ -420,7 +417,7 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
declarativeContents = {
|
declarativeContents = {
|
||||||
"dc=fudo,dc=org" = ''
|
"${cfg.base}" = ''
|
||||||
dn: ${cfg.base}
|
dn: ${cfg.base}
|
||||||
objectClass: top
|
objectClass: top
|
||||||
objectClass: dcObject
|
objectClass: dcObject
|
||||||
|
@ -180,8 +180,13 @@ in {
|
|||||||
else
|
else
|
||||||
{ };
|
{ };
|
||||||
|
|
||||||
host-secret-services = mapAttrs' (secret: secretOpts:
|
host-secret-services = let
|
||||||
(nameValuePair secretOpts.service
|
head-or-null = lst: if (lst == []) then null else head lst;
|
||||||
|
strip-service = service-name:
|
||||||
|
head-or-null
|
||||||
|
(builtins.match "^(.+)[.]service$" service-name);
|
||||||
|
in mapAttrs' (secret: secretOpts:
|
||||||
|
(nameValuePair (strip-service secretOpts.service)
|
||||||
(secret-service hostname secret secretOpts))) host-secrets;
|
(secret-service hostname secret secretOpts))) host-secrets;
|
||||||
|
|
||||||
trace-all = obj: builtins.trace obj obj;
|
trace-all = obj: builtins.trace obj obj;
|
||||||
|
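Review bot: `strip-service` aborts evaluation for a service name that does not end in `.service`: `builtins.match` returns null in that case, `head-or-null` only checks for `[]`, and `head null` then fails with a type error that does not name the offending secret. Fall back to the original name instead: `strip-service = service-name: let m = builtins.match "^(.+)[.]service$" service-name; in if m == null then service-name else head m;`, which also makes `head-or-null` unnecessary. Nix's builtins.match already matches the whole string, so the `^` and `$` anchors are redundant but harmless.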
@ -9,8 +9,10 @@ let
|
|||||||
|
|
||||||
buildInputs = with pkgs; [ openldap ];
|
buildInputs = with pkgs; [ openldap ];
|
||||||
|
|
||||||
installPhase = ''
|
installPhase = let
|
||||||
slappasswd -T ${passwd-file} > $out
|
passwd = removeSuffix "\n" (readFile passwd-file);
|
||||||
|
in ''
|
||||||
|
slappasswd -s ${passwd} > $out
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
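Review bot: `slappasswd -s ${passwd} > $out` interpolates the cleartext password unquoted into the builder's shell script, so a password containing whitespace or shell metacharacters breaks the command or is interpreted by the shell, and the secret is also exposed on the `slappasswd` command line for the duration of the build; quote it at least: `slappasswd -s ${escapeShellArg passwd} > $out` (escapeShellArg from nixpkgs lib, alongside the `removeSuffix` already used here). Reading the file with `readFile` also copies the password into the Nix evaluation and into the derivation's builder script, which ends up in the Nix store; the previous `-T ${passwd-file}` form placed the file itself in the store if passwd-file is a path, so this hunk does not make that worse, but a comment next to `passwd-file` noting that the value is stored in cleartext would help the next maintainer.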