118 lines
3.5 KiB
Nix
118 lines
3.5 KiB
Nix
|
{ config, lib, pkgs, ... }:
|
||
|
|
|
||
|
|
with lib;
|
||
|
|
let
|
||
|
|
hostname = config.instance.hostname;
|
||
|
|
domain-name = config.instance.local-domain;
|
||
|
|
site-name = config.instance.local-site;
|
||
|
|
fqdn = "${hostname}.${domain-name}";
|
||
|
|
|
||
|
|
secrets = config.fudo.secrets.host-secrets.france;
|
||
|
|
|
||
|
|
# same as genAttr, but takes back attrsets and merges them
|
||
|
|
concatGenAttrs = lst: f:
|
||
|
|
foldr (a0: a1: a0 // a1) {} (map f lst);
|
||
|
|
|
||
|
|
in {
|
||
|
|
options.france = with types; {
|
||
|
|
ldap = {
|
||
|
|
ssl-certificate = mkOption {
|
||
|
|
type = path;
|
||
|
|
description = "SSL certificate to use for the LDAP server.";
|
||
|
|
};
|
||
|
|
ssl-private-key = mkOption {
|
||
|
|
type = path;
|
||
|
|
description = "SSL private key to use for the LDAP server.";
|
||
|
|
};
|
||
|
|
ssl-ca-certificate = mkOption {
|
||
|
|
type = path;
|
||
|
|
description = "SSL certificate authority to use for the LDAP server.";
|
||
|
|
};
|
||
|
|
};
|
||
|
|
|
||
|
|
kdc = {
|
||
|
|
state-directory = mkOption {
|
||
|
|
type = str;
|
||
|
|
description = "Path at which to store kerberos state.";
|
||
|
|
};
|
||
|
|
|
||
|
|
master-key-file = mkOption {
|
||
|
|
type = str;
|
||
|
|
description = "Heimdal database master key file.";
|
||
|
|
};
|
||
|
|
};
|
||
|
|
};
|
||
|
|
|
||
|
|
config = {
|
||
|
|
fudo = {
|
||
|
|
secrets.host-secrets.${hostname} = {
|
||
|
|
ldap-ssl-certificate = {
|
||
|
|
source-file = cfg.ssl-certificate;
|
||
|
|
target-file = "/var/run/ldap/ssl-certificate.pem";
|
||
|
|
user = config.services.openldap.user;
|
||
|
|
group = config.services.openldap.group;
|
||
|
|
permissions = "0444";
|
||
|
|
};
|
||
|
|
ldap-ssl-private-key = {
|
||
|
|
source-file = cfg.ssl-private-key;
|
||
|
|
target-file = "/var/run/ldap/ssl-private-key.pem";
|
||
|
|
user = config.services.openldap.user;
|
||
|
|
group = config.services.openldap.group;
|
||
|
|
permissions = "0400";
|
||
|
|
};
|
||
|
|
ldap-ssl-ca-certificate = {
|
||
|
|
source-file = cfg.ssl-ca-certificate;
|
||
|
|
target-file = "/var/run/ldap/ssl-ca-certificate.pem";
|
||
|
|
user = config.services.openldap.user;
|
||
|
|
group = config.services.openldap.group;
|
||
|
|
permissions = "0400";
|
||
|
|
};
|
||
|
|
};
|
||
|
|
|
||
|
|
auth = {
|
||
|
|
ldap = {
|
||
|
|
enable = true;
|
||
|
|
base = "dc=fudo,dc=org";
|
||
|
|
organization = "Fudo";
|
||
|
|
rootpw-file = secrets.ldap-root-passwd;
|
||
|
|
kerberos-host = fqdn;
|
||
|
|
kerberos-keytab = secrets.ldap-keytab;
|
||
|
|
|
||
|
|
sslCert =
|
||
|
|
secrets.ldap-ssl-certificate.target-file;
|
||
|
|
sslKey =
|
||
|
|
secrets.ldap-ssl-private-key.target-file;
|
||
|
|
sslCACert =
|
||
|
|
secrets.ldap-ssl-ca-certificate.target-file;
|
||
|
|
|
||
|
|
listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ];
|
||
|
|
|
||
|
|
users = config.fudo.users;
|
||
|
|
groups = config.fudo.groups;
|
||
|
|
system-users = config.fudo.system-users;
|
||
|
|
};
|
||
|
|
|
||
|
|
# TODO: let build hosts create keys?
|
||
|
|
kdc = {
|
||
|
|
enable = true;
|
||
|
|
realm = config.domains.${domain-name}.gssapi-realm;
|
||
|
|
state-directory = cfg.state-directory;
|
||
|
|
master-key-file = cfg.master-key-file;
|
||
|
|
acl = let
|
||
|
|
admin-entries = concatGenAttrs
|
||
|
|
config.instance.local-admins
|
||
|
|
(admin: {
|
||
|
|
"${admin}" = { perms = [ "add" "list" "change-password" ]; };
|
||
|
|
"${admin}/root" = { perms = [ "all" ]; };
|
||
|
|
});
|
||
|
|
in {
|
||
|
|
"host/*.fudo.org" = { perms = [ "add" ]; };
|
||
|
|
"pam_migrate/*.fudo.org" = { perms = [ "add" "change-password" ]; };
|
||
|
|
} // admin-entries;
|
||
|
|
bind-addresses = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
|
||
|
|
};
|
||
|
|
};
|
||
|
|
};
|
||
|
|
};
|
||
|
|
}
|