Merge pull request #60097 from Mic92/openldap-rootpw-file

nixos/openldap: make rootpw option optional
Silvan Mosberger 2019-05-01 22:29:55 +02:00 committed by GitHub
commit c68124b5f0
GPG Key ID: 4AEE18F83AFDEB23


@ -18,7 +18,11 @@ let
database ${cfg.database} database ${cfg.database}
suffix ${cfg.suffix} suffix ${cfg.suffix}
rootdn ${cfg.rootdn} rootdn ${cfg.rootdn}
rootpw ${cfg.rootpw} ${if (cfg.rootpw != null) then ''
rootpw ${cfg.rootpw}
'' else ''
include ${cfg.rootpwFile}
''}
directory ${cfg.dataDir} directory ${cfg.dataDir}
${cfg.extraDatabaseConfig} ${cfg.extraDatabaseConfig}
''); '');
@ -106,10 +110,23 @@ in
}; };
rootpw = mkOption { rootpw = mkOption {
type = types.str; type = types.nullOr types.str;
default = null;
description = '' description = ''
Password for the root user. Password for the root user.
This setting will be ignored if configDir is set. This setting will be ignored if configDir is set.
Using this option will store the root password in plain text in the
world-readable nix store. To avoid this the <literal>rootpwFile</literal> can be used.
'';
};
rootpwFile = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Password file for the root user.
The file should contain the string <literal>rootpw</literal> followed by the password.
e.g.: <literal>rootpw mysecurepassword</literal>
''; '';
}; };
@ -140,9 +157,9 @@ in
include ${pkgs.openldap.out}/etc/schema/inetorgperson.schema include ${pkgs.openldap.out}/etc/schema/inetorgperson.schema
include ${pkgs.openldap.out}/etc/schema/nis.schema include ${pkgs.openldap.out}/etc/schema/nis.schema
database bdb database bdb
suffix dc=example,dc=org suffix dc=example,dc=org
rootdn cn=admin,dc=example,dc=org rootdn cn=admin,dc=example,dc=org
# NOTE: change after first start # NOTE: change after first start
rootpw secret rootpw secret
directory /var/db/openldap directory /var/db/openldap
@ -218,6 +235,12 @@ in
###### implementation ###### implementation
config = mkIf cfg.enable { config = mkIf cfg.enable {
assertions = [
{
assertion = cfg.rootpwFile != null || cfg.rootpw != null;
message = "Either services.openldap.rootpw or services.openldap.rootpwFile must be set";
}
];
environment.systemPackages = [ openldap ]; environment.systemPackages = [ openldap ];