Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix lib, remove old openldap

Browse Source
This commit is contained in:
Dominik Polakovics Polakovics
2023-09-29 10:42:19 +02:00
parent b00b09f139
commit 0bce2bf6fd
2 changed files with 1 additions and 326 deletions
Download Patch File Download Diff File Expand all files Collapse all files

325
utils/modules/openldap.nix
View File

@@ -1,325 +0,0 @@
{
pkgs,
config,
...
}: {
services.openldap = {
enable = true;
settings.attrs.olcLogLevel = "0";
settings.attrs.olcTLSCACertificateFile = config.sops.secrets.openldap-ca.path;
settings.attrs.olcTLSCertificateFile = config.sops.secrets.openldap-cert.path;
settings.attrs.olcTLSCertificateKeyFile = config.sops.secrets.openldap-key.path;
settings.children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcRootPW.path = config.sops.secrets.openldap-rootpw.path;
olcRootDN = "cn=admin,dc=cloonar,dc=com";
olcSuffix = "dc=cloonar,dc=com";
olcAccess = [
''
{0}to attrs=userPassword
by self write by anonymous auth
by dn.base="cn=dovecot,dc=cloonar,dc=com" read
by dn.base="cn=gogs,ou=system,ou=users,dc=cloonar,dc=com" read
read by * none
''
''
{1}to attrs=loginShell
by self write
by * read
''
''
{2}to dn.subtree="ou=system,ou=users,dc=cloonar,dc=com"
by dn.base="cn=dovecot,dc=mail,dc=cloonar,dc=com" read
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by * none
''
''
{3}to dn.subtree="ou=jabber,ou=users,dc=cloonar,dc=com"
by dn.base="cn=prosody,ou=system,ou=users,dc=eve" write
by * read
''
''
{4}to * by * read
''
];
};
"olcOverlay=syncprov,olcDatabase={1}mdb".attrs = {
objectClass = ["olcOverlayConfig" "olcSyncProvConfig"];
olcOverlay = "syncprov";
olcSpSessionLog = "100";
};
"olcDatabase={2}monitor".attrs = {
olcDatabase = "{2}monitor";
objectClass = ["olcDatabaseConfig" "olcMonitorConfig"];
olcAccess = [
''
{0}to *
by dn.exact="cn=netdata,ou=system,ou=users,dc=cloonar,dc=com" read
by * none
''
];
};
"cn={1}bitwarden,cn=schema" = {
attrs = {
cn = "{1}bitwarden";
objectClass = "olcSchemaConfig";
olcObjectClasses = [
''
(1.3.6.1.4.1.28298.1.2.4 NAME 'bitwarden'
SUP uidObject AUXILIARY
DESC 'Added to an account to allow bitwarden access'
MUST (mail $ userPassword))
''
]
};
};
# "cn={1}squid,cn=schema".attrs = {
# cn = "{1}squid";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# (1.3.6.1.4.1.16548.1.2.4 NAME 'proxyUser'
# SUP top AUXILIARY
# DESC 'Account to allow a user to use the Squid proxy'
# MUST ( mail $ userPassword ))
# ''
# ];
# };
# "cn={1}grafana,cn=schema".attrs = {
# cn = "{1}grafana";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# (1.3.6.1.4.1.28293.1.2.5 NAME 'grafana'
# SUP uidObject AUXILIARY
# DESC 'Added to an account to allow grafana access'
# MUST (mail))
# ''
# ];
# };
"cn={2}postfix,cn=schema".attrs = {
cn = "{2}postfix";
objectClass = "olcSchemaConfig";
olcAttributeTypes = [
''
(1.3.6.1.4.1.12461.1.1.1 NAME 'postfixTransport'
DESC 'A string directing postfix which transport to use'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE)''
''
(1.3.6.1.4.1.12461.1.1.5 NAME 'mailbox'
DESC 'The absolute path to the mailbox for a mail account in a non-default location'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
''
''
(1.3.6.1.4.1.12461.1.1.6 NAME 'quota'
DESC 'A string that represents the quota on a mailbox'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
''
''
(1.3.6.1.4.1.12461.1.1.8 NAME 'maildrop'
DESC 'RFC822 Mailbox - mail alias'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256})
''
];
olcObjectClasses = [
''
(1.3.6.1.4.1.12461.1.2.1 NAME 'mailAccount'
SUP top AUXILIARY
DESC 'Mail account objects'
MUST ( mail $ userPassword )
MAY ( cn $ description $ quota))
''
''
(1.3.6.1.4.1.12461.1.2.2 NAME 'mailAlias'
SUP top STRUCTURAL
DESC 'Mail aliasing/forwarding entry'
MUST ( mail $ maildrop )
MAY ( cn $ description ))
''
''
(1.3.6.1.4.1.12461.1.2.3 NAME 'mailDomain'
SUP domain STRUCTURAL
DESC 'Virtual Domain entry to be used with postfix transport maps'
MUST ( dc )
MAY ( postfixTransport $ description ))
''
''
(1.3.6.1.4.1.12461.1.2.4 NAME 'mailPostmaster'
SUP top AUXILIARY
DESC 'Added to a mailAlias to create a postmaster entry'
MUST roleOccupant)
''
];
};
"cn={1}openssh,cn=schema".attrs = {
cn = "{1}openssh";
objectClass = "olcSchemaConfig";
olcAttributeTypes = [
''
(1.3.6.1.4.1.24552.500.1.1.1.13
NAME 'sshPublicKey'
DESC 'MANDATORY: OpenSSH Public key'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
''
];
olcObjectClasses = [
''
(1.3.6.1.4.1.24552.500.1.1.2.0
NAME 'ldapPublicKey'
SUP top AUXILIARY
DESC 'MANDATORY: OpenSSH LPK objectclass'
MUST ( sshPublicKey $ uid ))
''
];
};
"cn={1}nginx,cn=schema".attrs = {
cn = "{1}nginx";
objectClass = "olcSchemaConfig";
olcObjectClasses = [
''
(1.3.6.1.4.1.28295.1.2.4 NAME 'nginx'
SUP top AUXILIARY
DESC 'Added to an account to allow nginx access'
MUST ( mail $ userPassword ))
''
];
};
"cn={1}nextcloud,cn=schema".attrs = {
cn = "{1}nextcloud";
objectClass = "olcSchemaConfig";
olcAttributeTypes = [
''
(1.3.6.1.4.1.39430.1.1.1
NAME 'ownCloudQuota'
DESC 'User Quota (e.g. 15 GB)'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')
''
];
olcObjectClasses = [
''
(1.3.6.1.4.1.39430.1.2.1
NAME 'ownCloud'
DESC 'ownCloud LDAP Schema'
AUXILIARY
MUST ( mail $ userPassword )
MAY ( ownCloudQuota ))
''
];
};
"cn={1}gogs,cn=schema".attrs = {
cn = "{1}gitlab";
objectClass = "olcSchemaConfig";
olcObjectClasses = [
''
( 1.3.6.1.4.1.28293.1.2.4 NAME 'gitlab'
SUP uidObject AUXILIARY
DESC 'Added to an account to allow gitlab access'
MUST (mail))
''
];
};
"cn={1}iobroker,cn=schema".attrs = {
cn = "{1}homeAssistant";
objectClass = "olcSchemaConfig";
olcObjectClasses = [
''
(1.3.6.1.4.1.28297.1.2.4 NAME 'homeAssistant'
SUP uidObject AUXILIARY
DESC 'Added to an account to allow home-assistant access'
MUST (mail) )
''
];
};
# "cn={1}ttrss,cn=schema".attrs = {
# cn = "{1}ttrss";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# ( 1.3.6.1.4.1.28294.1.2.4 NAME 'ttrss'
# SUP top AUXILIARY
# DESC 'Added to an account to allow tinytinyrss access'
# MUST ( mail $ userPassword ))
# ''
# ];
# };
# "cn={1}prometheus,cn=schema".attrs = {
# cn = "{1}prometheus";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# ( 1.3.6.1.4.1.28296.1.2.4
# NAME 'prometheus'
# SUP uidObject AUXILIARY
# DESC 'Added to an account to allow prometheus access'
# MUST (mail))
# ''
# ];
# };
# "cn={1}loki,cn=schema".attrs = {
# cn = "{1}loki";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# ( 1.3.6.1.4.1.28299.1.2.4
# NAME 'loki'
# SUP uidObject AUXILIARY
# DESC 'Added to an account to allow loki access'
# MUST (mail))
# ''
# ];
# };
# "cn={1}flood,cn=schema".attrs = {
# cn = "{1}flood";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# (1.3.6.1.4.1.28300.1.2.4 NAME 'flood'
# SUP uidObject AUXILIARY
# DESC 'Added to an account to allow flood access'
# MUST (mail))
# ''
# ];
# };
};
};
sops.secrets.openldap-rootpw = {
owner = "openldap";
sopsFile = ./secrets.yaml;
};
sops.secrets.openldap-ca = {
owner = "openldap";
sopsFile = ./secrets.yaml;
};
sops.secrets.openldap-cert = {
owner = "openldap";
sopsFile = ./secrets.yaml;
};
sops.secrets.openldap-key = {
owner = "openldap";
sopsFile = ./secrets.yaml;
};
networking.firewall.allowedTCPPorts = [636];
}