copy nb configuration and modules

utils/modules/openldap/default.nix

@@ -0,0 +1,480 @@
+{
+  pkgs,
+  config,
+  ...
+}:
+let
+  domain = config.networking.domain;
+  # domain = "cloonar.com";
+in {
+  services.openldap = {
+    enable = true;
+
+    urlList = [ "ldap:///" "ldaps:///" ];
+
+    settings.attrs = {
+      olcLogLevel = "-1";
+
+      olcTLSCACertificateFile = "/var/lib/acme/ldap.${domain}/full.pem";
+      olcTLSCertificateFile = "/var/lib/acme/ldap.${domain}/cert.pem";
+      olcTLSCertificateKeyFile = "/var/lib/acme/ldap.${domain}/key.pem";
+      olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
+      olcTLSCRLCheck = "none";
+      olcTLSVerifyClient = "never";
+      olcTLSProtocolMin = "3.1";
+      olcSecurity = "tls=1";
+    };
+
+    settings.children = {
+      "cn=schema".includes = [
+        "${pkgs.openldap}/etc/schema/core.ldif"
+        "${pkgs.openldap}/etc/schema/cosine.ldif"
+        "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+        "${pkgs.openldap}/etc/schema/nis.ldif"
+      ];
+
+      "olcDatabase={1}mdb".attrs = {
+        objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+        olcDatabase = "{1}mdb";
+        olcDbDirectory = "/var/lib/openldap/data";
+
+        olcSuffix = "dc=cloonar,dc=com";
+
+        olcRootDN = "cn=admin,dc=cloonar,dc=com";
+        olcRootPW.path = config.sops.secrets.openldap-rootpw.path;
+
+
+        olcAccess = [
+          ''
+            {0}to attrs=userPassword
+              by self write
+              by anonymous auth
+              by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * none
+          ''
+          ''
+            {1}to attrs=loginShell
+              by self write
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * none
+          ''
+          ''
+            {2}to dn.subtree="ou=system,ou=users,dc=cloonar,dc=com"
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * none
+          ''
+          ''
+            {3}to *
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by dn="cn=admin,dc=cloonar,dc=com" write
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * none
+          ''
+        ];
+      };
+      "olcOverlay=memberof,olcDatabase={1}mdb".attrs = {
+        objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
+        olcOverlay = "memberof";
+        olcMemberOfRefint = "TRUE";
+      };
+      "olcOverlay=ppolicy,olcDatabase={1}mdb".attrs = {
+        objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
+        olcOverlay = "ppolicy";
+        olcPPolicyHashCleartext = "TRUE";
+      };
+      # "olcOverlay=syncprov,olcDatabase={1}mdb".attrs = {
+      #   objectClass = ["olcOverlayConfig" "olcSyncProvConfig"];
+      #   olcOverlay = "syncprov";
+      #   olcSpSessionLog = "100";
+      # };
+      "olcDatabase={2}monitor".attrs = {
+        olcDatabase = "{2}monitor";
+        objectClass = ["olcDatabaseConfig" "olcMonitorConfig"];
+        olcAccess = [
+          ''
+            {0}to *
+              by dn.exact="cn=netdata,ou=system,ou=users,dc=cloonar,dc=com" read
+              by * none
+          ''
+        ];
+      };
+
+      "olcDatabase={3}mdb".attrs = {
+        objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+        olcDatabase = "{3}mdb";
+        olcDbDirectory = "/var/lib/openldap/data";
+
+        olcSuffix = "dc=ghetto,dc=at";
+
+        olcAccess = [
+          ''
+            {0}to attrs=userPassword
+              by self write
+              by anonymous auth
+              by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * none
+          ''
+          ''
+            {1}to *
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * read
+          ''
+        ];
+      };
+      "olcOverlay=memberof,olcDatabase={3}mdb".attrs = {
+        objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
+        olcOverlay = "memberof";
+        olcMemberOfRefint = "TRUE";
+      };
+      "olcOverlay=ppolicy,olcDatabase={3}mdb".attrs = {
+        objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
+        olcOverlay = "ppolicy";
+        olcPPolicyHashCleartext = "TRUE";
+      };
+
+      "olcDatabase={4}mdb".attrs = {
+        objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+        olcDatabase = "{4}mdb";
+        olcDbDirectory = "/var/lib/openldap/data";
+
+        olcSuffix = "dc=superbros,dc=tv";
+
+        olcAccess = [
+          ''
+            {0}to attrs=userPassword
+              by self write
+              by anonymous auth
+              by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * none
+          ''
+          ''
+            {1}to *
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * read
+          ''
+        ];
+      };
+      "olcOverlay=memberof,olcDatabase={4}mdb".attrs = {
+        objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
+        olcOverlay = "memberof";
+        olcMemberOfRefint = "TRUE";
+      };
+      "olcOverlay=ppolicy,olcDatabase={4}mdb".attrs = {
+        objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
+        olcOverlay = "ppolicy";
+        olcPPolicyHashCleartext = "TRUE";
+      };
+
+      "olcDatabase={5}mdb".attrs = {
+        objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+        olcDatabase = "{5}mdb";
+        olcDbDirectory = "/var/lib/openldap/data";
+
+        olcSuffix = "dc=optiprot,dc=eu";
+
+        olcAccess = [
+          ''
+            {0}to attrs=userPassword
+              by self write
+              by anonymous auth
+              by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * none
+          ''
+          ''
+            {1}to *
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * read
+          ''
+        ];
+      };
+      "olcOverlay=memberof,olcDatabase={5}mdb".attrs = {
+        objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
+        olcOverlay = "memberof";
+        olcMemberOfRefint = "TRUE";
+      };
+      "olcOverlay=ppolicy,olcDatabase={5}mdb".attrs = {
+        objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
+        olcOverlay = "ppolicy";
+        olcPPolicyHashCleartext = "TRUE";
+      };
+
+      "olcDatabase={6}mdb".attrs = {
+        objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+        olcDatabase = "{6}mdb";
+        olcDbDirectory = "/var/lib/openldap/data";
+
+        olcSuffix = "dc=szaku-consulting,dc=at";
+
+        olcAccess = [
+          ''
+            {0}to attrs=userPassword
+              by self write
+              by anonymous auth
+              by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * none
+          ''
+          ''
+            {1}to *
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * read
+          ''
+        ];
+      };
+      "olcOverlay=memberof,olcDatabase={6}mdb".attrs = {
+        objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
+        olcOverlay = "memberof";
+        olcMemberOfRefint = "TRUE";
+      };
+      "olcOverlay=ppolicy,olcDatabase={6}mdb".attrs = {
+        objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
+        olcOverlay = "ppolicy";
+        olcPPolicyHashCleartext = "TRUE";
+      };
+
+      # "cn=module{0},cn=config" = {
+      #   attrs = {
+      #     objectClass = "olcModuleList";
+      #     cn = "module{0}";
+      #     olcModuleLoad = "ppolicy.la";
+      #   };
+      # };
+
+      "cn={3}cloonar,cn=schema" = {
+        attrs = {
+          cn = "{1}cloonar";
+          objectClass = "olcSchemaConfig";
+          olcObjectClasses = [
+            ''
+              (1.3.6.1.4.1.28298.1.2.4 NAME 'cloonarUser'
+                SUP (mailAccount) AUXILIARY
+                DESC 'Cloonar Account'
+                MAY (sshPublicKey $ ownCloudQuota $ quota))
+            ''
+          ];
+        };
+      };
+      "cn={2}postfix,cn=schema".attrs = {
+        cn = "{2}postfix";
+        objectClass = "olcSchemaConfig";
+        olcAttributeTypes = [
+          ''
+            (1.3.6.1.4.1.12461.1.1.1 NAME 'postfixTransport'
+              DESC 'A string directing postfix which transport to use'
+              EQUALITY caseExactIA5Match
+              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE)''
+          ''
+            (1.3.6.1.4.1.12461.1.1.5 NAME 'mailbox'
+              DESC 'The absolute path to the mailbox for a mail account in a non-default location'
+              EQUALITY caseExactIA5Match
+              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
+          ''
+          ''
+            (1.3.6.1.4.1.12461.1.1.6 NAME 'quota'
+              DESC 'A string that represents the quota on a mailbox'
+              EQUALITY caseExactIA5Match
+              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
+          ''
+          ''
+            (1.3.6.1.4.1.12461.1.1.8 NAME 'maildrop'
+              DESC 'RFC822 Mailbox - mail alias'
+              EQUALITY caseIgnoreIA5Match
+              SUBSTR caseIgnoreIA5SubstringsMatch
+              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256})
+          ''
+        ];
+        olcObjectClasses = [
+          ''
+            (1.3.6.1.4.1.12461.1.2.1 NAME 'mailAccount'
+              SUP top AUXILIARY
+              DESC 'Mail account objects'
+              MUST ( mail $ userPassword )
+              MAY (  cn $ description $ quota))
+          ''
+          ''
+            (1.3.6.1.4.1.12461.1.2.2 NAME 'mailAlias'
+              SUP top STRUCTURAL
+              DESC 'Mail aliasing/forwarding entry'
+              MUST ( mail $ maildrop )
+              MAY ( cn $ description ))
+          ''
+          ''
+            (1.3.6.1.4.1.12461.1.2.3 NAME 'mailDomain'
+              SUP domain STRUCTURAL
+              DESC 'Virtual Domain entry to be used with postfix transport maps'
+              MUST ( dc )
+              MAY ( postfixTransport $ description  ))
+          ''
+          ''
+            (1.3.6.1.4.1.12461.1.2.4 NAME 'mailPostmaster'
+              SUP top AUXILIARY
+              DESC 'Added to a mailAlias to create a postmaster entry'
+              MUST roleOccupant)
+          ''
+        ];
+      };
+      "cn={1}openssh,cn=schema".attrs = {
+        cn = "{1}openssh";
+        objectClass = "olcSchemaConfig";
+        olcAttributeTypes = [
+          ''
+            (1.3.6.1.4.1.24552.500.1.1.1.13
+              NAME 'sshPublicKey'
+              DESC 'MANDATORY: OpenSSH Public key'
+              EQUALITY octetStringMatch
+              SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+          ''
+        ];
+        olcObjectClasses = [
+          ''
+            (1.3.6.1.4.1.24552.500.1.1.2.0
+              NAME 'ldapPublicKey'
+              SUP top AUXILIARY
+              DESC 'MANDATORY: OpenSSH LPK objectclass'
+              MUST ( sshPublicKey $ uid ))
+          ''
+        ];
+      };
+      "cn={1}nextcloud,cn=schema".attrs = {
+        cn = "{1}nextcloud";
+        objectClass = "olcSchemaConfig";
+        olcAttributeTypes = [
+          ''
+            (1.3.6.1.4.1.39430.1.1.1
+              NAME 'ownCloudQuota'
+              DESC 'User Quota (e.g. 15 GB)'
+              SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')
+          ''
+        ];
+        olcObjectClasses = [
+          ''
+            (1.3.6.1.4.1.39430.1.2.1
+              NAME 'ownCloud'
+              DESC 'ownCloud LDAP Schema'
+              AUXILIARY
+              MUST ( mail $ userPassword )
+              MAY ( ownCloudQuota ))
+          ''
+        ];
+      };
+      "cn={1}gogs,cn=schema".attrs = {
+        cn = "{1}gogs";
+        objectClass = "olcSchemaConfig";
+        olcObjectClasses = [
+          ''
+            ( 1.3.6.1.4.1.28293.1.2.4 NAME 'gitlab'
+              SUP uidObject AUXILIARY
+              DESC 'Added to an account to allow gitlab access'
+              MUST (mail))
+          ''
+        ];
+      };
+      "cn={1}homeAssistant,cn=schema".attrs = {
+        cn = "{1}homeAssistant";
+        objectClass = "olcSchemaConfig";
+        olcObjectClasses = [
+          ''
+            (1.3.6.1.4.1.28297.1.2.4 NAME 'homeAssistant'
+              SUP uidObject AUXILIARY
+              DESC 'Added to an account to allow home-assistant access'
+              MUST (mail) )
+          ''
+        ];
+      };
+      # "cn={1}ttrss,cn=schema".attrs = {
+      #   cn = "{1}ttrss";
+      #   objectClass = "olcSchemaConfig";
+      #   olcObjectClasses = [
+      #     ''
+      #       ( 1.3.6.1.4.1.28294.1.2.4 NAME 'ttrss'
+      #         SUP top AUXILIARY
+      #         DESC 'Added to an account to allow tinytinyrss access'
+      #         MUST ( mail $ userPassword ))
+      #     ''
+      #   ];
+      # };
+      # "cn={1}prometheus,cn=schema".attrs = {
+      #   cn = "{1}prometheus";
+      #   objectClass = "olcSchemaConfig";
+      #   olcObjectClasses = [
+      #     ''
+      #       ( 1.3.6.1.4.1.28296.1.2.4
+      #         NAME 'prometheus'
+      #         SUP uidObject AUXILIARY
+      #         DESC 'Added to an account to allow prometheus access'
+      #         MUST (mail))
+      #     ''
+      #   ];
+      # };
+      # "cn={1}loki,cn=schema".attrs = {
+      #   cn = "{1}loki";
+      #   objectClass = "olcSchemaConfig";
+      #   olcObjectClasses = [
+      #     ''
+      #       ( 1.3.6.1.4.1.28299.1.2.4
+      #         NAME 'loki'
+      #         SUP uidObject AUXILIARY
+      #         DESC 'Added to an account to allow loki access'
+      #         MUST (mail))
+      #     ''
+      #   ];
+      # };
+      # "cn={1}flood,cn=schema".attrs = {
+      #   cn = "{1}flood";
+      #   objectClass = "olcSchemaConfig";
+      #   olcObjectClasses = [
+      #     ''
+      #       (1.3.6.1.4.1.28300.1.2.4 NAME 'flood'
+      #         SUP uidObject AUXILIARY
+      #         DESC 'Added to an account to allow flood access'
+      #         MUST (mail))
+      #     ''
+      #   ];
+      # };
+    };
+  };
+
+  /* ensure openldap is launched after certificates are created */
+  systemd.services.openldap = {
+    wants = [ "acme-${domain}.service" ];
+    after = [ "acme-${domain}.service" ];
+  };
+
+  users.groups.acme.members = [ "openldap" ];
+  
+  /* trigger the actual certificate generation for your hostname */
+  security.acme.certs."ldap.${domain}" = {
+    extraDomainNames = [
+      "ldap-test.${domain}"
+      "ldap-02.${domain}"
+    ];
+    postRun = "systemctl restart openldap.service";
+  };
+
+  sops.secrets.openldap-rootpw = {
+    owner = "openldap";
+    sopsFile = ./secrets.yaml;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 389 636 ];
+}

utils/modules/openldap/secrets.yaml

@@ -0,0 +1,40 @@
+openldap-rootpw: ENC[AES256_GCM,data:cwxXkLd5jyrGI4IoewQL4HBH/Xi6SfVkizitKa0Qyr30SeH02VDLyGXzbpuRfZuPRePbLFEOMKUcCwkZV/2RTA==,iv:SqxCK5rnsgU6i68ZoBZtbRxLgUe59wMg7EYO5jlAwFw=,tag:SbORanDDqLPF+dNleqzYNg==,type:str]
+dovecot-ldap-password: ENC[AES256_GCM,data:czkIYqmWXs0U6LFbetJg47VQHw+E5kcHpdwRGmZAKi6Q3hP/IOW8N1dhIkrQRLzKih9vWXKhyo6BDA2e6w6pHQ==,iv:Ka18K0/pGJubfiQ1GKq3uxwZ/CgujO1DulwBomXBbco=,tag:QACpoLJ+QIMM3mCI/vTjtA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpcnBXWk1JaE9McXlzMUk3
+            bXZHRXRQbDdsK25MNTY1MHA0UWhCcWJRdlVVCmlzcDE0L1ZOQzB6MVBPYUdncUZr
+            M0FGSkdxaFpiY2NUTlRBSUZZdUJmRzgKLS0tIGs3UlNwUDJYVTFHTXcvZkJCS0w5
+            cGJic1JZTHE2NnkxN2JuYXY0TmZUWjAKN6orRU5LnJbl84HtKy0MBNA/PiuEmuhO
+            JL/tpFX+LiOScFHrvb40Ka6YvnyER+rufZXi1xknBzW1uyDt+lSyQw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1RWNUenVwS2xISmRQK3RN
+            ZEc5TGF2MGNocnZWNkhHQ1lGOU1adlFCZlJ3CmdOWC8vQVd4aEdLVTJtNTZCM1R5
+            VndOM3RJRy9laW1pa1k0TUt5UTEyVmsKLS0tIFB5aDNZQXlTRlYvUkJaOXI3NVky
+            VHFINVFjVVVsTXViTDV0QmFBWTRsbVkKJCjMI1GImwSKpgTDVwF5xAdnbUqBkxUO
+            vYFySQg5p12lZ7RtMbxdql24a52J9Jm/2dMMKKph339vw/rcW7YRXQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdXJGOFgzZFhFWXEvZkNB
+            OWI3MDQxVGZ5dGpXM245ZUlHZHJhRnR0UWl3CnNKeGhLNVdYVWdoWWFBaC90ZUhj
+            Mjc4MDQxa0ZaMnVaSndWRDFrTjVpZmMKLS0tIG9rZGJJb0J6SE1lSjdWSHc0V2FH
+            dGJqSzB5NE5ESzE1L0ZxTDBORnpvRUUKtKejHfzBGnrOJzPStRUcjD/cRq3BqsdP
+            PtSh9ujx/aazn1O86wMYuIgb1WfWL3ZyTtoPCukGKth9KT1JweU1eA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-01-22T20:44:32Z"
+    mac: ENC[AES256_GCM,data:nKR47o4Evt4TPyndEwZlnP/ctGaaz6wwn0k+JnDCL3FW1TO64spNL7xDcoxWwPuRLrgjgtazsm4Tevplzc3J/N4dhnPAdiPtZOQd3tKibIJKDkxG+6upGvzMMrXXInzoGVqwFMrZmdIqlpLAgqX/1VwY4Tnrf0IfiwJ8wWmSZe8=,iv:FUL/gcDZBZrclYupzstSFG86NOnEOvvgr8ou7wVQ3AY=,tag:KPXm0HHwc8v64dnqGqlFUQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3