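# slapd (OpenLDAP) for dc=cloonar,dc=com plus several hosted suffixes.
#
# TLS material comes from the ACME module, the root password from sops.
# Ports 389 and 636 are opened in the firewall below, so everything under
# `settings.attrs` that shapes the TLS handshake faces untrusted clients;
# `olcSecurity = "tls=1"` forces StartTLS/LDAPS for every operation, so the
# plain ldap:/// listener never carries cleartext binds.
{ pkgs, config, ... }:
let
  domain = config.networking.domain;
  certDir = "/var/lib/acme/ldap.${domain}";

  # DNs that recur in every ACL.
  systemUsers = "ou=system,ou=users,dc=cloonar,dc=com";
  adminGroup = "cn=Administrators,ou=groups,dc=cloonar,dc=com";
  owncloudDn = "cn=owncloud,${systemUsers}";
  autheliaDn = "cn=authelia,${systemUsers}";

  # ACL set shared by the hosted suffixes ({3} .. {9}).  Clause order matters:
  # slapd stops at the first matching `by`.  With `authelia = true` the
  # authelia service account may also (re)set userPassword.
  # NOTE(review): the catch-all rule ends in `by * read`, i.e. anonymous read
  # of every non-password attribute in the hosted trees, whereas {1}mdb ends
  # its catch-all in `by * none` -- confirm this is intended per suffix.
  hostedAccess = { authelia ? false }: [
    ''
      {0}to attrs=userPassword
        by self write
        by anonymous auth
        by dn="${owncloudDn}" write
        ${if authelia then "by dn=\"${autheliaDn}\" write" else ""}
        by dn.subtree="${systemUsers}" read
        by group.exact="${adminGroup}" write
        by * none
    ''
    ''
      {1}to attrs=pgpPublicKey
        by self write
        by anonymous read
        by dn.subtree="${systemUsers}" read
        by group.exact="${adminGroup}" write
        by * read
    ''
    ''
      {2}to *
        by dn.subtree="${systemUsers}" read
        by group.exact="${adminGroup}" write
        by * read
    ''
  ];

  # One hosted back-mdb database; `idx` is the slapd ordering index.
  # NOTE(review): every mdb database here points at the same olcDbDirectory.
  # LMDB expects one environment per directory (data.mdb/lock.mdb), so this
  # looks like it would make the databases collide -- verify on the host
  # before relying on it; not changed here because moving directories would
  # detach existing data.
  hostedDb = idx: suffix: authelia: {
    objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
    olcDatabase = "{${toString idx}}mdb";
    olcDbDirectory = "/var/lib/openldap/data";
    olcSuffix = suffix;
    olcAccess = hostedAccess { inherit authelia; };
  };

  # memberof overlay: maintains memberOf on group members; refint keeps it
  # consistent on rename/delete.
  memberofOverlay = {
    objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
    olcOverlay = "memberof";
    olcMemberOfRefint = "TRUE";
  };

  # ppolicy overlay: HashCleartext stores a hash even when a client writes a
  # cleartext userPassword.
  ppolicyOverlay = {
    objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
    olcOverlay = "ppolicy";
    olcPPolicyHashCleartext = "TRUE";
  };
in
{
  services.openldap = {
    enable = true;
    urlList = [ "ldap:///" "ldaps:///" ];

    settings.attrs = {
      olcLogLevel = "256"; # "stats": one log line per operation
      olcTLSCACertificateFile = "${certDir}/full.pem";
      olcTLSCertificateFile = "${certDir}/cert.pem";
      olcTLSCertificateKeyFile = "${certDir}/key.pem";
      # Previously "HIGH:MEDIUM:+3DES:+RC4:+aNULL".  HIGH/MEDIUM alone still
      # admit the anonymous (aNULL) suites, and 3DES/RC4 are obsolete; exclude
      # them explicitly.  OpenSSL cipher-string syntax (nixpkgs' openldap links
      # OpenSSL) -- adjust if the build is ever switched to GnuTLS.
      olcTLSCipherSuite = "HIGH:!aNULL:!eNULL:!3DES:!RC4:!MD5:!EXPORT";
      olcTLSCRLCheck = "none";
      # Clients authenticate by bind, not by client certificate.
      olcTLSVerifyClient = "never";
      # <major>.<minor>: 3.3 = TLS 1.2 (was 3.1 = TLS 1.0).
      olcTLSProtocolMin = "3.3";
      # Minimum TLS security strength factor for every operation (StartTLS
      # itself is exempt), so the ldap:/// listener only serves TLS sessions.
      olcSecurity = "tls=1";
    };

    settings.children = {
      "cn=schema".includes = [
        "${pkgs.openldap}/etc/schema/core.ldif"
        "${pkgs.openldap}/etc/schema/cosine.ldif"
        "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
        "${pkgs.openldap}/etc/schema/nis.ldif"
      ];

      # Primary suffix.  Root password is read from a sops-managed file, never
      # from the store.  Unlike the hosted suffixes, loginShell and the
      # ou=system subtree are hidden from anonymous and ordinary users.
      "olcDatabase={1}mdb".attrs = {
        objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
        olcDatabase = "{1}mdb";
        olcDbDirectory = "/var/lib/openldap/data";
        olcSuffix = "dc=cloonar,dc=com";
        olcRootDN = "cn=admin,dc=cloonar,dc=com";
        olcRootPW.path = config.sops.secrets.openldap-rootpw.path;
        olcAccess = [
          ''
            {0}to attrs=userPassword
              by self write
              by anonymous auth
              by dn="${owncloudDn}" write
              by dn.subtree="${systemUsers}" read
              by group.exact="${adminGroup}" write
              by * none
          ''
          ''
            {1}to attrs=pgpPublicKey
              by self write
              by anonymous read
              by dn.subtree="${systemUsers}" read
              by group.exact="${adminGroup}" write
              by * read
          ''
          ''
            {2}to attrs=loginShell
              by self write
              by dn.subtree="${systemUsers}" read
              by group.exact="${adminGroup}" write
              by * none
          ''
          ''
            {3}to dn.subtree="${systemUsers}"
              by dn.subtree="${systemUsers}" read
              by group.exact="${adminGroup}" write
              by * none
          ''
          ''
            {4}to *
              by dn.subtree="${systemUsers}" read
              by dn="cn=admin,dc=cloonar,dc=com" write
              by group.exact="${adminGroup}" write
              by * none
          ''
        ];
      };
      "olcOverlay=memberof,olcDatabase={1}mdb".attrs = memberofOverlay;
      "olcOverlay=ppolicy,olcDatabase={1}mdb".attrs = ppolicyOverlay;
      # "olcOverlay=syncprov,olcDatabase={1}mdb".attrs = {
      #   objectClass = [ "olcOverlayConfig" "olcSyncProvConfig" ];
      #   olcOverlay = "syncprov";
      #   olcSpSessionLog = "100";
      # };

      # cn=Monitor: readable only by the netdata service account.
      "olcDatabase={2}monitor".attrs = {
        olcDatabase = "{2}monitor";
        objectClass = [ "olcDatabaseConfig" "olcMonitorConfig" ];
        olcAccess = [
          ''
            {0}to *
              by dn.exact="cn=netdata,${systemUsers}" read
              by * none
          ''
        ];
      };

      # Hosted suffixes.  The third argument says whether authelia may write
      # userPassword for that tree.
      "olcDatabase={3}mdb".attrs = hostedDb 3 "dc=ghetto,dc=at" true;
      "olcOverlay=memberof,olcDatabase={3}mdb".attrs = memberofOverlay;
      "olcOverlay=ppolicy,olcDatabase={3}mdb".attrs = ppolicyOverlay;

      "olcDatabase={4}mdb".attrs = hostedDb 4 "dc=superbros,dc=tv" false;
      "olcOverlay=memberof,olcDatabase={4}mdb".attrs = memberofOverlay;
      "olcOverlay=ppolicy,olcDatabase={4}mdb".attrs = ppolicyOverlay;

      "olcDatabase={6}mdb".attrs = hostedDb 6 "dc=szaku-consulting,dc=at" false;
      # "olcOverlay=memberof,olcDatabase={6}mdb".attrs = memberofOverlay;
      # "olcOverlay=ppolicy,olcDatabase={6}mdb".attrs = ppolicyOverlay;

      "olcDatabase={7}mdb".attrs = hostedDb 7 "dc=myhidden,dc=life" true;
      # "olcOverlay=memberof,olcDatabase={7}mdb".attrs = memberofOverlay;
      # "olcOverlay=ppolicy,olcDatabase={7}mdb".attrs = ppolicyOverlay;

      "olcDatabase={8}mdb".attrs = hostedDb 8 "dc=korean-skin,dc=care" true;

      "olcDatabase={9}mdb".attrs = hostedDb 9 "dc=scana11y,dc=com" true;

      # "cn=module{0},cn=config" = {
      #   attrs = {
      #     objectClass = "olcModuleList";
      #     cn = "module{0}";
      #     olcModuleLoad = "ppolicy.la";
      #   };
      # };

      # Site schema.  cloonarUser inherits mailAccount from the postfix schema
      # below, so that schema has to be loaded first.
      # NOTE(review): the RDN index is {3} but the cn attribute says {1};
      # every other schema entry keeps the two in sync -- confirm which is
      # meant before touching it.
      "cn={3}cloonar,cn=schema" = {
        attrs = {
          cn = "{1}cloonar";
          objectClass = "olcSchemaConfig";
          olcObjectClasses = [
            ''
              (1.3.6.1.4.1.28298.1.2.4 NAME 'cloonarUser'
                SUP (mailAccount) AUXILIARY
                DESC 'Cloonar Account'
                MAY (sshPublicKey $ pgpPublicKey $ ownCloudQuota $ quota))
            ''
          ];
        };
      };

      # Postfix virtual-mail schema (mailAccount / mailAlias / mailDomain).
      "cn={2}postfix,cn=schema".attrs = {
        cn = "{2}postfix";
        objectClass = "olcSchemaConfig";
        olcAttributeTypes = [
          ''
            (1.3.6.1.4.1.12461.1.1.1 NAME 'postfixTransport'
              DESC 'A string directing postfix which transport to use'
              EQUALITY caseExactIA5Match
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE)
          ''
          ''
            (1.3.6.1.4.1.12461.1.1.5 NAME 'mailbox'
              DESC 'The absolute path to the mailbox for a mail account in a non-default location'
              EQUALITY caseExactIA5Match
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
          ''
          ''
            (1.3.6.1.4.1.12461.1.1.6 NAME 'quota'
              DESC 'A string that represents the quota on a mailbox'
              EQUALITY caseExactIA5Match
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
          ''
          ''
            (1.3.6.1.4.1.12461.1.1.8 NAME 'maildrop'
              DESC 'RFC822 Mailbox - mail alias'
              EQUALITY caseIgnoreIA5Match
              SUBSTR caseIgnoreIA5SubstringsMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256})
          ''
        ];
        olcObjectClasses = [
          ''
            (1.3.6.1.4.1.12461.1.2.1 NAME 'mailAccount'
              SUP top AUXILIARY
              DESC 'Mail account objects'
              MUST ( mail $ userPassword )
              MAY ( cn $ description $ quota))
          ''
          ''
            (1.3.6.1.4.1.12461.1.2.2 NAME 'mailAlias'
              SUP top STRUCTURAL
              DESC 'Mail aliasing/forwarding entry'
              MUST ( mail $ maildrop )
              MAY ( cn $ description ))
          ''
          ''
            (1.3.6.1.4.1.12461.1.2.3 NAME 'mailDomain'
              SUP domain STRUCTURAL
              DESC 'Virtual Domain entry to be used with postfix transport maps'
              MUST ( dc )
              MAY ( postfixTransport $ description ))
          ''
          ''
            (1.3.6.1.4.1.12461.1.2.4 NAME 'mailPostmaster'
              SUP top AUXILIARY
              DESC 'Added to a mailAlias to create a postmaster entry'
              MUST roleOccupant)
          ''
        ];
      };

      # OpenSSH LPK schema: public keys stored on user entries.  pgpPublicKey
      # is deliberately world-readable via the ACLs above.
      "cn={1}openssh,cn=schema".attrs = {
        cn = "{1}openssh";
        objectClass = "olcSchemaConfig";
        olcAttributeTypes = [
          ''
            (1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
              DESC 'MANDATORY: OpenSSH Public key'
              EQUALITY octetStringMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
          ''
          ''
            (1.3.6.1.4.1.24552.500.1.1.1.14 NAME 'pgpPublicKey'
              DESC 'PGP/GPG Public key'
              EQUALITY octetStringMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
          ''
        ];
        olcObjectClasses = [
          ''
            (1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey'
              SUP top AUXILIARY
              DESC 'SSH and PGP Public Key Support'
              MUST ( uid )
              MAY ( sshPublicKey $ pgpPublicKey ))
          ''
        ];
      };

      # Nextcloud/ownCloud quota attribute.
      "cn={1}nextcloud,cn=schema".attrs = {
        cn = "{1}nextcloud";
        objectClass = "olcSchemaConfig";
        olcAttributeTypes = [
          ''
            (1.3.6.1.4.1.39430.1.1.1 NAME 'ownCloudQuota'
              DESC 'User Quota (e.g. 15 GB)'
              SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')
          ''
        ];
        olcObjectClasses = [
          ''
            (1.3.6.1.4.1.39430.1.2.1 NAME 'ownCloud'
              DESC 'ownCloud LDAP Schema'
              AUXILIARY
              MUST ( mail $ userPassword )
              MAY ( ownCloudQuota ))
          ''
        ];
      };

      # Per-application marker classes: adding the class to an account grants
      # access to that application (the application filters on it).
      "cn={1}gogs,cn=schema".attrs = {
        cn = "{1}gogs";
        objectClass = "olcSchemaConfig";
        olcObjectClasses = [
          ''
            ( 1.3.6.1.4.1.28293.1.2.4 NAME 'gitlab'
              SUP uidObject AUXILIARY
              DESC 'Added to an account to allow gitlab access'
              MUST (mail))
          ''
        ];
      };
      "cn={1}homeAssistant,cn=schema".attrs = {
        cn = "{1}homeAssistant";
        objectClass = "olcSchemaConfig";
        olcObjectClasses = [
          ''
            (1.3.6.1.4.1.28297.1.2.4 NAME 'homeAssistant'
              SUP uidObject AUXILIARY
              DESC 'Added to an account to allow home-assistant access'
              MUST (mail) )
          ''
        ];
      };
      # "cn={1}ttrss,cn=schema".attrs = {
      #   cn = "{1}ttrss";
      #   objectClass = "olcSchemaConfig";
      #   olcObjectClasses = [
      #     ''
      #       ( 1.3.6.1.4.1.28294.1.2.4 NAME 'ttrss'
      #         SUP top AUXILIARY
      #         DESC 'Added to an account to allow tinytinyrss access'
      #         MUST ( mail $ userPassword ))
      #     ''
      #   ];
      # };
      # "cn={1}prometheus,cn=schema".attrs = {
      #   cn = "{1}prometheus";
      #   objectClass = "olcSchemaConfig";
      #   olcObjectClasses = [
      #     ''
      #       ( 1.3.6.1.4.1.28296.1.2.4 NAME 'prometheus'
      #         SUP uidObject AUXILIARY
      #         DESC 'Added to an account to allow prometheus access'
      #         MUST (mail))
      #     ''
      #   ];
      # };
      # "cn={1}loki,cn=schema".attrs = {
      #   cn = "{1}loki";
      #   objectClass = "olcSchemaConfig";
      #   olcObjectClasses = [
      #     ''
      #       ( 1.3.6.1.4.1.28299.1.2.4 NAME 'loki'
      #         SUP uidObject AUXILIARY
      #         DESC 'Added to an account to allow loki access'
      #         MUST (mail))
      #     ''
      #   ];
      # };
      # "cn={1}flood,cn=schema".attrs = {
      #   cn = "{1}flood";
      #   objectClass = "olcSchemaConfig";
      #   olcObjectClasses = [
      #     ''
      #       (1.3.6.1.4.1.28300.1.2.4 NAME 'flood'
      #         SUP uidObject AUXILIARY
      #         DESC 'Added to an account to allow flood access'
      #         MUST (mail))
      #     ''
      #   ];
      # };
    };
  };

  # Start slapd only once its own certificate exists.  The files above live
  # under the "ldap.${domain}" certificate, so that is the ACME unit to wait
  # for (previously this waited on "acme-${domain}.service", a different
  # certificate's unit).
  systemd.services.openldap = {
    wants = [ "acme-ldap.${domain}.service" ];
    after = [ "acme-ldap.${domain}.service" ];
  };

  # Grant the slapd user read access to /var/lib/acme.
  users.groups.acme.members = [ "openldap" ];

  # Request the certificate slapd serves; restart slapd after renewal so it
  # picks up the new key pair.
  security.acme.certs."ldap.${domain}" = {
    extraDomainNames = [ "ldap-test.${domain}" "ldap-02.${domain}" ];
    postRun = "systemctl restart openldap.service";
  };

  # slapd reads the root password file at startup, so it must own it.
  sops.secrets.openldap-rootpw.owner = "openldap";

  # Both listeners are exposed; cleartext operations are rejected by
  # olcSecurity = "tls=1" above.
  networking.firewall.allowedTCPPorts = [ 389 636 ];
}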