Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
3eb9ce0e89bb00e288429f722216c37b1664fd4b
nixos/hosts/mail.social-grow.tech/modules/openldap.nix
Dominik Polakovics 3eb9ce0e89 changes
2024-10-18 15:24:20 +02:00

312 lines
10 KiB
Nix
Raw Blame History

{
config,
lib,
pkgs,
...
}:
let
domain = config.networking.domain;
components = lib.strings.splitString "." domain;
dcComponents = map (x: "dc=" + x) components;
ldapPath = builtins.concatStringsSep "," dcComponents;
in {
services.openldap = {
enable = true;
urlList = [ "ldap:///" "ldaps:///" ];
settings.attrs = {
olcLogLevel = "-1";
olcTLSCACertificateFile = "/var/lib/acme/ldap.${domain}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/ldap.${domain}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/ldap.${domain}/key.pem";
# olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
olcTLSCipherSuite = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
olcTLSProtocolMin = "3.3";
olcSecurity = "tls=1";
};
settings.children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "${ldapPath}";
olcRootDN = "cn=admin,${ldapPath}";
olcRootPW.path = config.sops.secrets.openldap-rootpw.path;
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,${ldapPath}" write
by dn.subtree="ou=system,ou=users,${ldapPath}" read
by group.exact="cn=Administrators,ou=groups,${ldapPath}" write
by * none
''
''
{1}to attrs=loginShell
by self write
by dn.subtree="ou=system,ou=users,${ldapPath}" read
by group.exact="cn=Administrators,ou=groups,${ldapPath}" write
by * none
''
''
{2}to dn.subtree="ou=system,ou=users,${ldapPath}"
by dn.subtree="ou=system,ou=users,${ldapPath}" read
by group.exact="cn=Administrators,ou=groups,${ldapPath}" write
by * none
''
''
{3}to *
by dn.subtree="ou=system,ou=users,${ldapPath}" read
by dn="cn=admin,${ldapPath}" write
by group.exact="cn=Administrators,ou=groups,${ldapPath}" write
by * none
''
];
};
"olcOverlay=memberof,olcDatabase={1}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
olcOverlay = "memberof";
olcMemberOfRefint = "TRUE";
};
"olcOverlay=ppolicy,olcDatabase={1}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
olcOverlay = "ppolicy";
olcPPolicyHashCleartext = "TRUE";
};
# "olcOverlay=syncprov,olcDatabase={1}mdb".attrs = {
# objectClass = ["olcOverlayConfig" "olcSyncProvConfig"];
# olcOverlay = "syncprov";
# olcSpSessionLog = "100";
# };
"olcDatabase={2}monitor".attrs = {
olcDatabase = "{2}monitor";
objectClass = ["olcDatabaseConfig" "olcMonitorConfig"];
olcAccess = [
''
{0}to *
by dn.exact="cn=netdata,ou=system,ou=users,${ldapPath}" read
by * none
''
];
};
"olcDatabase={3}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{3}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=ekouniversity,dc=com";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=admin,${ldapPath}" write
by dn="cn=owncloud,ou=system,ou=users,${ldapPath}" write
by dn="cn=authelia,ou=system,ou=users,${ldapPath}" write
by dn.subtree="ou=system,ou=users,${ldapPath}" read
by group.exact="cn=Administrators,ou=groups,${ldapPath}" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,${ldapPath}" read
by dn="cn=admin,${ldapPath}" write
by group.exact="cn=Administrators,ou=groups,${ldapPath}" write
by * read
''
];
};
"olcOverlay=memberof,olcDatabase={3}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
olcOverlay = "memberof";
olcMemberOfRefint = "TRUE";
};
"olcOverlay=ppolicy,olcDatabase={3}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
olcOverlay = "ppolicy";
olcPPolicyHashCleartext = "TRUE";
};
"cn={3}cloonar,cn=schema" = {
attrs = {
cn = "{1}cloonar";
objectClass = "olcSchemaConfig";
olcObjectClasses = [
''
(1.3.6.1.4.1.28298.1.2.4 NAME 'cloonarUser'
SUP (mailAccount) AUXILIARY
DESC 'Cloonar Account'
MAY (sshPublicKey $ ownCloudQuota $ quota))
''
];
};
};
"cn={2}postfix,cn=schema".attrs = {
cn = "{2}postfix";
objectClass = "olcSchemaConfig";
olcAttributeTypes = [
''
(1.3.6.1.4.1.12461.1.1.1 NAME 'postfixTransport'
DESC 'A string directing postfix which transport to use'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE)''
''
(1.3.6.1.4.1.12461.1.1.5 NAME 'mailbox'
DESC 'The absolute path to the mailbox for a mail account in a non-default location'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
''
''
(1.3.6.1.4.1.12461.1.1.6 NAME 'quota'
DESC 'A string that represents the quota on a mailbox'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
''
''
(1.3.6.1.4.1.12461.1.1.8 NAME 'maildrop'
DESC 'RFC822 Mailbox - mail alias'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256})
''
];
olcObjectClasses = [
''
(1.3.6.1.4.1.12461.1.2.1 NAME 'mailAccount'
SUP top AUXILIARY
DESC 'Mail account objects'
MUST ( mail $ userPassword )
MAY ( cn $ description $ quota))
''
''
(1.3.6.1.4.1.12461.1.2.2 NAME 'mailAlias'
SUP top STRUCTURAL
DESC 'Mail aliasing/forwarding entry'
MUST ( mail $ maildrop )
MAY ( cn $ description ))
''
''
(1.3.6.1.4.1.12461.1.2.3 NAME 'mailDomain'
SUP domain STRUCTURAL
DESC 'Virtual Domain entry to be used with postfix transport maps'
MUST ( dc )
MAY ( postfixTransport $ description ))
''
''
(1.3.6.1.4.1.12461.1.2.4 NAME 'mailPostmaster'
SUP top AUXILIARY
DESC 'Added to a mailAlias to create a postmaster entry'
MUST roleOccupant)
''
];
};
"cn={1}openssh,cn=schema".attrs = {
cn = "{1}openssh";
objectClass = "olcSchemaConfig";
olcAttributeTypes = [
''
(1.3.6.1.4.1.24552.500.1.1.1.13
NAME 'sshPublicKey'
DESC 'MANDATORY: OpenSSH Public key'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
''
];
olcObjectClasses = [
''
(1.3.6.1.4.1.24552.500.1.1.2.0
NAME 'ldapPublicKey'
SUP top AUXILIARY
DESC 'MANDATORY: OpenSSH LPK objectclass'
MUST ( sshPublicKey $ uid ))
''
];
};
"cn={1}nextcloud,cn=schema".attrs = {
cn = "{1}nextcloud";
objectClass = "olcSchemaConfig";
olcAttributeTypes = [
''
(1.3.6.1.4.1.39430.1.1.1
NAME 'ownCloudQuota'
DESC 'User Quota (e.g. 15 GB)'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')
''
];
olcObjectClasses = [
''
(1.3.6.1.4.1.39430.1.2.1
NAME 'ownCloud'
DESC 'ownCloud LDAP Schema'
AUXILIARY
MUST ( mail $ userPassword )
MAY ( ownCloudQuota ))
''
];
};
"cn={1}gogs,cn=schema".attrs = {
cn = "{1}gogs";
objectClass = "olcSchemaConfig";
olcObjectClasses = [
''
( 1.3.6.1.4.1.28293.1.2.4 NAME 'gitlab'
SUP uidObject AUXILIARY
DESC 'Added to an account to allow gitlab access'
MUST (mail))
''
];
};
"cn={1}homeAssistant,cn=schema".attrs = {
cn = "{1}homeAssistant";
objectClass = "olcSchemaConfig";
olcObjectClasses = [
''
(1.3.6.1.4.1.28297.1.2.4 NAME 'homeAssistant'
SUP uidObject AUXILIARY
DESC 'Added to an account to allow home-assistant access'
MUST (mail) )
''
];
};
};
};
/* ensure openldap is launched after certificates are created */
systemd.services.openldap = {
wants = [ "acme-${domain}.service" ];
after = [ "acme-${domain}.service" ];
};
users.groups.acme.members = [ "openldap" ];
/* trigger the actual certificate generation for your hostname */
security.acme.certs."ldap.${domain}" = {
postRun = "systemctl restart openldap.service";
};
sops.secrets.openldap-rootpw.owner = "openldap";
networking.firewall.allowedTCPPorts = [ 389 636 ];
}
Reference in New Issue View Git Blame Copy Permalink