nix-dotfiles/hosts/tsuki/services/openldap.todo.nix

75 lines
2.6 KiB
Nix
Raw Normal View History

2022-03-07 16:01:52 +01:00
{ pkgs, ... }:
{
services.openldap = {
enable = true;
2022-06-22 20:16:57 +02:00
# dataDir = "${config.machineVars.dataDrives.default}/var/openldap";
2022-03-07 16:01:52 +01:00
urlList = [ "ldap:///" "ldapi:///" ]; # Add ldaps to this list to listen with SSL (requires configured certificates)
# suffix = "dc=nixos,dc=org";
# rootdn = "cn=admin,dc=nixos,dc=org";
# rootpwFile = "/var/keys/ldap/rootpw";
# See https://www.openldap.org/doc/admin24/slapdconfig.html
# extraDatabaseConfig = ''
# access to dn.base="dc=nixos,dc=org" by * read
# # Add your own ACLs here…
# # Drop everything that wasn't handled by previous ACLs:
# access to * by * none
# index objectClass eq
# index uid eq
# index mail sub
# # Accelerates replication if you use it
# index entryCSN eq
# index entryUUID eq
# '';
settings = {
attrs.olcLogLevel = [ "stats" ];
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
];
"olcDatabase={-1}frontend" = {
attrs = {
objectClass = "olcDatabaseConfig";
olcDatabase = "{-1}frontend";
olcAccess = [ "{0}to * by dn.exact=uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth manage stop by * none stop" ];
};
};
"olcDatabase={0}config" = {
attrs = {
objectClass = "olcDatabaseConfig";
olcDatabase = "{0}config";
olcAccess = [ "{0}to * by * none break" ];
};
};
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/data/var/openldap/db";
olcDbIndex = [
"objectClass eq"
"cn pres,eq"
"uid pres,eq"
"sn pres,eq,subany"
];
olcSuffix = "dc=example,dc=com";
olcAccess = [ "{0}to * by * read break" ];
};
};
};
};
# Setting this causes OpenLDAP to drop the entire database on startup and write the contents of
# of this LDIF string into the database. This ensures that only nix-managed content is found in the
# database. Note that if a lot of entries are created in conjunction with a lot of indexes, this might hurt
# startup performance.
# Also, you can set `readonly on` in `extraDatabaseConfig` to ensure nobody writes data that will be
# lost.
# declarativeContents = "…";
};
}