feat: added a formatter and some instructions
This commit is contained in:
parent
14ae0a9065
commit
7f3dc8946e
39 changed files with 1739 additions and 1348 deletions
|
@ -1,13 +1,16 @@
|
|||
/*
|
||||
Gonna use a priper nixos module for this
|
||||
*/
|
||||
|
||||
{ config, pkgs, lib, inputs, ... }:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.services.skynet_ldap;
|
||||
in {
|
||||
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
with lib; let
|
||||
cfg = config.services.skynet_ldap;
|
||||
in {
|
||||
# these are needed for teh program in question
|
||||
imports = [
|
||||
../acme.nix
|
||||
|
@ -16,7 +19,6 @@ Gonna use a priper nixos module for this
|
|||
./backend.nix
|
||||
];
|
||||
|
||||
|
||||
options.services.skynet_ldap = {
|
||||
# options that need to be passed in to make this work
|
||||
|
||||
|
@ -61,7 +63,6 @@ Gonna use a priper nixos module for this
|
|||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
# passthrough to the backend
|
||||
services.ldap_backend = {
|
||||
enable = true;
|
||||
|
@ -82,7 +83,11 @@ Gonna use a priper nixos module for this
|
|||
];
|
||||
|
||||
skynet_dns.records = [
|
||||
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
|
||||
{
|
||||
record = cfg.domain.sub;
|
||||
r_type = "CNAME";
|
||||
value = cfg.host.name;
|
||||
}
|
||||
];
|
||||
|
||||
# firewall on teh computer itself
|
||||
|
@ -111,25 +116,29 @@ Gonna use a priper nixos module for this
|
|||
# using https://nixos.wiki/wiki/OpenLDAP for base config
|
||||
|
||||
systemd.services.openldap = {
|
||||
wants = [ "acme-${cfg.domain.base}.service" ];
|
||||
after = [ "acme-${cfg.domain.base}.service" ];
|
||||
wants = ["acme-${cfg.domain.base}.service"];
|
||||
after = ["acme-${cfg.domain.base}.service"];
|
||||
};
|
||||
|
||||
users.groups.acme.members = [ "openldap" ];
|
||||
users.groups.acme.members = ["openldap"];
|
||||
|
||||
services.openldap = {
|
||||
# backup /var/lib/openldap/slapd.d
|
||||
|
||||
enable = true;
|
||||
|
||||
/* enable plain and secure connections */
|
||||
urlList = [ "ldap:///" "ldaps:///" ];
|
||||
/*
|
||||
enable plain and secure connections
|
||||
*/
|
||||
urlList = ["ldap:///" "ldaps:///"];
|
||||
|
||||
settings = {
|
||||
attrs = {
|
||||
olcLogLevel = "conns config";
|
||||
|
||||
/* settings for acme ssl */
|
||||
/*
|
||||
settings for acme ssl
|
||||
*/
|
||||
olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem";
|
||||
olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem";
|
||||
olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem";
|
||||
|
@ -154,67 +163,70 @@ Gonna use a priper nixos module for this
|
|||
./skMemberOf.ldif
|
||||
];
|
||||
|
||||
|
||||
"cn=modules".attrs = {
|
||||
objectClass = [ "olcModuleList" ];
|
||||
cn = "modules";
|
||||
objectClass = ["olcModuleList"];
|
||||
cn = "modules";
|
||||
olcModuleLoad = ["dynlist" "memberof" "refint" "pw-sha2"];
|
||||
};
|
||||
|
||||
"olcDatabase={-1}frontend".attrs = {
|
||||
objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ];
|
||||
objectClass = ["olcDatabaseConfig" "olcFrontendConfig"];
|
||||
|
||||
olcPasswordHash = "{SSHA512}";
|
||||
};
|
||||
|
||||
"olcDatabase={1}mdb" = {
|
||||
attrs = {
|
||||
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
|
||||
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
|
||||
|
||||
olcDatabase = "{1}mdb";
|
||||
olcDbDirectory = "/var/lib/openldap/data";
|
||||
|
||||
olcSuffix = cfg.base;
|
||||
|
||||
/* your admin account, do not use writeText on a production system */
|
||||
/*
|
||||
your admin account, do not use writeText on a production system
|
||||
*/
|
||||
olcRootDN = "cn=admin,${cfg.base}";
|
||||
olcRootPW.path = config.age.secrets.ldap_pw.path;
|
||||
|
||||
#olcOverlay = "memberof";
|
||||
|
||||
olcAccess = [
|
||||
/* custom access rules for userPassword attributes */
|
||||
''{0}to attrs=userPassword
|
||||
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
|
||||
by self write
|
||||
by anonymous auth
|
||||
by * none''
|
||||
/*
|
||||
custom access rules for userPassword attributes
|
||||
*/
|
||||
'' {0}to attrs=userPassword
|
||||
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
|
||||
by self write
|
||||
by anonymous auth
|
||||
by * none''
|
||||
|
||||
''{1}to attrs=mail,sshPublicKey,cn,sn,skDiscord
|
||||
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
|
||||
by self write
|
||||
by * read''
|
||||
'' {1}to attrs=mail,sshPublicKey,cn,sn,skDiscord
|
||||
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
|
||||
by self write
|
||||
by * read''
|
||||
|
||||
/* allow read on anything else */
|
||||
''{2}to *
|
||||
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
|
||||
by * read''
|
||||
/*
|
||||
allow read on anything else
|
||||
*/
|
||||
'' {2}to *
|
||||
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
|
||||
by * read''
|
||||
];
|
||||
|
||||
|
||||
};
|
||||
|
||||
# https://blog.oddbit.com/post/2013-07-22-generating-a-membero/
|
||||
children = {
|
||||
"olcOverlay=dynlist".attrs = {
|
||||
objectClass = [ "olcOverlayConfig" "olcDynamicList" ];
|
||||
olcOverlay = "dynlist";
|
||||
objectClass = ["olcOverlayConfig" "olcDynamicList"];
|
||||
olcOverlay = "dynlist";
|
||||
olcDlAttrSet = "skPerson labeledURI skMemberOf";
|
||||
};
|
||||
|
||||
"olcOverlay=memberof".attrs = {
|
||||
objectClass = [ "olcOverlayConfig" "olcMemberOf" "olcConfig" "top" ];
|
||||
olcOverlay = "memberof";
|
||||
objectClass = ["olcOverlayConfig" "olcMemberOf" "olcConfig" "top"];
|
||||
olcOverlay = "memberof";
|
||||
|
||||
olcMemberOfDangling = "ignore";
|
||||
olcMemberOfRefInt = "TRUE";
|
||||
|
@ -223,10 +235,7 @@ Gonna use a priper nixos module for this
|
|||
olcMemberOfMemberOfAD = "memberOf";
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|