From e03e27c894fded3e9d108d1c175adbde59659902 Mon Sep 17 00:00:00 2001 From: Brendan Golden Date: Sun, 22 Oct 2023 14:39:35 +0100 Subject: [PATCH] ldap: small bit of a cleanup --- applications/ldap/server.nix | 37 ++++++++++++++++++------------- applications/ldap/skMemberOf.ldif | 18 --------------- 2 files changed, 21 insertions(+), 34 deletions(-) diff --git a/applications/ldap/server.nix b/applications/ldap/server.nix index 2090879..36be133 100644 --- a/applications/ldap/server.nix +++ b/applications/ldap/server.nix @@ -10,6 +10,7 @@ Gonna use a priper nixos module for this }: with lib; let cfg = config.services.skynet_ldap; + domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; in { # these are needed for teh program in question imports = [ @@ -79,7 +80,7 @@ in { }; skynet_acme.domains = [ - "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" + domain ]; skynet_dns.records = [ @@ -97,7 +98,7 @@ in { ]; services.nginx.virtualHosts = { - "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = { + ${domain} = { forceSSL = true; useACMEHost = "skynet"; locations."/" = { 
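Review bot: The new `domain` binding in the `let` block carries no comment, even though it is now the single place the service's FQDN is assembled and is consumed by both the ACME domain list (hunk @@ -79) and the nginx virtualHost name (hunk @@ -97); a one-liner such as `# FQDN the LDAP frontend is served on; used for the ACME cert and the nginx vhost below` above it would tell the next reader why the three parts of cfg.domain are joined here. The `skynet_dns.records` list that follows in the @@ -79 hunk lies outside the shown lines, so whether it still builds the same name by hand cannot be checked from here. The `let` block and the module body both continue outside these hunks.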
@@ -190,29 +191,33 @@ in { olcRootDN = "cn=admin,${cfg.base}"; olcRootPW.path = config.age.secrets.ldap_pw.path; - #olcOverlay = "memberof"; - olcAccess = [ /* custom access rules for userPassword attributes */ - '' {0}to attrs=userPassword - by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage - by self write - by anonymous auth - by * none'' + '' + {0}to attrs=userPassword + by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage + by self write + by anonymous auth + by * none + '' - '' {1}to attrs=mail,sshPublicKey,cn,sn,skDiscord - by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage - by self write - by * read'' + '' + {1}to attrs=mail,sshPublicKey,cn,sn,skDiscord + by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage + by self write + by * read + '' /* allow read on anything else */ - '' {2}to * - by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage - by * read'' + '' + {2}to * + by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage + by * read + '' ]; }; diff --git a/applications/ldap/skMemberOf.ldif b/applications/ldap/skMemberOf.ldif index af4385b..fc3cdf8 100644 --- a/applications/ldap/skMemberOf.ldif +++ b/applications/ldap/skMemberOf.ldif @@ -24,24 +24,12 @@ olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.4.1 EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.5.1 - NAME 'skDiscord' - DESC 'Discord username' - EQUALITY caseIgnoreMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 - ) olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.6.1 NAME 'skCreated' DESC 'When the account was created' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -#olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.7.1 -# NAME 'skEnabled' -# DESC 'TRUE/FALSE' -# EQUALITY booleanMatch -# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 -# ) # https://github.com/variablenix/ldap-mail-schema/blob/master/quota.schema olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.8.1 NAME 'quotaEmail' 
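Review bot: The reformatted `{1}` rule on the new side still lists `skDiscord` in `to attrs=mail,sshPublicKey,cn,sn,skDiscord`, yet the same commit deletes the `skDiscord` attributeType (OID 1.3.6.1.4.1.24441.1.5.1) from applications/ldap/skMemberOf.ldif; unless that attribute is still defined by another loaded schema, slapd should reject this `olcAccess` value with an unknown-attribute error at startup and the whole directory fails to come up, so either keep the definition or drop `skDiscord` from the attrs list in the same change (the `skPerson` objectClass further down the LDIF may reference it too, which cannot be verified from the shown lines). Separately, `uid=ldap_api,ou=users,dc=skynet,dc=ie` is spelled out three times while `olcRootDN` is derived from `${cfg.base}`; in the spirit of the `domain` binding this commit adds, an `apiDN = "uid=ldap_api,ou=users,${cfg.base}";` in the same `let` and `by dn.exact="${apiDN}" manage` in each rule would keep the ACL in step with `cfg.base`, assuming that option is indeed `dc=skynet,dc=ie`. The enclosing settings attribute set starts before this hunk.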
@@ -55,12 +43,6 @@ olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.9.1 EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} ) -olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.10.1 - NAME 'skSecure' - DESC '1 if secure' - EQUALITY caseIgnoreMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 - ) olcObjectClasses: ( 1.3.6.1.4.1.24441.1.1.1 NAME 'skPerson' DESC 'skynet person'