199 lines
5.7 KiB
Nix
199 lines
5.7 KiB
Nix
|
# Configures an OpenLDAP instance for TVL
|
||
|
#
|
||
|
# TODO(tazjin): Configure ldaps://
|
||
|
{ config, lib, pkgs, ... }:
|
||
|
|
||
|
with config.depot.nix.yants;
|
||
|
|
||
|
let
|
||
|
user = struct {
|
||
|
username = string;
|
||
|
email = string;
|
||
|
password = string;
|
||
|
displayName = option string;
|
||
|
};
|
||
|
|
||
|
toLdif = defun [ user string ] (u: ''
|
||
|
dn: cn=${u.username},ou=users,dc=tvl,dc=fyi
|
||
|
objectClass: organizationalPerson
|
||
|
objectClass: inetOrgPerson
|
||
|
sn: ${u.username}
|
||
|
cn: ${u.username}
|
||
|
displayName: ${u.displayName or u.username}
|
||
|
mail: ${u.email}
|
||
|
userPassword: ${u.password}
|
||
|
'');
|
||
|
|
||
|
users = [
|
||
|
{
|
||
|
username = "andi";
|
||
|
email = "andi@notmuch.email";
|
||
|
password = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$8lefg7+8UPAEh9Ott8zH0A$7YuLRraTC1IgxTNTxFJF03AWmqBS3GX2+vfD4XVTrb0";
|
||
|
}
|
||
|
{
|
||
|
username = "artemist";
|
||
|
email = "me@artem.ist";
|
||
|
password = "{SSHA}N6Tl/txGQwlmVa7xVJCXpGcD1U4bJaI+";
|
||
|
}
|
||
|
{
|
||
|
username = "camsbury";
|
||
|
email = "camsbury7@gmail.com";
|
||
|
password = "{SSHA}r6/I/zefrAb1jWTdhuqWik0CXT8E+/E5";
|
||
|
}
|
||
|
{
|
||
|
username = "cynthia";
|
||
|
email = "cynthia@tvl.fyi";
|
||
|
password = "{SSHA}aHx2keEnXv6u6oiV2xxqfXdxjom/K8CP";
|
||
|
}
|
||
|
{
|
||
|
username = "edef";
|
||
|
email = "edef@edef.eu";
|
||
|
password = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$OORx4ERbkgvTmuYCJA8cIw$i5qaBzHkRVw7Tl+wZsTFTDqJwF0vuZqhW3VpknMYMc0";
|
||
|
}
|
||
|
{
|
||
|
username = "ericvolp12";
|
||
|
email = "ericvolp12@gmail.com";
|
||
|
password = "{SSHA}pSepaQ+/5KBLfJtRR5rfxGU8goAsXgvk";
|
||
|
}
|
||
|
{
|
||
|
username = "eta";
|
||
|
email = "eta@theta.eu.org";
|
||
|
password = "{SSHA}sOR5xzi7Lfv376XGQA8Hf6jyhTvo0XYc";
|
||
|
}
|
||
|
{
|
||
|
username = "firefly";
|
||
|
email = "firefly@firefly.nu";
|
||
|
password = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$RYVVkFoi3A1yYkI8J2zUwg$GUERvgHvU8SGjQmilDJGZu50hYRAHw+ejtuL+Skygs8";
|
||
|
}
|
||
|
{
|
||
|
username = "glittershark";
|
||
|
email = "grfn@gws.fyi";
|
||
|
password = "{SSHA}i7PSAsXwJT3jjmmvU77aar/tU/YPDCEO";
|
||
|
}
|
||
|
{
|
||
|
username = "isomer";
|
||
|
email = "isomer@tvl.fyi";
|
||
|
password = "{SSHA}OhWQkPJgH1rRJqYIaMUbbKC4iLEzvCev";
|
||
|
}
|
||
|
{
|
||
|
username = "lukegb";
|
||
|
email = "lukegb@tvl.fyi";
|
||
|
password = "{SSHA}7a85VNhpFElFw+N5xcjgGmt4HnBsaGp4";
|
||
|
}
|
||
|
{
|
||
|
username = "multi";
|
||
|
email = "depot@in-addr.xyz";
|
||
|
password = "{ARGON2}$argon2i$v=19$m=4096,t=3,p=1$qCfXhZUVft1YVPx7H4x7rw$dhtwtCrEMSpZfWQJbw2wpo5XHqiJqoZkiKeEbE6AdX0";
|
||
|
}
|
||
|
{
|
||
|
username = "nyanotech";
|
||
|
email = "nyanotechnology@gmail.com";
|
||
|
password = "{SSHA}NIJ2RCRb1+Q4Bs63cyE91VZyiN47DG6y";
|
||
|
}
|
||
|
{
|
||
|
username = "Profpatsch";
|
||
|
email = "mail@profpatsch.de";
|
||
|
password = "{SSHA}jcFXxRplMFxH4gpa0X5VdUzW64T95TwQ";
|
||
|
}
|
||
|
{
|
||
|
username = "q3k";
|
||
|
email = "q3k@q3k.org";
|
||
|
password = "{SSHA}BEccJdtnhVLDzOn+pxNfayNi3QFcEABE";
|
||
|
}
|
||
|
{
|
||
|
username = "qyliss";
|
||
|
displayName = "Alyssa Ross";
|
||
|
email = "hi@alyssa.is";
|
||
|
password = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$+uTpAKrN452D8wa7OFqPnw$GYi9/zns5iJCXDp1VuTPPsa35M5vkD6+rC8riT8cEHI";
|
||
|
}
|
||
|
{
|
||
|
username = "riking";
|
||
|
displayName = "kanepyork";
|
||
|
email = "rikingcoding@gmail.com";
|
||
|
password = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$o2OcfhfKOry+UrcmODyQCw$qloaQgoIRDESwaA3yqPxxy8sgLk3mrjYFBbF41elVrM";
|
||
|
}
|
||
|
{
|
||
|
username = "tazjin";
|
||
|
email = "mail@tazj.in";
|
||
|
password = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$wOPEl9D3kSke//oLtbvqrg$j0npwwXgaXQ/emefKUwL59tH8hdmtzbgH2rQzWSmE2Y";
|
||
|
}
|
||
|
{
|
||
|
username = "implr";
|
||
|
email = "implr@hackerspace.pl";
|
||
|
password = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$SHRFps5sVgyUXYdmqGPw9g$tEx9DwKK1RjWlw52GLwOZ/iHep+QJboaZE83f1pXSwQ";
|
||
|
}
|
||
|
{
|
||
|
username = "v";
|
||
|
displayName = "V";
|
||
|
email = "v@anomalous.eu";
|
||
|
password = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$Wa11vk3gQKhJr1uzvtRTRQ$RHfvcC2j6rDUgWfezm05N03LeGIEezeKtmFmt+rfvM4";
|
||
|
}
|
||
|
{
|
||
|
username = "ben";
|
||
|
email = "tvl@benjojo.co.uk";
|
||
|
password = "{SSHA}Zi48mSPsRMEPhff44w4RHi0SjjyhjWk1";
|
||
|
}
|
||
|
];
|
||
|
in {
|
||
|
# Use our patched OpenLDAP derivation which enables stronger password hashing.
|
||
|
#
|
||
|
# Unfortunately the module for OpenLDAP has no package option, so we
|
||
|
# need to override it system-wide. Be aware that this triggers a
|
||
|
# *large* number of rebuilds of packages such as GPG and Python.
|
||
|
nixpkgs.overlays = [
|
||
|
(_: _: {
|
||
|
inherit (config.depot.third_party) openldap;
|
||
|
})
|
||
|
];
|
||
|
|
||
|
services.openldap = {
|
||
|
enable = true;
|
||
|
dataDir = "/var/lib/openldap";
|
||
|
suffix = "dc=tvl,dc=fyi";
|
||
|
rootdn = "cn=admin,dc=tvl,dc=fyi";
|
||
|
rootpw = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$OfcgkOQ96VQ3aJj7NfA9vQ$oS6HQOkYl/bUYg4SejpltQYy7kvqx/RUxvoR4zo1vXU";
|
||
|
|
||
|
# ACL configuration
|
||
|
extraDatabaseConfig = ''
|
||
|
# Allow users to change their own password
|
||
|
access to attrs=userPassword
|
||
|
by self write
|
||
|
by anonymous auth
|
||
|
by users none
|
||
|
|
||
|
# Allow default read access to other directory elements
|
||
|
access to * by * read
|
||
|
'';
|
||
|
|
||
|
extraConfig = ''
|
||
|
moduleload pw-argon2
|
||
|
'';
|
||
|
|
||
|
# Contents are immutable at runtime, and adding user accounts etc.
|
||
|
# is done statically in the LDIF-formatted contents in this folder.
|
||
|
declarativeContents = ''
|
||
|
dn: dc=tvl,dc=fyi
|
||
|
dc: tvl
|
||
|
o: TVL LDAP server
|
||
|
description: Root entry for tvl.fyi
|
||
|
objectClass: top
|
||
|
objectClass: dcObject
|
||
|
objectClass: organization
|
||
|
|
||
|
dn: ou=users,dc=tvl,dc=fyi
|
||
|
ou: users
|
||
|
description: All users in TVL
|
||
|
objectClass: top
|
||
|
objectClass: organizationalUnit
|
||
|
|
||
|
dn: ou=groups,dc=tvl,dc=fyi
|
||
|
ou: groups
|
||
|
description: All groups in TVL
|
||
|
objectClass: top
|
||
|
objectClass: organizationalUnit
|
||
|
|
||
|
${lib.concatStringsSep "\n" (map toLdif users)}
|
||
|
'';
|
||
|
};
|
||
|
}
|