tvl-depot/ops/nixos/modules/tvl-slapd/default.nix

# Configures an OpenLDAP instance for TVL
#
# TODO(tazjin): Configure ldaps://
{ pkgs, config, ... }:

{
  services.openldap = {
    enable = true;
    dataDir = "/var/lib/openldap";
    suffix = "dc=tvl,dc=fyi";
    rootdn = "cn=admin,dc=tvl,dc=fyi";
    rootpw = "{SSHA}yEEO6Ol2W3ritdiJzPSsjOtyPGxWF2JW";

    # Contents are immutable at runtime, and adding user accounts etc.
    # is done statically in the LDIF-formatted contents in this folder.
    declarativeContents = builtins.readFile ./contents.ldif;

    # ACL configuration
    extraDatabaseConfig = ''
      # Allow users to change their own password
      access to attrs=userPassword
        by self write
        by anonymous auth
        by users none

      # Allow default read access to other directory elements
      access to * by * read
    '';
  };
}
feat(ops/nixos/modules): Add TVL slapd module This initialises an OpenLDAP server for tvl.fyi This is the least annoying way to bootstrap Gerrit. Yep. 2020-06-08 02:08:41 +02:00			`# Configures an OpenLDAP instance for TVL`
			`#`
			`# TODO(tazjin): Configure ldaps://`
			`{ pkgs, config, ... }:`

			`{`
			`services.openldap = {`
			`enable = true;`
			`dataDir = "/var/lib/openldap";`
			`suffix = "dc=tvl,dc=fyi";`
			`rootdn = "cn=admin,dc=tvl,dc=fyi";`
			`rootpw = "{SSHA}yEEO6Ol2W3ritdiJzPSsjOtyPGxWF2JW";`

			`# Contents are immutable at runtime, and adding user accounts etc.`
			`# is done statically in the LDIF-formatted contents in this folder.`
			`declarativeContents = builtins.readFile ./contents.ldif;`

			`# ACL configuration`
			`extraDatabaseConfig = ''`
			`# Allow users to change their own password`
			`access to attrs=userPassword`
			`by self write`
			`by anonymous auth`
			`by users none`

			`# Allow default read access to other directory elements`
			`access to * by * read`
			`'';`
			`};`
			`}`