tvl-depot/ops/nixos/tvl-slapd/default.nix

# Configures an OpenLDAP instance for TVL
#
# TODO(tazjin): Configure ldaps://
{ depot, lib, pkgs, ... }:

with depot.nix.yants;

let
  user = struct {
    username = string;
    email = string;
    password = string;
    displayName = option string;
  };

  toLdif = defun [ user string ] (u: ''
    dn: cn=${u.username},ou=users,dc=tvl,dc=fyi
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    sn: ${u.username}
    cn: ${u.username}
    displayName: ${u.displayName or u.username}
    mail: ${u.email}
    userPassword: ${u.password}
  '');

  inherit (depot.ops) users;

in {
  # Use our patched OpenLDAP derivation which enables stronger password hashing.
  #
  # Unfortunately the module for OpenLDAP has no package option, so we
  # need to override it system-wide. Be aware that this triggers a
  # *large* number of rebuilds of packages such as GPG and Python.
  nixpkgs.overlays = [
    (_: _: {
      inherit (depot.third_party) openldap;
    })
  ];

  services.openldap = {
    enable = true;
    dataDir = "/var/lib/openldap";
    database = "mdb";
    suffix = "dc=tvl,dc=fyi";
    rootdn = "cn=admin,dc=tvl,dc=fyi";
    rootpw = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$OfcgkOQ96VQ3aJj7NfA9vQ$oS6HQOkYl/bUYg4SejpltQYy7kvqx/RUxvoR4zo1vXU";

    settings.children = {
      "olcDatabase={1}mdb".attrs = {
        objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
        olcDatabase = "{1}mdb";
        olcSuffix = "dc=tvl,dc=fyi";
        olcAccess = "to *  by * read";
      };

      "cn=module{0}".attrs = {
        objectClass = "olcModuleList";
        olcModuleLoad = "pw-argon2";
      };
    };

    # Contents are immutable at runtime, and adding user accounts etc.
    # is done statically in the LDIF-formatted contents in this folder.
    declarativeContents."dc=tvl,dc=fyi" = ''
      dn: dc=tvl,dc=fyi
      dc: tvl
      o: TVL LDAP server
      description: Root entry for tvl.fyi
      objectClass: top
      objectClass: dcObject
      objectClass: organization

      dn: ou=users,dc=tvl,dc=fyi
      ou: users
      description: All users in TVL
      objectClass: top
      objectClass: organizationalUnit

      dn: ou=groups,dc=tvl,dc=fyi
      ou: groups
      description: All groups in TVL
      objectClass: top
      objectClass: organizationalUnit

      ${lib.concatStringsSep "\n" (map toLdif users)}
    '';
  };
}
feat(ops/nixos/modules): Add TVL slapd module This initialises an OpenLDAP server for tvl.fyi This is the least annoying way to bootstrap Gerrit. Yep. 2020-06-08 02:08:41 +02:00			`# Configures an OpenLDAP instance for TVL`
			`#`
			`# TODO(tazjin): Configure ldaps://`
refactor(ops/nixos): migrate to depot module arg Previously the depot argument was provided as config.depot, but the "new way" of doing things (which is more like the args list provided in the rest of the depot) is to provide this as the "depot" NixOS module argument instead. Change-Id: Ib48b1c7c1bdff9c1eb0618c6cbacc22b651f5f98 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2763 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: glittershark <grfn@gws.fyi> 2021-04-02 14:18:50 +02:00			`{ depot, lib, pkgs, ... }:`
feat(ops/nixos/modules): Add TVL slapd module This initialises an OpenLDAP server for tvl.fyi This is the least annoying way to bootstrap Gerrit. Yep. 2020-06-08 02:08:41 +02:00
refactor(ops/nixos): migrate to depot module arg Previously the depot argument was provided as config.depot, but the "new way" of doing things (which is more like the args list provided in the rest of the depot) is to provide this as the "depot" NixOS module argument instead. Change-Id: Ib48b1c7c1bdff9c1eb0618c6cbacc22b651f5f98 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2763 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: glittershark <grfn@gws.fyi> 2021-04-02 14:18:50 +02:00			`with depot.nix.yants;`
refactor(tvl-slapd): Move user definitions into Nix code Implements a function that generates the LDIF record for each user and templates it into the configuration. This is slightly more user-friendly and less error-prone (people kept getting the DNs wrong) than editing the contents manually. Change-Id: Ic419d2ef464f9a94be5d54b666f7d53134b53eed Reviewed-on: https://cl.tvl.fyi/c/depot/+/447 Reviewed-by: riking <rikingcoding@gmail.com> 2020-06-17 04:48:21 +02:00
			`let`
			`user = struct {`
			`username = string;`
			`email = string;`
			`password = string;`
			`displayName = option string;`
			`};`

			`toLdif = defun [ user string ] (u: ''`
			`dn: cn=${u.username},ou=users,dc=tvl,dc=fyi`
			`objectClass: organizationalPerson`
			`objectClass: inetOrgPerson`
			`sn: ${u.username}`
			`cn: ${u.username}`
			`displayName: ${u.displayName or u.username}`
			`mail: ${u.email}`
			`userPassword: ${u.password}`
			`'');`

refactor(ops/nixos): migrate to depot module arg Previously the depot argument was provided as config.depot, but the "new way" of doing things (which is more like the args list provided in the rest of the depot) is to provide this as the "depot" NixOS module argument instead. Change-Id: Ib48b1c7c1bdff9c1eb0618c6cbacc22b651f5f98 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2763 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: glittershark <grfn@gws.fyi> 2021-04-02 14:18:50 +02:00			`inherit (depot.ops) users;`
feat(todolist): use static slapd user data for knownUsers Since the slapd data is static and generated using nix, we can simply move the user list into ops/users, so it's recognized by readTree and we can use it as ops.users both in ops/nixos/tvl-slapd and web/todolist as a general purpose user registry for depot. Update docs/REVIEWS.md as well. Change-Id: I35caaaab70a5578c47cedc7f33077dd513766290 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2419 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> 2021-01-18 12:10:33 +01:00
refactor(tvl-slapd): Move user definitions into Nix code Implements a function that generates the LDIF record for each user and templates it into the configuration. This is slightly more user-friendly and less error-prone (people kept getting the DNs wrong) than editing the contents manually. Change-Id: Ic419d2ef464f9a94be5d54b666f7d53134b53eed Reviewed-on: https://cl.tvl.fyi/c/depot/+/447 Reviewed-by: riking <rikingcoding@gmail.com> 2020-06-17 04:48:21 +02:00			`in {`
feat(tvl-slapd): Load Argon2 password module in OpenLDAP This makes it possible to use {ARGON2} hashes instead of the current salted SHA hashes, which is a much better idea. Unfortunately the nixpkgs module does not have an option for overridding the package used, so it is overlaid into the system package set - this causes widespread rebuilds. This is fine for us for now, but I have opened a PR upstream to add a package option: https://github.com/NixOS/nixpkgs/pull/91963 Change-Id: Ib4be931d88e74b91566639f8656742cf096f6cc3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/831 Reviewed-by: BuildkiteCI Reviewed-by: isomer <isomer@tvl.fyi> Tested-by: BuildkiteCI 2020-07-01 20:24:49 +02:00			`# Use our patched OpenLDAP derivation which enables stronger password hashing.`
			`#`
			`# Unfortunately the module for OpenLDAP has no package option, so we`
			`# need to override it system-wide. Be aware that this triggers a`
			`# large number of rebuilds of packages such as GPG and Python.`
			`nixpkgs.overlays = [`
			`(_: _: {`
refactor(ops/nixos): migrate to depot module arg Previously the depot argument was provided as config.depot, but the "new way" of doing things (which is more like the args list provided in the rest of the depot) is to provide this as the "depot" NixOS module argument instead. Change-Id: Ib48b1c7c1bdff9c1eb0618c6cbacc22b651f5f98 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2763 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: glittershark <grfn@gws.fyi> 2021-04-02 14:18:50 +02:00			`inherit (depot.third_party) openldap;`
feat(tvl-slapd): Load Argon2 password module in OpenLDAP This makes it possible to use {ARGON2} hashes instead of the current salted SHA hashes, which is a much better idea. Unfortunately the nixpkgs module does not have an option for overridding the package used, so it is overlaid into the system package set - this causes widespread rebuilds. This is fine for us for now, but I have opened a PR upstream to add a package option: https://github.com/NixOS/nixpkgs/pull/91963 Change-Id: Ib4be931d88e74b91566639f8656742cf096f6cc3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/831 Reviewed-by: BuildkiteCI Reviewed-by: isomer <isomer@tvl.fyi> Tested-by: BuildkiteCI 2020-07-01 20:24:49 +02:00			`})`
			`];`

feat(ops/nixos/modules): Add TVL slapd module This initialises an OpenLDAP server for tvl.fyi This is the least annoying way to bootstrap Gerrit. Yep. 2020-06-08 02:08:41 +02:00			`services.openldap = {`
			`enable = true;`
			`dataDir = "/var/lib/openldap";`
chore(3p): Bump NixOS channels to 2020-12-28 Changes: * ops/nixos/tvl-slapd: The NixOS module for OpenLDAP has removed the ability to configure OpenLDAP directly and now forces users to use some kind of weird Nix->OLC mapping that is mostly undocumented. This moves the config we need to the new format in a way that may or may not work and does the other arbitrary dance steps that someone decided to impose on us. Note that this now throws lots of warnings, but I can't be bothered to fix them. * 3p: Random package removals accomodated * users/glittershark: Pin grfn's kernel to 5.9, because the CK patch is not yet updated for 5.10 * users/glittershark: Update vendor hash for pg-dump-upsert, I suspect this changed because of something in the Go build machinery in nixpkgs. The deleteVendor flag also has no effect anymore and has been removed. * users/glittershark: agda build is broken, commenting out development home-manager environment until it can be fixed * third_party/haskell_overlay: updating random needs upper boundarles of a few dependencies relaxed (curse them) * third_party/gerrit_plugins: for some cursed reason the fixed-output hash of the gerrit owners plugin fetchgit changed, updated. Same for the checks plugin. Change-Id: Ica37995fe8039d3ba80eab643867f98795c56734 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2295 Tested-by: BuildkiteCI Reviewed-by: Profpatsch <mail@profpatsch.de> Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: tazjin <mail@tazj.in> 2020-12-25 11:13:06 +01:00			`database = "mdb";`
feat(ops/nixos/modules): Add TVL slapd module This initialises an OpenLDAP server for tvl.fyi This is the least annoying way to bootstrap Gerrit. Yep. 2020-06-08 02:08:41 +02:00			`suffix = "dc=tvl,dc=fyi";`
			`rootdn = "cn=admin,dc=tvl,dc=fyi";`
chore(tvl-slapd): Rotate my LDAP passwords and use ARGON2 hashes Change-Id: Id1a60121e4254e7ccff77ac17fd39d0955aedc8f Reviewed-on: https://cl.tvl.fyi/c/depot/+/832 Reviewed-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: isomer <isomer@tvl.fyi> Tested-by: BuildkiteCI 2020-07-01 20:28:58 +02:00			`rootpw = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$OfcgkOQ96VQ3aJj7NfA9vQ$oS6HQOkYl/bUYg4SejpltQYy7kvqx/RUxvoR4zo1vXU";`
feat(ops/nixos/modules): Add TVL slapd module This initialises an OpenLDAP server for tvl.fyi This is the least annoying way to bootstrap Gerrit. Yep. 2020-06-08 02:08:41 +02:00
chore(3p): Bump NixOS channels to 2020-12-28 Changes: * ops/nixos/tvl-slapd: The NixOS module for OpenLDAP has removed the ability to configure OpenLDAP directly and now forces users to use some kind of weird Nix->OLC mapping that is mostly undocumented. This moves the config we need to the new format in a way that may or may not work and does the other arbitrary dance steps that someone decided to impose on us. Note that this now throws lots of warnings, but I can't be bothered to fix them. * 3p: Random package removals accomodated * users/glittershark: Pin grfn's kernel to 5.9, because the CK patch is not yet updated for 5.10 * users/glittershark: Update vendor hash for pg-dump-upsert, I suspect this changed because of something in the Go build machinery in nixpkgs. The deleteVendor flag also has no effect anymore and has been removed. * users/glittershark: agda build is broken, commenting out development home-manager environment until it can be fixed * third_party/haskell_overlay: updating random needs upper boundarles of a few dependencies relaxed (curse them) * third_party/gerrit_plugins: for some cursed reason the fixed-output hash of the gerrit owners plugin fetchgit changed, updated. Same for the checks plugin. Change-Id: Ica37995fe8039d3ba80eab643867f98795c56734 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2295 Tested-by: BuildkiteCI Reviewed-by: Profpatsch <mail@profpatsch.de> Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: tazjin <mail@tazj.in> 2020-12-25 11:13:06 +01:00			`settings.children = {`
			`"olcDatabase={1}mdb".attrs = {`
			`objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];`
			`olcDatabase = "{1}mdb";`
			`olcSuffix = "dc=tvl,dc=fyi";`
			`olcAccess = "to * by * read";`
			`};`
feat(ops/nixos/modules): Add TVL slapd module This initialises an OpenLDAP server for tvl.fyi This is the least annoying way to bootstrap Gerrit. Yep. 2020-06-08 02:08:41 +02:00
chore(3p): Bump NixOS channels to 2020-12-28 Changes: * ops/nixos/tvl-slapd: The NixOS module for OpenLDAP has removed the ability to configure OpenLDAP directly and now forces users to use some kind of weird Nix->OLC mapping that is mostly undocumented. This moves the config we need to the new format in a way that may or may not work and does the other arbitrary dance steps that someone decided to impose on us. Note that this now throws lots of warnings, but I can't be bothered to fix them. * 3p: Random package removals accomodated * users/glittershark: Pin grfn's kernel to 5.9, because the CK patch is not yet updated for 5.10 * users/glittershark: Update vendor hash for pg-dump-upsert, I suspect this changed because of something in the Go build machinery in nixpkgs. The deleteVendor flag also has no effect anymore and has been removed. * users/glittershark: agda build is broken, commenting out development home-manager environment until it can be fixed * third_party/haskell_overlay: updating random needs upper boundarles of a few dependencies relaxed (curse them) * third_party/gerrit_plugins: for some cursed reason the fixed-output hash of the gerrit owners plugin fetchgit changed, updated. Same for the checks plugin. Change-Id: Ica37995fe8039d3ba80eab643867f98795c56734 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2295 Tested-by: BuildkiteCI Reviewed-by: Profpatsch <mail@profpatsch.de> Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: tazjin <mail@tazj.in> 2020-12-25 11:13:06 +01:00			`"cn=module{0}".attrs = {`
			`objectClass = "olcModuleList";`
			`olcModuleLoad = "pw-argon2";`
			`};`
			`};`
feat(tvl-slapd): Load Argon2 password module in OpenLDAP This makes it possible to use {ARGON2} hashes instead of the current salted SHA hashes, which is a much better idea. Unfortunately the nixpkgs module does not have an option for overridding the package used, so it is overlaid into the system package set - this causes widespread rebuilds. This is fine for us for now, but I have opened a PR upstream to add a package option: https://github.com/NixOS/nixpkgs/pull/91963 Change-Id: Ib4be931d88e74b91566639f8656742cf096f6cc3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/831 Reviewed-by: BuildkiteCI Reviewed-by: isomer <isomer@tvl.fyi> Tested-by: BuildkiteCI 2020-07-01 20:24:49 +02:00
refactor(tvl-slapd): Move user definitions into Nix code Implements a function that generates the LDIF record for each user and templates it into the configuration. This is slightly more user-friendly and less error-prone (people kept getting the DNs wrong) than editing the contents manually. Change-Id: Ic419d2ef464f9a94be5d54b666f7d53134b53eed Reviewed-on: https://cl.tvl.fyi/c/depot/+/447 Reviewed-by: riking <rikingcoding@gmail.com> 2020-06-17 04:48:21 +02:00			`# Contents are immutable at runtime, and adding user accounts etc.`
			`# is done statically in the LDIF-formatted contents in this folder.`
chore(3p): Bump NixOS channels to 2020-12-28 Changes: * ops/nixos/tvl-slapd: The NixOS module for OpenLDAP has removed the ability to configure OpenLDAP directly and now forces users to use some kind of weird Nix->OLC mapping that is mostly undocumented. This moves the config we need to the new format in a way that may or may not work and does the other arbitrary dance steps that someone decided to impose on us. Note that this now throws lots of warnings, but I can't be bothered to fix them. * 3p: Random package removals accomodated * users/glittershark: Pin grfn's kernel to 5.9, because the CK patch is not yet updated for 5.10 * users/glittershark: Update vendor hash for pg-dump-upsert, I suspect this changed because of something in the Go build machinery in nixpkgs. The deleteVendor flag also has no effect anymore and has been removed. * users/glittershark: agda build is broken, commenting out development home-manager environment until it can be fixed * third_party/haskell_overlay: updating random needs upper boundarles of a few dependencies relaxed (curse them) * third_party/gerrit_plugins: for some cursed reason the fixed-output hash of the gerrit owners plugin fetchgit changed, updated. Same for the checks plugin. Change-Id: Ica37995fe8039d3ba80eab643867f98795c56734 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2295 Tested-by: BuildkiteCI Reviewed-by: Profpatsch <mail@profpatsch.de> Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: tazjin <mail@tazj.in> 2020-12-25 11:13:06 +01:00			`declarativeContents."dc=tvl,dc=fyi" = ''`
refactor(tvl-slapd): Move user definitions into Nix code Implements a function that generates the LDIF record for each user and templates it into the configuration. This is slightly more user-friendly and less error-prone (people kept getting the DNs wrong) than editing the contents manually. Change-Id: Ic419d2ef464f9a94be5d54b666f7d53134b53eed Reviewed-on: https://cl.tvl.fyi/c/depot/+/447 Reviewed-by: riking <rikingcoding@gmail.com> 2020-06-17 04:48:21 +02:00			`dn: dc=tvl,dc=fyi`
			`dc: tvl`
			`o: TVL LDAP server`
			`description: Root entry for tvl.fyi`
			`objectClass: top`
			`objectClass: dcObject`
			`objectClass: organization`

			`dn: ou=users,dc=tvl,dc=fyi`
			`ou: users`
			`description: All users in TVL`
			`objectClass: top`
			`objectClass: organizationalUnit`

			`dn: ou=groups,dc=tvl,dc=fyi`
			`ou: groups`
			`description: All groups in TVL`
			`objectClass: top`
			`objectClass: organizationalUnit`

			`${lib.concatStringsSep "\n" (map toLdif users)}`
			`'';`
feat(ops/nixos/modules): Add TVL slapd module This initialises an OpenLDAP server for tvl.fyi This is the least annoying way to bootstrap Gerrit. Yep. 2020-06-08 02:08:41 +02:00			`};`
			`}`