feat(tvl-slapd): Load Argon2 password module in OpenLDAP

This makes it possible to use {ARGON2} hashes instead of the current
salted SHA hashes, which is a much better idea.

Unfortunately the nixpkgs module does not have an option for
overriding the package used, so it is overlaid into the system
package set - this causes widespread rebuilds.

This is fine for us for now, but I have opened a PR upstream to add a
package option: https://github.com/NixOS/nixpkgs/pull/91963

Change-Id: Ib4be931d88e74b91566639f8656742cf096f6cc3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/831
Reviewed-by: BuildkiteCI
Reviewed-by: isomer <isomer@tvl.fyi>
Tested-by: BuildkiteCI
Vincent Ambo 2020-07-01 19:24:49 +01:00 committed by tazjin
parent d2aaf030bd
commit 5b4ff0c393


@ -98,6 +98,17 @@ let
}
];
in {
# Use our patched OpenLDAP derivation which enables stronger password hashing.
#
# Unfortunately the module for OpenLDAP has no package option, so we
# need to override it system-wide. Be aware that this triggers a
# *large* number of rebuilds of packages such as GPG and Python.
nixpkgs.overlays = [
(_: _: {
inherit (config.depot.third_party) openldap;
})
];
services.openldap = {
enable = true;
dataDir = "/var/lib/openldap";
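Review bot: The comment above `nixpkgs.overlays` explains the cost of the system-wide override but not its exit condition; since the commit message says an upstream package option is in flight (https://github.com/NixOS/nixpkgs/pull/91963), add a TODO with that link next to the overlay so it is removed once `services.openldap` gains a package option, rather than lingering and rebuilding GPG and Python on every channel bump. Also note that the overlay body `(_: _: { inherit (config.depot.third_party) openldap; })` reads `config` from inside `nixpkgs.overlays`; that works only as long as `config.depot.third_party` does not itself depend on the final `pkgs`, so a one-line comment stating that assumption would help the next person who touches the depot's package set.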
@ -117,6 +128,10 @@ in {
access to * by * read
'';
extraConfig = ''
moduleload pw-argon2
'';
# Contents are immutable at runtime, and adding user accounts etc.
# is done statically in the LDIF-formatted contents in this folder.
declarativeContents = ''
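Review bot: `moduleload pw-argon2` in `extraConfig` only makes slapd able to verify `{ARGON2}` values; nothing in this hunk sets `password-hash {ARGON2}`, so any password set through the server itself (ldappasswd / Password Modify) will still be stored with the default scheme, and only the hashes placed statically in `declarativeContents` gain Argon2. If server-side password changes are expected, add `password-hash {ARGON2}` after the `moduleload` line; if all credentials are meant to be pre-hashed in the LDIF, say so in the comment so the omission is clearly deliberate. Since the module comes from the patched package rather than stock OpenLDAP, also confirm the build's default `modulepath` contains `pw-argon2`, otherwise slapd fails to start on an unknown module.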