feat(ops/nixos/modules): Add TVL slapd module

This initialises an OpenLDAP server for tvl.fyi

This is the least annoying way to bootstrap Gerrit. Yep.

ops/nixos/camden/default.nix

@@ -10,6 +10,7 @@ in lib.fix(self: {
     ../modules/depot.nix
     ../modules/hound.nix
     ../modules/monorepo-gerrit.nix
+    ../modules/tvl-slapd/default.nix
     "${pkgs.nixpkgsSrc}/nixos/modules/services/web-apps/gerrit.nix"
   ];
   depot = depot;

ops/nixos/modules/tvl-slapd/contents.ldif

@@ -0,0 +1,29 @@
+dn: dc=tvl,dc=fyi
+dc: tvl
+o: TVL LDAP server
+description: Root entry for tvl.fyi
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+
+dn: ou=users,dc=tvl,dc=fyi
+ou: users
+description: All users in TVL
+objectClass: top
+objectClass: organizationalUnit
+
+dn: ou=groups,dc=tvl,dc=fyi
+ou: groups
+description: All groups in TVL
+objectClass: top
+objectClass: organizationalUnit
+
+# Users in tvl.fyi
+dn: cn=tazjin,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: tazjin
+sn: tazjin
+title: tazjin
+mail: mail@tazj.in
+userPassword: {SSHA}67H341jRfAFBDz/R9+T3fHQiPfjwTbpQ

ops/nixos/modules/tvl-slapd/default.nix

@@ -0,0 +1,30 @@
+# Configures an OpenLDAP instance for TVL
+#
+# TODO(tazjin): Configure ldaps://
+{ pkgs, config, ... }:
+
+{
+  services.openldap = {
+    enable = true;
+    dataDir = "/var/lib/openldap";
+    suffix = "dc=tvl,dc=fyi";
+    rootdn = "cn=admin,dc=tvl,dc=fyi";
+    rootpw = "{SSHA}yEEO6Ol2W3ritdiJzPSsjOtyPGxWF2JW";
+
+    # Contents are immutable at runtime, and adding user accounts etc.
+    # is done statically in the LDIF-formatted contents in this folder.
+    declarativeContents = builtins.readFile ./contents.ldif;
+
+    # ACL configuration
+    extraDatabaseConfig = ''
+      # Allow users to change their own password
+      access to attrs=userPassword
+        by self write
+        by anonymous auth
+        by users none
+
+      # Allow default read access to other directory elements
+      access to * by * read
+    '';
+  };
+}