diff --git a/ops/nixos/camden/default.nix b/ops/nixos/camden/default.nix
index 5db84ef50..bed32d2b3 100644
--- a/ops/nixos/camden/default.nix
+++ b/ops/nixos/camden/default.nix
@@ -10,6 +10,7 @@ in lib.fix(self: {
     ../modules/depot.nix
     ../modules/hound.nix
     ../modules/monorepo-gerrit.nix
+    ../modules/tvl-slapd/default.nix
     "${pkgs.nixpkgsSrc}/nixos/modules/services/web-apps/gerrit.nix"
   ];
   depot = depot;
diff --git a/ops/nixos/modules/tvl-slapd/contents.ldif b/ops/nixos/modules/tvl-slapd/contents.ldif
new file mode 100644
index 000000000..4f883926f
--- /dev/null
+++ b/ops/nixos/modules/tvl-slapd/contents.ldif
@@ -0,0 +1,29 @@
+dn: dc=tvl,dc=fyi
+dc: tvl
+o: TVL LDAP server
+description: Root entry for tvl.fyi
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+
+dn: ou=users,dc=tvl,dc=fyi
+ou: users
+description: All users in TVL
+objectClass: top
+objectClass: organizationalUnit
+
+dn: ou=groups,dc=tvl,dc=fyi
+ou: groups
+description: All groups in TVL
+objectClass: top
+objectClass: organizationalUnit
+
+# Users in tvl.fyi
+dn: cn=tazjin,ou=users,dc=tvl,dc=fyi
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: tazjin
+sn: tazjin
+title: tazjin
+mail: mail@tazj.in
+userPassword: {SSHA}67H341jRfAFBDz/R9+T3fHQiPfjwTbpQ
diff --git a/ops/nixos/modules/tvl-slapd/default.nix b/ops/nixos/modules/tvl-slapd/default.nix
new file mode 100644
index 000000000..294a6636d
--- /dev/null
+++ b/ops/nixos/modules/tvl-slapd/default.nix
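Review bot: The `userPassword` value for cn=tazjin at the end of contents.ldif is an `{SSHA}` digest checked into the repository; {SSHA} is salted SHA-1, which is fast enough that a hash visible in the repo can be brute-forced offline, so hashes that live in version control should use a slow scheme such as `{CRYPT}` with a modern `password-crypt-salt-format`, or one of OpenLDAP's contrib password-hash modules. The `# Users in tvl.fyi` comment is the natural place to record the convention for the next person adding an account, e.g. `# userPassword hashes are generated with slappasswd; avoid {SSHA} for hashes committed here.` The existing {SSHA} value should be treated as exposed once it has been pushed and be regenerated under the stronger scheme.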
@@ -0,0 +1,30 @@
+# Configures an OpenLDAP instance for TVL
+#
+# TODO(tazjin): Configure ldaps://
+{ pkgs, config, ... }:
+
+{
+  services.openldap = {
+    enable = true;
+    dataDir = "/var/lib/openldap";
+    suffix = "dc=tvl,dc=fyi";
+    rootdn = "cn=admin,dc=tvl,dc=fyi";
+    rootpw = "{SSHA}yEEO6Ol2W3ritdiJzPSsjOtyPGxWF2JW";
+
+    # Contents are immutable at runtime, and adding user accounts etc.
+    # is done statically in the LDIF-formatted contents in this folder.
+    declarativeContents = builtins.readFile ./contents.ldif;
+
+    # ACL configuration
+    extraDatabaseConfig = ''
+      # Allow users to change their own password
+      access to attrs=userPassword
+        by self write
+        by anonymous auth
+        by users none
+
+      # Allow default read access to other directory elements
+      access to * by * read
+    '';
+  };
+}
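Review bot: The ACL comment `# Allow users to change their own password` with `by self write` on userPassword is at odds with the comment above `declarativeContents` stating that contents are immutable at runtime: if the NixOS module rebuilds the database from the LDIF on each service start, as declarative contents imply, a self-service password change survives only until the next deploy or restart, so either drop `by self write` or extend the comment to say the change is transient and the LDIF is authoritative. `access to * by * read` also lets anonymous binds read every entry, including `mail`, and with ldaps:// still a TODO the `by anonymous auth` simple binds carry passwords in cleartext over the network; until TLS is in place the listener should be restricted to local interfaces via `urlList` or the catch-all narrowed to `by users read`. The `rootpw` digest is a literal in the module and therefore presumably ends up in the generated slapd configuration in the world-readable Nix store as well as in the repo; prefer a file-based secret if the module version in use offers one, and regenerate the committed hash in any case.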