268729083e
NixOS modules move one level up because it's unlikely that //ops/nixos will contain actual systems at this point (they're user-specific). This is the first users folder, so it is also added to the root readTree invocation for the repository. Change-Id: I546c701145fa204b7ba7518a8a56a783588629e0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/244 Reviewed-by: tazjin <mail@tazj.in>
# Configures an OpenLDAP instance for TVL
#
# This is a NixOS module (a function of the module arguments) that sets
# up services.openldap; the directory tree under dc=tvl,dc=fyi is
# populated from the LDIF file next to this module.
#
# TODO(tazjin): Configure ldaps://
# NOTE(review): until ldaps:// is configured, simple binds against this
# instance carry the user's password unencrypted on the wire, so client
# access should stay on a trusted network or local host.
{ pkgs, config, ... }:

{
  services.openldap = {
    enable = true;
    dataDir = "/var/lib/openldap";
    suffix = "dc=tvl,dc=fyi";
    rootdn = "cn=admin,dc=tvl,dc=fyi";
    # Salted SHA-1 ({SSHA}) hash of the directory manager's password.
    # NOTE(review): a value given here is embedded in the generated
    # slapd configuration, which presumably ends up in the world-readable
    # Nix store like other module-generated files; a hash there can be
    # attacked offline. A file-based secret option (rootpwFile in some
    # versions of the NixOS openldap module) avoids this — confirm the
    # option exists for the NixOS release in use.
    rootpw = "{SSHA}yEEO6Ol2W3ritdiJzPSsjOtyPGxWF2JW";

    # Contents are immutable at runtime, and adding user accounts etc.
    # is done statically in the LDIF-formatted contents in this folder.
    # builtins.readFile embeds the LDIF at evaluation time, so the
    # directory contents are reviewable in this repository.
    declarativeContents = builtins.readFile ./contents.ldif;

    # ACL configuration
    # OpenLDAP evaluates "access to" clauses in order and uses the first
    # one whose target matches, so the userPassword rule must stay ahead
    # of the catch-all rule below.
    extraDatabaseConfig = ''
      # Allow users to change their own password
      # "self write": an entry may modify its own userPassword.
      # "anonymous auth": unauthenticated clients may use the attribute
      #   only to bind (authenticate), never to read it.
      # "users none": any other authenticated user gets no access to it.
      access to attrs=userPassword
        by self write
        by anonymous auth
        by users none

      # Allow default read access to other directory elements
      # "by *" includes anonymous clients, so every attribute except
      # userPassword is readable without binding.
      access to * by * read
    '';
  };
}