mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-02 03:43:06 +00:00
08c37ba899
While `/var/lib/lldap` isn't technically accessible by unprivileged users thanks to `DynamicUser=true`, a user might prefer and change it to `DynamicUser=false`. There is currently also a PR open that intends to make `DynamicUser` configurable via module option. As such, `jwt_secret_file`, if bootstrapped by the service start procedure, might be rendered world-readable due to its permissions (`0644/-rw-r--r--`) defaulting to the service's umask (`022`) and `/var/lib/lldap` to `0755/drwxr-xr-x` due to `StateDirectoryMode=0755`. This would usually be fixed by using `(umask 027; openssl ...)` instead of just `openssl ...`. However, it was found that another file (`users.db`), this time bootstrapped by `lldap` itself, also had insufficient permissions (`0644/-rw-r--r--`) inherited by the global umask and would be left world-readable as well. Due to this, we instead change the service's to `027`. And to lower the impact for already bootstrapped files on existing instances like `users.db`, set `StateDirectoryMode=0750`.
138 lines
4.5 KiB
Nix
138 lines
4.5 KiB
Nix
{ config, lib, pkgs, utils, ... }:
|
|
|
|
let
|
|
cfg = config.services.lldap;
|
|
format = pkgs.formats.toml { };
|
|
in
|
|
{
|
|
options.services.lldap = with lib; {
|
|
enable = mkEnableOption (mdDoc "lldap");
|
|
|
|
package = mkPackageOption pkgs "lldap" { };
|
|
|
|
environment = mkOption {
|
|
type = with types; attrsOf str;
|
|
default = { };
|
|
example = {
|
|
LLDAP_JWT_SECRET_FILE = "/run/lldap/jwt_secret";
|
|
LLDAP_LDAP_USER_PASS_FILE = "/run/lldap/user_password";
|
|
};
|
|
description = lib.mdDoc ''
|
|
Environment variables passed to the service.
|
|
Any config option name prefixed with `LLDAP_` takes priority over the one in the configuration file.
|
|
'';
|
|
};
|
|
|
|
environmentFile = mkOption {
|
|
type = types.nullOr types.path;
|
|
default = null;
|
|
description = lib.mdDoc ''
|
|
Environment file as defined in {manpage}`systemd.exec(5)` passed to the service.
|
|
'';
|
|
};
|
|
|
|
settings = mkOption {
|
|
description = mdDoc ''
|
|
Free-form settings written directly to the `lldap_config.toml` file.
|
|
Refer to <https://github.com/lldap/lldap/blob/main/lldap_config.docker_template.toml> for supported values.
|
|
'';
|
|
|
|
default = { };
|
|
|
|
type = types.submodule {
|
|
freeformType = format.type;
|
|
options = {
|
|
ldap_host = mkOption {
|
|
type = types.str;
|
|
description = mdDoc "The host address that the LDAP server will be bound to.";
|
|
default = "::";
|
|
};
|
|
|
|
ldap_port = mkOption {
|
|
type = types.port;
|
|
description = mdDoc "The port on which to have the LDAP server.";
|
|
default = 3890;
|
|
};
|
|
|
|
http_host = mkOption {
|
|
type = types.str;
|
|
description = mdDoc "The host address that the HTTP server will be bound to.";
|
|
default = "::";
|
|
};
|
|
|
|
http_port = mkOption {
|
|
type = types.port;
|
|
description = mdDoc "The port on which to have the HTTP server, for user login and administration.";
|
|
default = 17170;
|
|
};
|
|
|
|
http_url = mkOption {
|
|
type = types.str;
|
|
description = mdDoc "The public URL of the server, for password reset links.";
|
|
default = "http://localhost";
|
|
};
|
|
|
|
ldap_base_dn = mkOption {
|
|
type = types.str;
|
|
description = mdDoc "Base DN for LDAP.";
|
|
example = "dc=example,dc=com";
|
|
};
|
|
|
|
ldap_user_dn = mkOption {
|
|
type = types.str;
|
|
description = mdDoc "Admin username";
|
|
default = "admin";
|
|
};
|
|
|
|
ldap_user_email = mkOption {
|
|
type = types.str;
|
|
description = mdDoc "Admin email.";
|
|
default = "admin@example.com";
|
|
};
|
|
|
|
database_url = mkOption {
|
|
type = types.str;
|
|
description = mdDoc "Database URL.";
|
|
default = "sqlite://./users.db?mode=rwc";
|
|
example = "postgres://postgres-user:password@postgres-server/my-database";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
systemd.services.lldap = {
|
|
description = "Lightweight LDAP server (lldap)";
|
|
wants = [ "network-online.target" ];
|
|
after = [ "network-online.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
# lldap defaults to a hardcoded `jwt_secret` value if none is provided, which is bad, because
|
|
# an attacker could create a valid admin jwt access token fairly trivially.
|
|
# Because there are 3 different ways `jwt_secret` can be provided, we check if any one of them is present,
|
|
# and if not, bootstrap a secret in `/var/lib/lldap/jwt_secret_file` and give that to lldap.
|
|
script = lib.optionalString (!cfg.settings ? jwt_secret) ''
|
|
if [[ -z "$LLDAP_JWT_SECRET_FILE" ]] && [[ -z "$LLDAP_JWT_SECRET" ]]; then
|
|
if [[ ! -e "./jwt_secret_file" ]]; then
|
|
${lib.getExe pkgs.openssl} rand -base64 -out ./jwt_secret_file 32
|
|
fi
|
|
export LLDAP_JWT_SECRET_FILE="./jwt_secret_file"
|
|
fi
|
|
'' + ''
|
|
${lib.getExe cfg.package} run --config-file ${format.generate "lldap_config.toml" cfg.settings}
|
|
'';
|
|
serviceConfig = {
|
|
StateDirectory = "lldap";
|
|
StateDirectoryMode = "0750";
|
|
WorkingDirectory = "%S/lldap";
|
|
UMask = "0027";
|
|
User = "lldap";
|
|
Group = "lldap";
|
|
DynamicUser = true;
|
|
EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
|
|
};
|
|
inherit (cfg) environment;
|
|
};
|
|
};
|
|
}
|