nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-24 07:53:19 +00:00
Code Issues Packages Projects Releases Wiki Activity
14b3ea2789
nixpkgs/nixos/modules/services/databases/lldap.nix
emilylange 08c37ba899 nixos/lldap: set service UMask=0027 and StateDirectoryMode=0750 
While `/var/lib/lldap` isn't technically accessible by unprivileged
users thanks to `DynamicUser=true`, a user might prefer and change it to
`DynamicUser=false`.

There is currently also a PR open that intends to make `DynamicUser`
configurable via module option.

As such, `jwt_secret_file`, if bootstrapped by the service start
procedure, might be rendered world-readable due to its permissions
(`0644/-rw-r--r--`) defaulting to the service's umask (`022`) and
`/var/lib/lldap` to `0755/drwxr-xr-x` due to `StateDirectoryMode=0755`.

This would usually be fixed by using `(umask 027; openssl ...)` instead
of just `openssl ...`.

However, it was found that another file (`users.db`), this time
bootstrapped by `lldap` itself, also had insufficient permissions
(`0644/-rw-r--r--`) inherited by the global umask and would be left
world-readable as well.

Due to this, we instead change the service's to `027`.

And to lower the impact for already bootstrapped files on existing
instances like `users.db`, set `StateDirectoryMode=0750`.
2024-03-11 17:34:29 +01:00

138 lines
4.5 KiB
Nix
Raw Blame History

{ config, lib, pkgs, utils, ... }:
let
cfg = config.services.lldap;
format = pkgs.formats.toml { };
in
{
options.services.lldap = with lib; {
enable = mkEnableOption (mdDoc "lldap");
package = mkPackageOption pkgs "lldap" { };
environment = mkOption {
type = with types; attrsOf str;
default = { };
example = {
LLDAP_JWT_SECRET_FILE = "/run/lldap/jwt_secret";
LLDAP_LDAP_USER_PASS_FILE = "/run/lldap/user_password";
};
description = lib.mdDoc ''
Environment variables passed to the service.
Any config option name prefixed with `LLDAP_` takes priority over the one in the configuration file.
'';
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
description = lib.mdDoc ''
Environment file as defined in {manpage}`systemd.exec(5)` passed to the service.
'';
};
settings = mkOption {
description = mdDoc ''
Free-form settings written directly to the `lldap_config.toml` file.
Refer to <https://github.com/lldap/lldap/blob/main/lldap_config.docker_template.toml> for supported values.
'';
default = { };
type = types.submodule {
freeformType = format.type;
options = {
ldap_host = mkOption {
type = types.str;
description = mdDoc "The host address that the LDAP server will be bound to.";
default = "::";
};
ldap_port = mkOption {
type = types.port;
description = mdDoc "The port on which to have the LDAP server.";
default = 3890;
};
http_host = mkOption {
type = types.str;
description = mdDoc "The host address that the HTTP server will be bound to.";
default = "::";
};
http_port = mkOption {
type = types.port;
description = mdDoc "The port on which to have the HTTP server, for user login and administration.";
default = 17170;
};
http_url = mkOption {
type = types.str;
description = mdDoc "The public URL of the server, for password reset links.";
default = "http://localhost";
};
ldap_base_dn = mkOption {
type = types.str;
description = mdDoc "Base DN for LDAP.";
example = "dc=example,dc=com";
};
ldap_user_dn = mkOption {
type = types.str;
description = mdDoc "Admin username";
default = "admin";
};
ldap_user_email = mkOption {
type = types.str;
description = mdDoc "Admin email.";
default = "admin@example.com";
};
database_url = mkOption {
type = types.str;
description = mdDoc "Database URL.";
default = "sqlite://./users.db?mode=rwc";
example = "postgres://postgres-user:password@postgres-server/my-database";
};
};
};
};
};
config = lib.mkIf cfg.enable {
systemd.services.lldap = {
description = "Lightweight LDAP server (lldap)";
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
# lldap defaults to a hardcoded `jwt_secret` value if none is provided, which is bad, because
# an attacker could create a valid admin jwt access token fairly trivially.
# Because there are 3 different ways `jwt_secret` can be provided, we check if any one of them is present,
# and if not, bootstrap a secret in `/var/lib/lldap/jwt_secret_file` and give that to lldap.
script = lib.optionalString (!cfg.settings ? jwt_secret) ''
if [[ -z "$LLDAP_JWT_SECRET_FILE" ]] && [[ -z "$LLDAP_JWT_SECRET" ]]; then
if [[ ! -e "./jwt_secret_file" ]]; then
${lib.getExe pkgs.openssl} rand -base64 -out ./jwt_secret_file 32
fi
export LLDAP_JWT_SECRET_FILE="./jwt_secret_file"
fi
'' + ''
${lib.getExe cfg.package} run --config-file ${format.generate "lldap_config.toml" cfg.settings}
'';
serviceConfig = {
StateDirectory = "lldap";
StateDirectoryMode = "0750";
WorkingDirectory = "%S/lldap";
UMask = "0027";
User = "lldap";
Group = "lldap";
DynamicUser = true;
EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
};
inherit (cfg) environment;
};
};
}
Reference in New Issue View Git Blame Copy Permalink