lldap: automatic provision + system users + stalwart + whatever

2025-02-03 18:15:53 +01:00 · 2025-02-03 18:15:53 +01:00 · 82caf96d36
commit 82caf96d36
parent 4a0129585a
19 changed files with 405 additions and 285 deletions
--- a/machines/gerd/services/lldap/provision.nix
+++ b/machines/gerd/services/lldap/provision.nix
@ -0,0 +1,68 @@
+{ config, lib, ... }:
+
+{
+  imports = [
+    ./module
+  ];
+
+  services.lldap = {
+    provisionUsername = "admin";
+    provisionPasswordFile = config.age.secrets.lldap-admin-user-pass.path;
+
+    provision = config.mine.shared.lib.ldap.mkScope (lconfig: llib: {
+      # users
+      users = {
+        # normal users
+        testusername = {
+          membermail = "env:EMAIL_EMAIL0";
+          groups = [ config.services.lldap.provision.groups.system_mail.display_name ];
+        };
+
+        user1 = llib.mkProvisionUserNormal "thief420";
+
+        # admin users
+        admin = llib.mkProvisionUserAdmin "admin";
+        eyjhb = llib.mkProvisionUserAdmin "eyjhb";
+        rasmus = llib.mkProvisionUserAdmin "rasmus";
+
+        # system users - defined in each service
+        # should not be done here
+
+        # bind user
+        bind = {
+          user_id = "bind_user";
+          groups = [ lconfig.groups.password_manager lconfig.groups.strict_readonly ];
+        };
+      };
+
+      # groups
+      groups = {
+        "base_member" = {};
+        "system_service" = {};
+        "system_mail" = {};
+      };
+
+      # attributes
+      group_attributes = {
+        group_foo = {
+          attributeType = "STRING";
+          isEditable = true;
+          isVisible = true;
+        };
+      };
+      user_attributes = {
+        membermail = {
+          attributeType = "STRING";
+          isEditable = false;
+          isVisible = true;
+        };
+        membermaildiskquota = {
+          attributeType = "INTEGER";
+        };
+      };
+
+    });
+  };
+
+  systemd.services.lldapsetup.serviceConfig.EnvironmentFile = config.age.secrets.lldap-user-emails-env.path;
+}