authorJörg Thalheim <joerg@thalheim.io>2019-04-23 15:13:45 +0100
committerJörg Thalheim <joerg@thalheim.io>2019-04-23 16:35:33 +0100
commitd43dc68db3f414a527cad632a3f1fb868fc1c902 (patch)
treec65c9baee3183e827fb9fbc0ba6c922734f97dc7 /nixos/modules/services/databases/openldap.nix
parent9d127f2450875d229af8c1863b9648f4ac24d8f4 (diff)
nixos/openldap: make rootpw option optional
This allows storing passwords in external files outside of the world-readable
nix store.
Diffstat (limited to 'nixos/modules/services/databases/openldap.nix')
-rw-r--r--nixos/modules/services/databases/openldap.nix33
1 files changed, 28 insertions, 5 deletions
diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix
index c101e7375af..c2f458c0379 100644
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -18,7 +18,11 @@ let
     database ${cfg.database}
     suffix ${cfg.suffix}
     rootdn ${cfg.rootdn}
-    rootpw ${cfg.rootpw}
+    ${if (cfg.rootpw != null) then ''
+      rootpw ${cfg.rootpw}
+    '' else ''
+      include ${cfg.rootpwFile}
+    ''}
     directory ${cfg.dataDir}
     ${cfg.extraDatabaseConfig}
   '');
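Review bot: When both rootpw and rootpwFile are set, the conditional at the top of the hunk emits only `rootpw ${cfg.rootpw}` and silently drops the file, so a user who adds rootpwFile to move the secret out of the store but forgets to unset rootpw still ends up with the plaintext password in the store-resident config. Either prefer the file when it is given, or reject the combination with an assertion such as `assertion = cfg.rootpw == null || cfg.rootpwFile == null;`. The `include ${cfg.rootpwFile}` line also makes slapd read that file at startup, so a short comment noting that it must be readable by the account slapd runs as would help; the enclosing let binding starts before the hunk.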
@@ -106,10 +110,23 @@ in
       };
 
       rootpw = mkOption {
-        type = types.str;
+        type = types.nullOr types.str;
+        default = null;
         description = ''
           Password for the root user.
           This setting will be ignored if configDir is set.
+          Using this option will store the root password in plain text in the
+          world-readable nix store. To avoid this the <literal>rootpwFile</literal> can be used.
+        '';
+      };
+
+      rootpwFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          Password file for the root user.
+          The file should contain the string <literal>rootpw</literal> followed by the password.
+          e.g.: <literal>rootpw mysecurepassword</literal>
         '';
       };
 
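Review bot: The rootpwFile description lacks the "This setting will be ignored if configDir is set." sentence that rootpw carries, although the generated config the option feeds is presumably the same one; the two descriptions should agree. Since the option exists specifically to keep the secret out of the store, the description should also say how it must be supplied: a string with the absolute path of a file readable by the slapd user, not a path literal, which in Nix is likely to be copied into the store. Something like `The file must live outside the nix store and be readable by the user slapd runs as; give its location as a string.` would cover both points.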
@@ -140,9 +157,9 @@ in
             include ${pkgs.openldap.out}/etc/schema/inetorgperson.schema
             include ${pkgs.openldap.out}/etc/schema/nis.schema
 
-            database bdb 
-            suffix dc=example,dc=org 
-            rootdn cn=admin,dc=example,dc=org 
+            database bdb
+            suffix dc=example,dc=org
+            rootdn cn=admin,dc=example,dc=org
             # NOTE: change after first start
             rootpw secret
             directory /var/db/openldap
@@ -218,6 +235,12 @@ in
   ###### implementation
 
   config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.rootpwFile != null || cfg.rootpw != null;
+        message = "Either services.openldap.rootpw or services.openldap.rootpwFile must be set";
+      }
+    ];
 
     environment.systemPackages = [ openldap ];
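Review bot: The new assertion requires a rootpw or rootpwFile even when configDir is set, although the rootpw description earlier in this diff says the setting is ignored in that case, so users of configDir would be forced to provide a password that is never used. If configDir is nullable, as that description suggests, the check should be relaxed to `assertion = cfg.configDir != null || cfg.rootpwFile != null || cfg.rootpw != null;`, with the message adjusted accordingly. The config attrset this assertion belongs to continues past the end of the hunk.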