From cb691265b65bd207741dc2798ff3cc911ff01437 Mon Sep 17 00:00:00 2001
From: Jozko Skrablin
Date: Thu, 28 Nov 2013 22:21:50 +0100
Subject: Added openldap user, group and configure service so its not running as root.

---
 nixos/modules/misc/ids.nix                    |  2 ++
 nixos/modules/services/databases/openldap.nix | 27 +++++++++++++++++++++++++--
 2 files changed, 27 insertions(+), 2 deletions(-)

(limited to 'nixos')

diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 0b4274b13e6..ccd75d5b915 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -107,6 +107,7 @@
     redis = 96;
     haproxy = 97;
     mongodb = 98;
+    openldap = 99;
 
     # When adding a uid, make sure it doesn't match an existing gid.
 
@@ -194,6 +195,7 @@
     amule = 90;
     minidlna = 91;
     haproxy = 92;
+    openldap = 93;
 
     # When adding a gid, make sure it doesn't match an existing uid.
 
diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix
index a4dd30be1fb..0fc8b88c652 100644
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -26,6 +26,16 @@ in
       ";
     };
 
+    user = mkOption {
+      default = "openldap";
+      description = "User account under which slapd runs.";
+    };
+
+    group = mkOption {
+      default = "openldap";
+      description = "Group account under which slapd runs.";
+    };
+
     extraConfig = mkOption {
       default = "";
       description = "
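Review bot: The new `user` and `group` options in the openldap.nix hunk declare no `type`, so a non-string value (or a typo such as a list) is not rejected at evaluation time and only surfaces when the `chown` in preStart or the `users.extraUsers` comparison misbehaves. If the module's `types` helper is in scope in this file (the hunk shows only `mkOption`, so that cannot be confirmed here), adding `type = types.str;` to both options pins them to strings. It would also help to say in the descriptions that the account is created automatically only when the option keeps its default value of `"openldap"`, since that is what the service hunk implements.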
@@ -49,10 +59,23 @@ in
       after = [ "network.target" ];
       preStart = ''
         mkdir -p /var/run/slapd
+        chown -R ${cfg.user}:${cfg.group} /var/run/slapd
+        mkdir -p /var/db/openldap
+        chown -R ${cfg.user}:${cfg.group} /var/db/openldap
       '';
-      serviceConfig.ExecStart = "${openldap}/libexec/slapd -d 0 -f ${configFile}";
+      serviceConfig.ExecStart = "${openldap}/libexec/slapd -u openldap -g openldap -d 0 -f ${configFile}";
     };
 
-  };
+    users.extraUsers = optionalAttrs (cfg.user == "openldap") (singleton
+      { name = "openldap";
+        group = "openldap";
+        uid = config.ids.uids.openldap;
+      });
+
+    users.extraGroups = optionalAttrs (cfg.group == "openldap") (singleton
+      { name = "openldap";
+        gid = config.ids.gids.openldap;
+      });
+  };
 
 }
-- 
cgit 1.4.1
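Review bot: The new ExecStart line hard-codes `-u openldap -g openldap` while the preStart `chown` lines use `${cfg.user}:${cfg.group}` and the `openldap` account is only created when `cfg.user == "openldap"`, so setting the option to any other value leaves the data directories owned by one account while slapd is told to drop privileges to another that may not exist. The line should follow the options: `serviceConfig.ExecStart = "${openldap}/libexec/slapd -u ${cfg.user} -g ${cfg.group} -d 0 -f ${configFile}";`. The `chown -R` on /var/db/openldap also runs as root on every start and walks the whole database directory; a plain `chown` of the directory itself (or a one-time ownership fix) would be enough once the directory exists, though whether slapd's backend needs recursive ownership cannot be told from this hunk. The enclosing `config` attribute set starts outside the hunk.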