chore(idp): sys accounts

2026-02-09 04:19:19 -08:00 · 2024-04-02 13:52:06 -07:00 · 2024-04-02 13:52:06 -07:00 · 34d1b400e1
commit 34d1b400e1
parent db2f7d27b3
10 changed files with 561 additions and 81 deletions
--- a/modules/nixos/ldap/hosts.nix
+++ b/modules/nixos/ldap/hosts.nix
@ -1,11 +1,70 @@
 {
  config,
  lib,
+  inputs,
  ...
 }: let
-  inherit (lib.options) mkOption;
+  inherit (inputs.self.lib.lib) mkAlmostOptionDefault mapListToAttrs;
+  inherit (lib.options) mkOption mkEnableOption;
+  inherit (lib.modules) mkOptionDefault;
+  inherit (lib.attrsets) mapAttrsToList;
+  inherit (lib.lists) filter;
+  cfg = config.users.ldap;
+  ldap'lib = config.lib.ldap;
+  sysaccountModule = {config, nixosConfig, name, ldap, ...}: {
+    options = with lib.types; {
+      enable = mkEnableOption "sys account" // {
+        default = true;
+      };
+      uid = mkOption {
+        type = str;
+        default = name;
+      };
+      passwordFile = mkOption {
+        type = nullOr path;
+        default = null;
+      };
+      object = mkOption {
+        type = ldap.lib.objectSettingsType;
+      };
+    };
+    config = {
+      object = {
+        enable = mkAlmostOptionDefault config.enable;
+        dn = mkOptionDefault (ldap.lib.withBaseDn "uid=${config.uid},${ldap.sysAccountDnSuffix}");
+        settings = {
+          changeType = mkAlmostOptionDefault "add";
+          settings = {
+            uid = mkOptionDefault config.uid;
+            objectClass' = {
+              name = "objectClass";
+              initial = true;
+              value = [ "account" "simplesecurityobject" ];
+            };
+            userPassword = {
+              initial = true;
+              value = mkOptionDefault "initial123";
+            };
+            passwordExpirationTime = {
+              initial = true;
+              value = mkOptionDefault "20010101031407Z";
+            };
+          };
+        };
+      };
+    };
+  };
 in {
  options.users.ldap = with lib.types; {
+    management = {
+      sysAccounts = mkOption {
+        type = attrsOf (submoduleWith {
+          modules = [ sysaccountModule ];
+          inherit (config.lib.ldap) specialArgs;
+        });
+        default = { };
+      };
+    };
    domainDnSuffix = mkOption {
      type = str;
      default = "";
@ -14,6 +73,10 @@ in {
      type = str;
      default = "";
    };
+    hostGroupDnSuffix = mkOption {
+      type = str;
+      default = "";
+    };
    serviceDnSuffix = mkOption {
      type = str;
      default = "";
@ -23,4 +86,10 @@ in {
      default = "";
    };
  };
+  config.users.ldap = {
+    management.objects = let
+      sysAccountObjects = mapAttrsToList (_: acc: acc.object) cfg.management.sysAccounts;
+      enabledObjects = filter (object: object.enable) sysAccountObjects;
+    in mapListToAttrs ldap'lib.mapObjectSettingsToPair enabledObjects;
+  };
 }