infrastructure/nixos/ldap/permissions.nix

{
  config,
  lib,
  ...
}: let
  inherit (lib.attrsets) genAttrs;
  inherit (lib.modules) mkDefault;
  inherit (config.users) ldap;
  # Read back through `config` so the cross-references below see the merged
  # option value (including anything another module adds), not just the
  # literals written in this file.
  inherit (ldap.management) permissions;

  # Attributes common to the RBAC container entries (permission, privilege and
  # role objects), in the order the ACIs list them.
  rbacCommonAttrs = ["cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory"];

  # Attributes that only exist on permission entries themselves.
  permissionOnlyAttrs = [
    "ipapermtarget"
    "ipapermright"
    "ipapermincludedattr"
    "ipapermbindruletype"
    "ipapermexcludedattr"
    "ipapermtargetto"
    "ipapermissiontype"
    "ipapermlocation"
    "ipapermdefaultattr"
    "ipapermtargetfrom"
    "ipapermtargetfilter"
  ];

  # Service (system) accounts: each gets an LDAP entry below and a matching
  # sops-managed secret named `ldap-<name>-password`.
  sysAccountNames = ["peep" "keycloak"];
in {
  config.users.ldap.management = {
    enable = mkDefault true;

    permissions = {
      # Readable with an anonymous bind, i.e. without authenticating. Only the
      # attributes listed here are exposed that way; NOTE(review): this includes
      # the SID, manager and title of every user, so anyone who can reach the
      # directory port can enumerate them — confirm that exposure is intended.
      "Custom Anonymous User Read" = {
        bindType = "anonymous";
        targetType = "user";
        attrs = ["gidnumber" "homedirectory" "ipantsecurityidentifier" "loginshell" "manager" "objectclass" "title" "uid" "uidnumber"];
      };

      # Full control over permission entries. Holders can rewrite the ACIs that
      # define every other permission, so this is effectively directory-admin
      # level access; grant it sparingly.
      "Custom Permission Admin" = {
        location = ldap.permissionDnSuffix;
        target = "cn=*";
        rights = "all";
        attrs = ["member"] ++ rbacCommonAttrs ++ permissionOnlyAttrs;
      };

      # Full control over privilege entries (which permissions a privilege bundles).
      "Custom Privilege Admin" = {
        location = ldap.privilegeDnSuffix;
        target = "cn=*";
        rights = "all";
        attrs = ["member" "memberof"] ++ rbacCommonAttrs;
      };

      # Full control over role entries (which privileges and members a role has).
      "Custom Role Admin" = {
        location = ldap.roleDnSuffix;
        target = "cn=*";
        rights = "all";
        attrs = ["member" "memberof"] ++ rbacCommonAttrs;
      };

      # Write/add on roles only; reuses the merged attribute list of the admin
      # permission above so the two stay in sync.
      "Custom Role Modify" = {
        targetType = "role";
        rights = ["write" "add"];
        attrs = permissions."Custom Role Admin".attrs;
      };

      # Lets a holder change host group membership, nothing else on the host entry.
      "Custom Host Permission" = {
        targetType = "host";
        rights = ["write"];
        attrs = ["memberof"];
      };

      # Manage the non-credential attributes of system accounts.
      "Custom SysAccount Permission" = {
        targetType = "sysaccount";
        rights = "all";
        attrs = [
          "member"
          "memberof"
          "uid"
          "o"
          "ou"
          "description"
          "objectclass"
          "seealso"
          "businesscategory"
          "passwordExpirationTime"
          "nsIdleTimeout"
        ];
      };

      # Everything the permission above grants, plus create/delete of system
      # account entries and write access to userPassword — i.e. the ability to
      # set or reset a service account's credential.
      "Custom SysAccount Admin" = {
        location = ldap.sysAccountDnSuffix;
        target = "uid=*";
        rights = ["add" "write" "delete"];
        attrs = permissions."Custom SysAccount Permission".attrs ++ ["userPassword"];
      };

      # Lets a holder change service group membership, nothing else on the service entry.
      "Custom Service Permission" = {
        targetType = "service";
        rights = ["write"];
        attrs = ["memberof"];
      };
    };

    privileges = {
      # Bundles every management permission above except the anonymous read,
      # which is a bind rule rather than something a principal is granted.
      "Custom Management Admin" = {
        permissions = [
          "Custom Permission Admin"
          "Custom Privilege Admin"
          "Custom Role Admin"
          "Custom Role Modify"
          "Custom Host Permission"
          "Custom SysAccount Permission"
          "Custom SysAccount Admin"
          "Custom Service Permission"
        ];
      };
    };

    roles = {
      "Security Architect" = {
        privileges = [
          "Custom Management Admin"
          # you can't manage roles if you can't see them .-.
          "RBAC Readers"
        ];
        # The sole member is the host principal of reimu, so the management
        # changes in this module can be applied from that machine's keytab.
        members = [
          "fqdn=reimu.${config.networking.domain},${ldap.hostDnSuffix}"
        ];
      };
    };

    # One entry per service account; the password never lives in the Nix store,
    # it is read at activation time from the sops secret's path.
    sysAccounts = genAttrs sysAccountNames (name: {
      passwordFile = config.sops.secrets."ldap-${name}-password".path;
    });

    # Tighten the stock "System: Read User ..." permissions, which are
    # anonymous-readable out of the box, to require an authenticated bind
    # (bind rule type `all`). The anonymous attribute list above is then the
    # only user data an unauthenticated client can see.
    objects = genAttrs (map (cn: "cn=${cn},${ldap.permissionDnSuffix}") [
      "System: Read User Compat Tree"
      "System: Read User Views Compat Tree"
      "System: Read User Standard Attributes"
    ]) (_: {
      settings.ipaPermBindRuleType = "all";
    });
  };

  # Declare the sops secret backing each system account's passwordFile; all of
  # them come from the same encrypted file unless another module overrides it.
  config.sops.secrets = genAttrs (map (name: "ldap-${name}-password") sysAccountNames) (_: {
    sopsFile = mkDefault ../secrets/ldap.yaml;
  });
}