gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions
infrastructure/nixos/ldap/permissions.nix
arcnmx 34d1b400e1 chore(idp): sys accounts
2024-04-03 12:04:38 -07:00

133 lines
4.1 KiB
Nix
Raw Blame History

{config, lib, ...}: let
inherit (lib.modules) mkDefault;
inherit (config.users) ldap;
inherit (ldap.management) permissions;
in {
config.users.ldap.management = {
enable = mkDefault true;
permissions = {
"Custom Anonymous User Read" = {
bindType = "anonymous";
targetType = "user";
attrs = [ "gidnumber" "homedirectory" "ipantsecurityidentifier" "loginshell" "manager" "objectclass" "title" "uid" "uidnumber" ];
};
"Custom Permission Admin" = {
location = ldap.permissionDnSuffix;
target = "cn=*";
rights = "all";
attrs = [
"member" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory"
"ipapermtarget" "ipapermright" "ipapermincludedattr" "ipapermbindruletype" "ipapermexcludedattr" "ipapermtargetto" "ipapermissiontype" "ipapermlocation" "ipapermdefaultattr" "ipapermtargetfrom" "ipapermtargetfilter"
];
};
"Custom Privilege Admin" = {
location = ldap.privilegeDnSuffix;
target = "cn=*";
rights = "all";
attrs = [
"member" "memberof" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory"
];
};
"Custom Role Admin" = {
location = ldap.roleDnSuffix;
target = "cn=*";
rights = "all";
attrs = [
"member" "memberof" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory"
];
};
"Custom Role Modify" = {
targetType = "role";
rights = [ "write" "add" ];
attrs = permissions."Custom Role Admin".attrs;
};
"Custom Host Permission" = {
targetType = "host";
rights = [ "write" ];
attrs = [
"memberof"
];
};
"Custom SysAccount Permission" = {
targetType = "sysaccount";
rights = "all";
attrs = [
"member" "memberof" "uid" "o" "ou" "description" "objectclass" "seealso" "businesscategory"
"passwordExpirationTime" "nsIdleTimeout"
];
};
"Custom SysAccount Admin" = {
location = ldap.sysAccountDnSuffix;
target = "uid=*";
rights = [ "add" "write" "delete" ];
attrs = permissions."Custom SysAccount Permission".attrs ++ [
"userPassword"
];
};
"Custom Service Permission" = {
targetType = "service";
rights = [ "write" ];
attrs = [
"memberof"
];
};
};
privileges = {
"Custom Management Admin" = {
permissions = [
"Custom Permission Admin"
"Custom Privilege Admin"
"Custom Role Admin"
"Custom Role Modify"
"Custom Host Permission"
"Custom SysAccount Permission"
"Custom SysAccount Admin"
"Custom Service Permission"
];
};
};
roles = {
"Security Architect" = {
privileges = [
"Custom Management Admin"
# you can't manage roles if you can't see them .-.
"RBAC Readers"
];
# allow reimu to actually make these changes...
members = [
"fqdn=reimu.${config.networking.domain},${ldap.hostDnSuffix}"
];
};
};
sysAccounts = {
peep = {
passwordFile = config.sops.secrets.ldap-peep-password.path;
};
keycloak = {
passwordFile = config.sops.secrets.ldap-keycloak-password.path;
};
};
objects = {
# change default public access
"cn=System: Read User Compat Tree,${ldap.permissionDnSuffix}" = {
settings.ipaPermBindRuleType = "all";
};
"cn=System: Read User Views Compat Tree,${ldap.permissionDnSuffix}" = {
settings.ipaPermBindRuleType = "all";
};
"cn=System: Read User Standard Attributes,${ldap.permissionDnSuffix}" = {
settings.ipaPermBindRuleType = "all";
};
};
};
config.sops.secrets = let
sopsFile = mkDefault ../secrets/ldap.yaml;
in {
ldap-peep-password = {
inherit sopsFile;
};
ldap-keycloak-password = {
inherit sopsFile;
};
};
}
Reference in a new issue View git blame Copy permalink