lol

Merge pull request #1292 from jozko/openldap-fixes

Added an openldap user and group, and configured the service so it is not running as root

+27 -2
+2
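--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -107,6 +107,7 @@
 redis = 96;
 haproxy = 97;
 mongodb = 98;
+openldap = 99;
 
 # When adding a uid, make sure it doesn't match an existing gid.
 
@@ -194,6 +195,7 @@
 amule = 90;
 minidlna = 91;
 haproxy = 92;
+openldap = 93;
 
 # When adding a gid, make sure it doesn't match an existing uid.
 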
+25 -2
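--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -26,6 +26,16 @@
 ";
 };
 
+user = mkOption {
+default = "openldap";
+description = "User account under which slapd runs.";
+};
+
+group = mkOption {
+default = "openldap";
+description = "Group account under which slapd runs.";
+};
+
 extraConfig = mkOption {
 default = "";
 description = "
@@ -49,10 +59,23 @@
 after = [ "network.target" ];
 preStart = ''
 mkdir -p /var/run/slapd
+chown -R ${cfg.user}:${cfg.group} /var/run/slapd
+mkdir -p /var/db/openldap
+chown -R ${cfg.user}:${cfg.group} /var/db/openldap
 '';
-serviceConfig.ExecStart = "${openldap}/libexec/slapd -d 0 -f ${configFile}";
+serviceConfig.ExecStart = "${openldap}/libexec/slapd -u openldap -g openldap -d 0 -f ${configFile}";
 };
 
-};
+users.extraUsers = optionalAttrs (cfg.user == "openldap") (singleton
+{ name = "openldap";
+group = "openldap";
+uid = config.ids.uids.openldap;
+});
+
+users.extraGroups = optionalAttrs (cfg.group == "openldap") (singleton
+{ name = "openldap";
+gid = config.ids.gids.openldap;
+});
 
+};
 }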
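Review bot: The new ExecStart line hard-codes `-u openldap -g openldap` while the preStart chown and the conditional extraUsers/extraGroups entries use `cfg.user` and `cfg.group`, so an admin who sets a custom user gets directories owned by that user but slapd trying to drop to an `openldap` account that the module no longer creates. The options added in the first hunk are therefore only half-wired; the fix is `serviceConfig.ExecStart = "${openldap}/libexec/slapd -u ${cfg.user} -g ${cfg.group} -d 0 -f ${configFile}";`. Separately, the preStart runs `chown -R` as root on every start over /var/db/openldap, a tree the service user can write to; limiting it to the top-level directory (or `install -d -o ${cfg.user} -g ${cfg.group}`) keeps root from re-owning whatever the unprivileged process may have placed there between restarts. The enclosing module is cut off above line 26 and below line 81 of the new file.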