164 commits
2cc754a
cc-wrapper: Fortran: disable stackprotector hardening on darwin aarch64
doronbehar Dec 24, 2021
f87f5ae
libxml2: re-enable tests for darwin
risicle May 5, 2022
6e6f33a
openldap: remove deprecated options
kwohlfahrt Jun 4, 2022
d1f55ce
openldap: change default ldapi directory
kwohlfahrt Jun 4, 2022
d72f89a
openldap: Allow notify outside of main thread
kwohlfahrt Jun 4, 2022
38ead94
openldap: run in foreground
kwohlfahrt Jun 4, 2022
fd7d901
openldap: run under systemd-defined user/group
kwohlfahrt Jun 4, 2022
ad5acb9
openldap: use specialisations for tests
kwohlfahrt Jun 5, 2022
8a7193f
openldap: test and fix mutable config
kwohlfahrt Jun 5, 2022
334d622
openldap: test starting with empty DB
kwohlfahrt Jun 5, 2022
60d1c1d
openldap: change runtime directory
kwohlfahrt Jun 5, 2022
ba1efa7
stdenv: substituteInPlace: accept multiple filenames
Artturin Jun 29, 2022
b060076
cc-wrapper: broaden explicit libc++abi linking for LLVM stdenv
Itaros Jul 13, 2022
8dc0768
git: don't doInstallCheck on darwin by default
risicle Jul 16, 2022
769956d
gcc: drop outdated sed for system headers clobber
trofi Jul 18, 2022
e11279e
openldap: 2.6.2 -> 2.6.3
mweinelt Jul 19, 2022
940b020
qtbase: Fix build for aarch64-darwin
Jul 19, 2022
34b9256
glibc: remove obsolete configure option
ajs124 Jul 20, 2022
8f3c8ae
glibc: explicitly enable stack-protector
ajs124 Jul 20, 2022
1487fab
glibc: enable Intel CET on x86
ajs124 Jul 20, 2022
457d109
Merge pull request #179597 from Mic92/openldap-path
mweinelt Jul 21, 2022
1ad8081
Merge pull request #182078 from mweinelt/openldap-2.6.3
mweinelt Jul 21, 2022
e682dd8
bintools-wrapper: symlink unsymlinked binaries from -unwrapped
Artturin Jul 21, 2022
df9f22a
Merge staging-next into staging
github-actions[bot] Jul 22, 2022
b30534e
openldap: load client config from /etc, not the nix store
danc86 Jul 19, 2022
3707e38
Merge staging-next into staging
github-actions[bot] Jul 22, 2022
c9183d3
nixos/systemd: make sure all the device nodes are created in stage1
K900 Jun 30, 2022
ad29dc1
Merge pull request #182436 from K900/systemd-initrd-fixes
flokli Jul 22, 2022
e7de3e8
gitMinimal: set perlSupport=false
stigtsp Jul 21, 2022
dec2508
Merge staging-next into staging
github-actions[bot] Jul 22, 2022
a98d434
perlPackages.LWP: 6.49 -> 6.67
stigtsp Jul 22, 2022
946c3d8
Merge pull request #181485 from Itaros/normal-clang-llvm-redirection
toonn Jul 22, 2022
8998b24
Merge pull request #182457 from stigtsp/package/perl-LWP-6.67
Artturin Jul 22, 2022
b4832ba
Merge staging-next into staging
github-actions[bot] Jul 22, 2022
17f413f
setup-hooks/strip.sh: use STRIP_FOR_TARGET, not TARGET_STRIP
trofi Jul 22, 2022
54571d1
Merge staging-next into staging
github-actions[bot] Jul 22, 2022
f348f9e
sqlite: 3.39.1 -> 3.39.2
zowoq Jul 21, 2022
4670c3a
perlPackages.SOAPLite: add HTTPDaemon test dependency
stigtsp Jul 22, 2022
5a5a4cd
Merge staging-next into staging
github-actions[bot] Jul 23, 2022
981d9c0
Merge pull request #182385 from Artturin/bintoolswrapper1
Artturin Jul 23, 2022
272fc53
glibc: 2.34-210 -> 2.35-163
lovesegfault Jul 23, 2022
f036546
Merge staging-next into staging
github-actions[bot] Jul 23, 2022
b38a181
Merge staging-next into staging
github-actions[bot] Jul 23, 2022
bc22178
perlPackages.Tirex: add HTTPDaemon dependency
stigtsp Jul 23, 2022
58aa5ef
python3.pkgs.pygobject3: 3.42.1 → 3.42.2
jtojnar Jul 23, 2022
c8cbb6f
vala: 0.56.1 → 0.56.2
jtojnar Jul 23, 2022
34636ef
gcc: pass --with-build-sysroot=/ for gcc builds
trofi Jul 18, 2022
b29a700
Merge pull request #182588 from jtojnar/gnome-staging
jtojnar Jul 23, 2022
649646d
openssl: split runtime dependencies of static builds into a separate …
robx Jul 23, 2022
79e8669
Merge pull request #179603 from Artturin/subplacemultiple
Artturin Jul 24, 2022
21966e1
Merge pull request #181943 from trofi/fix-cross-built-gcc
Ericson2314 Jul 24, 2022
64e6cc1
go-(modules|packages): don't set trimpath for tests
Mic92 Jul 24, 2022
ea8e124
gcc: always enable inhibit_libc=true for --without-headers builds
trofi Jul 24, 2022
981a1ce
Merge pull request #182665 from Mic92/go-modules
Mic92 Jul 24, 2022
4a6e124
Merge staging-next into staging
github-actions[bot] Jul 24, 2022
16e8c11
harfbuzz: 3.3.2 → 5.0.1
jtojnar Jul 23, 2022
9e11882
Merge pull request #182666 from trofi/fix-non-cross-cross
trofi Jul 24, 2022
c7062b9
Merge pull request #181994 from trofi/gcc-drop-outdated-sed
trofi Jul 24, 2022
30a8dc7
libva: 2.14.0 -> 2.15.0
SuperSandro2000 Jul 22, 2022
3a848d7
Merge staging-next into staging
github-actions[bot] Jul 24, 2022
a5a3f67
Merge staging-next into staging
github-actions[bot] Jul 25, 2022
450f3ea
Merge staging-next into staging
github-actions[bot] Jul 25, 2022
ab4d64d
pciutils, ntfs3g: don't pull in `kmod` on darwin
trofi Jul 24, 2022
0f45ce6
setup-hooks/strip.sh: add strip{All,Debug}ListTarget variables
trofi Jul 22, 2022
0507725
setup-hooks/strip.sh: run RANLIB on static archives after stripping
trofi Jul 23, 2022
eece5d0
gcc: enable stripping for cross-compilers
trofi Jul 22, 2022
e8387a9
Merge pull request #182469 from SuperSandro2000/libva
SuperSandro2000 Jul 25, 2022
5f72e17
nettle: 3.7.3 -> 3.8
minijackson Jul 25, 2022
d31202e
Merge staging-next into staging
github-actions[bot] Jul 25, 2022
ccac7fd
linux-wifi-hotspot: fix path
SCOTT-HAMILTON Jul 23, 2022
a3ed2eb
Merge pull request #182720 from trofi/drop-kmod-on-darwin
SuperSandro2000 Jul 25, 2022
f327509
Merge pull request #182616 from jtojnar/harfbuzz
jtojnar Jul 25, 2022
65b9c17
kmod: drop darwin support
trofi Jul 24, 2022
2aa98a3
Merge staging-next into staging
github-actions[bot] Jul 25, 2022
47c3a3e
SDL2: restore udev support by default on linux
Artturin Jul 25, 2022
4d1e04c
go_1_18: backport CL417615
flokli Jul 25, 2022
3ac326a
Revert "gopass*: build with Go with CL417615"
flokli Jul 25, 2022
020ca65
alsa-lib: 1.2.7.1 -> 1.2.7.2
zhaofengli Jul 25, 2022
4defba0
Merge staging-next into staging
github-actions[bot] Jul 26, 2022
6c4cc74
Merge pull request #182891 from zhaofengli/alsa-lib-1.2.7.2
lovesegfault Jul 26, 2022
52e7c12
Merge staging-next into staging
github-actions[bot] Jul 26, 2022
05a5753
openal: 1.22.0 -> 1.22.2
Mic92 Jul 26, 2022
c93997f
Merge pull request #182924 from Mic92/openal
Mic92 Jul 26, 2022
77b896b
Merge staging-next into staging
github-actions[bot] Jul 26, 2022
3ba8ede
Merge pull request #182574 from stigtsp/package/perl-LWP-6.67-fixup
stigtsp Jul 26, 2022
7774b5b
Merge pull request #182538 from NixOS/glibc-2.35
Ma27 Jul 26, 2022
9834020
Merge pull request #182714 from trofi/fix-kmod-for-darwin
SuperSandro2000 Jul 26, 2022
b21eff1
Merge staging-next into staging
github-actions[bot] Jul 26, 2022
b21e1b5
opencv: Use OpenJPEG from nixpkgs instead of vendored copy
kevinmehall Jul 25, 2022
54f2dac
Merge staging-next into staging
github-actions[bot] Jul 27, 2022
36658a0
Merge staging-next into staging
github-actions[bot] Jul 27, 2022
9d9ca15
Merge #182810: nettle: 3.7.3 -> 3.8 (into staging)
vcunat Jul 27, 2022
d776e7b
prelink: disable tests
NickCao Jul 27, 2022
9153131
Merge staging-next into staging
github-actions[bot] Jul 27, 2022
c5298a1
Merge staging-next into staging
github-actions[bot] Jul 27, 2022
1006e90
Merge pull request #183074 from NickCao/prelink-tests
Artturin Jul 27, 2022
9e58f0a
Merge pull request #182851 from Artturin/sdl2restoreudev
Artturin Jul 27, 2022
cfca7fe
Merge pull request #182893 from kevinmehall/opencv-openjpeg
risicle Jul 27, 2022
da1ea54
gobject-introspection: use objdump -p instead of prelink-rtld
Artturin Jul 27, 2022
5de6b3e
Merge pull request #182281 from helsinki-systems/feat/glibc-sec
Mic92 Jul 27, 2022
c77d922
libqrtr-glib: fix cross
Artturin Jul 27, 2022
64ddb6a
Merge pull request #183145 from Artturin/introspeobj
Artturin Jul 27, 2022
dbcce48
Merge master into staging-next
github-actions[bot] Jul 28, 2022
18e044c
Merge staging-next into staging
github-actions[bot] Jul 28, 2022
b0ffabd
python3Packages.tomlkit: 0.10.1 -> 0.11.1
onny Jul 26, 2022
d6e8500
Merge master into staging-next
github-actions[bot] Jul 28, 2022
0049ace
Merge staging-next into staging
github-actions[bot] Jul 28, 2022
88c63ca
Merge pull request #182513 from trofi/strip-for-host-and-target
lovesegfault Jul 28, 2022
a802ad3
Merge pull request #182459 from stigtsp/fix/gitminimal-no-perl
lovesegfault Jul 28, 2022
0d7024c
Merge master into staging-next
github-actions[bot] Jul 28, 2022
437247f
Merge staging-next into staging
github-actions[bot] Jul 28, 2022
2bfcdf6
fluidsynth: 2.2.7 -> 2.2.8
r-ryantm Jul 28, 2022
7b009ed
Merge master into staging-next
github-actions[bot] Jul 28, 2022
6a1cd17
Merge staging-next into staging
github-actions[bot] Jul 28, 2022
f478386
Merge pull request #183291 from r-ryantm/auto-update/fluidsynth
marsam Jul 28, 2022
73ee7ee
accountsservice: fix cross
Artturin Jul 28, 2022
98b734d
lightdm: fix cross
Artturin Jul 28, 2022
ce7e118
libbpf: 0.8.0 -> 0.8.1
r-ryantm Jul 28, 2022
0e16aa7
bintools-wrapper: symlink ar too
Artturin Jul 28, 2022
594eef6
Merge pull request #182967 from onny/tomlkit
risicle Jul 28, 2022
2679e22
Merge pull request #183461 from Artturin/crossfixes1
Artturin Jul 28, 2022
603c8a8
Merge master into staging-next
github-actions[bot] Jul 29, 2022
a2df1eb
Merge staging-next into staging
github-actions[bot] Jul 29, 2022
05cc23e
Merge pull request #183474 from r-ryantm/auto-update/libbpf
ryantm Jul 29, 2022
e9afd43
Merge master into staging-next
github-actions[bot] Jul 29, 2022
dc9426f
Merge staging-next into staging
github-actions[bot] Jul 29, 2022
e3f7593
Merge master into staging-next
github-actions[bot] Jul 29, 2022
a37c393
Merge staging-next into staging
github-actions[bot] Jul 29, 2022
1b667eb
libwacom: 2.2.0 -> 2.4.0
r-ryantm Jul 28, 2022
ef45bf3
python3Packages.prompt-toolkit: Add note to failing test (#183337)
onny Jul 29, 2022
5b5843e
Merge #151983: wrapper: Fortran: disable stackprotector
vcunat Jul 29, 2022
e48c99e
Merge #171744: libxml2: re-enable tests for darwin
vcunat Jul 29, 2022
b6e73b8
Merge #181744: git: don't doInstallCheck on darwin by default
vcunat Jul 29, 2022
9cfb24a
Merge #180327: qtbase: Fix build for aarch64-darwin
vcunat Jul 29, 2022
db9cecd
Merge branch 'staging' into staging-next
vcunat Jul 29, 2022
50de8aa
Merge master into staging-next
github-actions[bot] Jul 29, 2022
6ed636d
Merge master into staging-next
github-actions[bot] Jul 30, 2022
93fa8ba
Merge master into staging-next
github-actions[bot] Jul 30, 2022
5ebd4b1
Merge master into staging-next
github-actions[bot] Jul 30, 2022
15686bd
Merge master into staging-next
github-actions[bot] Jul 30, 2022
95abc56
Merge master into staging-next
github-actions[bot] Jul 31, 2022
fc1fba2
dbx: update reference of path package
jonringer Jul 31, 2022
3b4a206
gnubg: use non-aliased python
jonringer Jul 31, 2022
8268080
nanotts: use non-aliased alsa-lib
jonringer Jul 31, 2022
3f24540
opencpn: use non-aliased libusb1
jonringer Jul 31, 2022
9c547ce
python3Packages.jaxlib: provide non-alias default of cudnn
jonringer Jul 31, 2022
e1c4e30
Merge master into staging-next
github-actions[bot] Jul 31, 2022
bb10509
Merge master into staging-next
github-actions[bot] Jul 31, 2022
7c9bb70
Merge master into staging-next
github-actions[bot] Jul 31, 2022
b003abd
system76-keyboard-configurator: use non-aliased pkg-config
jonringer Jul 31, 2022
0893e1f
webex: use non-aliased alsa-lib
jonringer Jul 31, 2022
83256fd
Merge master into staging-next
github-actions[bot] Aug 1, 2022
4c653b0
Merge master into staging-next
github-actions[bot] Aug 1, 2022
c8b4067
Merge master into staging-next
github-actions[bot] Aug 1, 2022
e8ce2f4
Merge master into staging-next
github-actions[bot] Aug 1, 2022
357ae16
crystal_1_0, crystal_1_1: fix build
K900 Aug 1, 2022
ad090ff
Merge master into staging-next
github-actions[bot] Aug 2, 2022
0f0010f
Merge master into staging-next
github-actions[bot] Aug 2, 2022
1093a01
Merge master into staging-next
github-actions[bot] Aug 2, 2022
411aad5
Merge master into staging-next
github-actions[bot] Aug 2, 2022
1e8102c
nixos/openldap: fix option description markdown
trofi Aug 2, 2022
58547ae
Merge pull request #184902 from trofi/fix-openldap-markdown
pennae Aug 2, 2022
537fbd1
Merge master into staging-next
github-actions[bot] Aug 3, 2022
d4de563
Merge master into staging-next
github-actions[bot] Aug 3, 2022
12 changes: 10 additions & 2 deletions doc/stdenv/stdenv.chapter.md
Expand Up @@ -731,6 +731,10 @@ If set, files in `$out/sbin` are not moved to `$out/bin`. By default, they are.

List of directories to search for libraries and executables from which *all* symbols should be stripped. By default, it’s empty. Stripping all symbols is risky, since it may remove not just debug symbols but also ELF information necessary for normal execution.

##### `stripAllListTarget` {#var-stdenv-stripAllListTarget}

Like `stripAllList`, but only applies to packages’ target platform. By default, it’s empty. Useful when supporting cross compilation.

##### `stripAllFlags` {#var-stdenv-stripAllFlags}

Flags passed to the `strip` command applied to the files in the directories listed in `stripAllList`. Defaults to `-s` (i.e. `--strip-all`).
Expand All @@ -739,6 +743,10 @@ Flags passed to the `strip` command applied to the files in the directories list

List of directories to search for libraries and executables from which only debugging-related symbols should be stripped. It defaults to `lib lib32 lib64 libexec bin sbin`.

##### `stripDebugListTarget` {#var-stdenv-stripDebugListTarget}

Like `stripDebugList`, but only applies to packages’ target platform. By default, it’s empty. Useful when supporting cross compilation.

##### `stripDebugFlags` {#var-stdenv-stripDebugFlags}

Flags passed to the `strip` command applied to the files in the directories listed in `stripDebugList`. Defaults to `-S` (i.e. `--strip-debug`).
Expand Down Expand Up @@ -913,9 +921,9 @@ substitute ./foo.in ./foo.out \
--subst-var someVar
```

### `substituteInPlace` \<file\> \<subs\> {#fun-substituteInPlace}
### `substituteInPlace` \<multiple files\> \<subs\> {#fun-substituteInPlace}

Like `substitute`, but performs the substitutions in place on the file \<file\>.
Like `substitute`, but performs the substitutions in place on the files passed.

### `substituteAll` \<infile\> \<outfile\> {#fun-substituteAll}

183 changes: 97 additions & 86 deletions nixos/modules/services/databases/openldap.nix
Expand Up @@ -3,15 +3,22 @@
with lib;
let
cfg = config.services.openldap;
legacyOptions = [ "rootpwFile" "suffix" "dataDir" "rootdn" "rootpw" ];
openldap = cfg.package;
configDir = if cfg.configDir != null then cfg.configDir else "/etc/openldap/slapd.d";

ldapValueType = let
# Can't do types.either with multiple non-overlapping submodules, so define our own
singleLdapValueType = lib.mkOptionType rec {
name = "LDAP";
description = "LDAP value";
# TODO: It would be nice to define a { secret = ...; } option, using
# systemd's LoadCredentials for secrets. That would remove the last
# barrier to using DynamicUser for openldap. This is blocked on
# systemd/systemd#19604
description = ''
LDAP value - either a string, or an attrset containing
<literal>path</literal> or <literal>base64</literal> for included
values or base-64 encoded values respectively.
'';
check = x: lib.isString x || (lib.isAttrs x && (x ? path || x ? base64));
merge = lib.mergeEqualOption;
};
Expand Down Expand Up @@ -76,52 +83,12 @@ let
lib.flatten (lib.mapAttrsToList (name: value: attrsToLdif "${name},${dn}" value) children)
);
in {
imports = let
deprecationNote = "This option is removed due to the deprecation of `slapd.conf` upstream. Please migrate to `services.openldap.settings`, see the release notes for advice with this process.";
mkDatabaseOption = old: new:
lib.mkChangedOptionModule [ "services" "openldap" old ] [ "services" "openldap" "settings" "children" ]
(config: let
database = lib.getAttrFromPath [ "services" "openldap" "database" ] config;
value = lib.getAttrFromPath [ "services" "openldap" old ] config;
in lib.setAttrByPath ([ "olcDatabase={1}${database}" "attrs" ] ++ new) value);
in [
(lib.mkRemovedOptionModule [ "services" "openldap" "extraConfig" ] deprecationNote)
(lib.mkRemovedOptionModule [ "services" "openldap" "extraDatabaseConfig" ] deprecationNote)

(lib.mkChangedOptionModule [ "services" "openldap" "logLevel" ] [ "services" "openldap" "settings" "attrs" "olcLogLevel" ]
(config: lib.splitString " " (lib.getAttrFromPath [ "services" "openldap" "logLevel" ] config)))
(lib.mkChangedOptionModule [ "services" "openldap" "defaultSchemas" ] [ "services" "openldap" "settings" "children" "cn=schema" "includes"]
(config: lib.optionals (lib.getAttrFromPath [ "services" "openldap" "defaultSchemas" ] config) (
map (schema: "${openldap}/etc/schema/${schema}.ldif") [ "core" "cosine" "inetorgperson" "nis" ])))

(lib.mkChangedOptionModule [ "services" "openldap" "database" ] [ "services" "openldap" "settings" "children" ]
(config: let
database = lib.getAttrFromPath [ "services" "openldap" "database" ] config;
in {
"olcDatabase={1}${database}".attrs = {
# objectClass is case-insensitive, so don't need to capitalize ${database}
objectClass = [ "olcdatabaseconfig" "olc${database}config" ];
olcDatabase = "{1}${database}";
olcDbDirectory = lib.mkDefault "/var/db/openldap";
};
"cn=schema".includes = lib.mkDefault (
map (schema: "${openldap}/etc/schema/${schema}.ldif") [ "core" "cosine" "inetorgperson" "nis" ]
);
}))
(mkDatabaseOption "rootpwFile" [ "olcRootPW" "path" ])
(mkDatabaseOption "suffix" [ "olcSuffix" ])
(mkDatabaseOption "dataDir" [ "olcDbDirectory" ])
(mkDatabaseOption "rootdn" [ "olcRootDN" ])
(mkDatabaseOption "rootpw" [ "olcRootPW" ])
];
options = {
services.openldap = {
enable = mkOption {
type = types.bool;
default = false;
description = "
Whether to enable the ldap server.
";
description = "Whether to enable the ldap server.";
};

package = mkOption {
Expand Down Expand Up @@ -186,7 +153,7 @@ in {
attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/db/ldap";
olcDbDirectory = "/var/lib/openldap/ldap";
olcDbIndex = [
"objectClass eq"
"cn pres,eq"
Expand All @@ -208,10 +175,20 @@ in {
default = null;
description = ''
Use this config directory instead of generating one from the
<literal>settings</literal> option. Overrides all NixOS settings. If
you use this option,ensure `olcPidFile` is set to `/run/slapd/slapd.conf`.
<literal>settings</literal> option. Overrides all NixOS settings.
'';
example = "/var/lib/openldap/slapd.d";
};

mutableConfig = mkOption {
type = types.bool;
default = false;
description = ''
Whether to allow writable on-line configuration. If
<literal>true</literal>, the NixOS settings will only be used to
initialize the OpenLDAP configuration if it does not exist, and are
subsequently ignored.
'';
example = "/var/db/slapd.d";
};

declarativeContents = mkOption {
Expand All @@ -225,6 +202,11 @@ in {
reboot of the server. Performance-wise the database and indexes are
rebuilt on each server startup, so this will slow down server startup,
especially with large databases.

Note that the root of the DB must be defined in
`services.openldap.settings` and the
`olcDbDirectory` must begin with
`"/var/lib/openldap"`.
'';
example = lib.literalExpression ''
{
Expand All @@ -247,19 +229,61 @@ in {

meta.maintainers = with lib.maintainers; [ kwohlfahrt ];

config = mkIf cfg.enable {
assertions = map (opt: {
assertion = ((getAttr opt cfg) != "_mkMergedOptionModule") -> (cfg.database != "_mkMergedOptionModule");
message = "Legacy OpenLDAP option `services.openldap.${opt}` requires `services.openldap.database` (use value \"mdb\" if unsure)";
}) legacyOptions;
config = let
dbSettings = mapAttrs' (name: { attrs, ... }: nameValuePair attrs.olcSuffix attrs)
(filterAttrs (name: { attrs, ... }: (hasPrefix "olcDatabase=" name) && attrs ? olcSuffix) cfg.settings.children);
settingsFile = pkgs.writeText "config.ldif" (lib.concatStringsSep "\n" (attrsToLdif "cn=config" cfg.settings));
writeConfig = pkgs.writeShellScript "openldap-config" ''
set -euo pipefail

${lib.optionalString (!cfg.mutableConfig) ''
chmod -R u+w ${configDir}
rm -rf ${configDir}/*
''}
if [ ! -e "${configDir}/cn=config.ldif" ]; then
${openldap}/bin/slapadd -F ${configDir} -bcn=config -l ${settingsFile}
fi
chmod -R ${if cfg.mutableConfig then "u+rw" else "u+r-w"} ${configDir}
'';

contentsFiles = mapAttrs (dn: ldif: pkgs.writeText "${dn}.ldif" ldif) cfg.declarativeContents;
writeContents = pkgs.writeShellScript "openldap-load" ''
set -euo pipefail

rm -rf $2/*
${openldap}/bin/slapadd -F ${configDir} -b $1 -l $3
'';
in mkIf cfg.enable {
assertions = [{
assertion = (cfg.declarativeContents != {}) -> cfg.configDir == null;
message = ''
Declarative DB contents (${attrNames cfg.declarativeContents}) are not
supported with user-managed configuration.
'';
}] ++ (map (dn: {
assertion = (getAttr dn dbSettings) ? "olcDbDirectory";
# olcDbDirectory is necessary to prepopulate database using `slapadd`.
message = ''
Declarative DB ${dn} does not exist in `services.openldap.settings`, or does not have
`olcDbDirectory` configured.
'';
}) (attrNames cfg.declarativeContents)) ++ (mapAttrsToList (dn: { olcDbDirectory ? null, ... }: {
# For forward compatibility with `DynamicUser`, and to avoid accidentally clobbering
# directories with `declarativeContents`.
assertion = (olcDbDirectory != null) ->
((hasPrefix "/var/lib/openldap/" olcDbDirectory) && (olcDbDirectory != "/var/lib/openldap/"));
message = ''
Database ${dn} has `olcDbDirectory` (${olcDbDirectory}) that is not a subdirectory of
`/var/lib/openldap/`.
'';
}) dbSettings);
environment.systemPackages = [ openldap ];

# Literal attributes must always be set
services.openldap.settings = {
attrs = {
objectClass = "olcGlobal";
cn = "config";
olcPidFile = "/run/slapd/slapd.pid";
};
children."cn=schema".attrs = {
cn = "schema";
Expand All @@ -276,44 +300,31 @@ in {
];
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
preStart = let
settingsFile = pkgs.writeText "config.ldif" (lib.concatStringsSep "\n" (attrsToLdif "cn=config" cfg.settings));

dbSettings = lib.filterAttrs (name: value: lib.hasPrefix "olcDatabase=" name) cfg.settings.children;
dataDirs = lib.mapAttrs' (name: value: lib.nameValuePair value.attrs.olcSuffix value.attrs.olcDbDirectory)
(lib.filterAttrs (_: value: value.attrs ? olcDbDirectory) dbSettings);
dataFiles = lib.mapAttrs (dn: contents: pkgs.writeText "${dn}.ldif" contents) cfg.declarativeContents;
mkLoadScript = dn: let
dataDir = lib.escapeShellArg (getAttr dn dataDirs);
in ''
rm -rf ${dataDir}/*
${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -b ${dn} -l ${getAttr dn dataFiles}
chown -R "${cfg.user}:${cfg.group}" ${dataDir}
'';
in ''
mkdir -p /run/slapd
chown -R "${cfg.user}:${cfg.group}" /run/slapd

mkdir -p ${lib.escapeShellArg configDir} ${lib.escapeShellArgs (lib.attrValues dataDirs)}
chown "${cfg.user}:${cfg.group}" ${lib.escapeShellArg configDir} ${lib.escapeShellArgs (lib.attrValues dataDirs)}

${lib.optionalString (cfg.configDir == null) (''
rm -Rf ${configDir}/*
${openldap}/bin/slapadd -F ${configDir} -bcn=config -l ${settingsFile}
'')}
chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg configDir}

${lib.concatStrings (map mkLoadScript (lib.attrNames cfg.declarativeContents))}
${openldap}/bin/slaptest -u -F ${lib.escapeShellArg configDir}
'';
serviceConfig = {
User = cfg.user;
Group = cfg.group;
ExecStartPre = [
"!${pkgs.coreutils}/bin/mkdir -p ${configDir}"
"+${pkgs.coreutils}/bin/chown $USER ${configDir}"
] ++ (lib.optional (cfg.configDir == null) writeConfig)
++ (mapAttrsToList (dn: content: lib.escapeShellArgs [
writeContents dn (getAttr dn dbSettings).olcDbDirectory content
]) contentsFiles)
++ [ "${openldap}/bin/slaptest -u -F ${configDir}" ];
ExecStart = lib.escapeShellArgs ([
"${openldap}/libexec/slapd" "-u" cfg.user "-g" cfg.group "-F" configDir
"-h" (lib.concatStringsSep " " cfg.urlList)
"${openldap}/libexec/slapd" "-d" "0" "-F" configDir "-h" (lib.concatStringsSep " " cfg.urlList)
]);
Type = "notify";
# Fixes an error where openldap attempts to notify from a thread
# outside the main process:
# Got notification message from PID 6378, but reception only permitted for main PID 6377
NotifyAccess = "all";
PIDFile = cfg.settings.attrs.olcPidFile;
RuntimeDirectory = "openldap";
StateDirectory = ["openldap"]
++ (map ({olcDbDirectory, ... }: removePrefix "/var/lib/" olcDbDirectory) (attrValues dbSettings));
StateDirectoryMode = "700";
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
};
};

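Review bot: In the `writeContents` script the positional parameters are expanded unquoted — `rm -rf $2/*` and `slapadd -F ${configDir} -b $1 -l $3` — so a database directory or suffix DN containing whitespace or glob characters (a DN such as `o=Example Corp,c=US` is legitimate) is word-split inside the script before `rm -rf` runs, even though the `ExecStartPre` caller escapes the outer command line with `lib.escapeShellArgs`; the `mkLoadScript` this replaces went through `lib.escapeShellArg`, and the new `olcDbDirectory` assertion only pins the `/var/lib/openldap/` prefix, not the characters. Quote them: `rm -rf "$2"/*` and `${openldap}/bin/slapadd -F ${configDir} -b "$1" -l "$3"`. `set -euo pipefail` does not protect against this. The `config = let … in mkIf cfg.enable { … }` set rewritten here continues past the end of the hunk.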
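--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -592,6 +592,12 @@ in
 systemd.services.systemd-importd.environment = proxy_env;
 systemd.services.systemd-pstore.wantedBy = [ "sysinit.target" ]; # see #81138
 
+# NixOS has kernel modules in a different location, so override that here.
+systemd.services.kmod-static-nodes.unitConfig.ConditionFileNotEmpty = [
+"" # required to unset the previous value!
+"/run/booted-system/kernel-modules/lib/modules/%v/modules.devname"
+];
+
 # Don't bother with certain units in containers.
 systemd.services.systemd-remount-fs.unitConfig.ConditionVirtualization = "!container";
 systemd.services.systemd-random-seed.unitConfig.ConditionVirtualization = "!container";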
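Review bot: The comment on the `kmod-static-nodes` override explains that the module tree lives elsewhere but not why the path is rooted at `/run/booted-system` rather than `/run/current-system`; presumably because `%v` expands to the running kernel's release, which only the booted generation's module tree is guaranteed to match, and that choice is easy to "fix" wrongly later. If that reading is right, a comment such as `# %v is the running kernel's release, so the booted (not current) system's modules must be used` on the path line would make it explicit. The `""` entry's comment already covers the reset of the upstream value.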
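--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
@@ -420,6 +420,9 @@ in {
 services."systemd-makefs@" = lib.mkIf needMakefs { unitConfig.IgnoreOnIsolate = true; };
 services."systemd-growfs@" = lib.mkIf needGrowfs { unitConfig.IgnoreOnIsolate = true; };
 
+# make sure all the /dev nodes are set up
+services.systemd-tmpfiles-setup-dev.wantedBy = ["sysinit.target"];
+
 services.initrd-nixos-activation = {
 after = [ "initrd-fs.target" ];
 requiredBy = [ "initrd.target" ];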