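{pkgs, config, lib, ...}:

with lib;

let
  cfg = config.services.hologram-server;

  # Hologram server configuration, rendered to JSON and handed to the daemon
  # via `--conf`.  Key names follow the daemon's config schema, not the NixOS
  # option names, so the two are mapped explicitly here.
  #
  # NOTE(review): pkgs.writeText stores this file in the Nix store, which is
  # world-readable, so cfg.ldapBindPassword becomes readable by every local
  # user of the machine.  A password-file option read at service start would
  # avoid that; until then, treat the bind account as low-privilege.
  cfgFile = pkgs.writeText "hologram-server.json" (builtins.toJSON {
    ldap = {
      host = cfg.ldapHost;
      bind = {
        dn = cfg.ldapBindDN;
        password = cfg.ldapBindPassword;
      };
      insecureldap = cfg.ldapInsecure;
      userattr = cfg.ldapUserAttr;
      baseDN = cfg.ldapBaseDN;
      enableldapRoles = cfg.enableLdapRoles;
      roleAttr = cfg.roleAttr;
      groupClassAttr = cfg.groupClassAttr;
    };
    aws = {
      account = cfg.awsAccount;
      defaultrole = cfg.awsDefaultRole;
    };
    stats = cfg.statsAddress;
    listen = cfg.listenAddress;
    cachetimeout = cfg.cacheTimeoutSeconds;
  });
in {
  options = {
    services.hologram-server = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable the Hologram server for AWS instance credentials";
      };

      # The default binds every interface; the service hands out AWS
      # credentials, so operators will usually want to narrow this or
      # front it with a firewall rule.
      listenAddress = mkOption {
        type = types.str;
        default = "0.0.0.0:3100";
        description = "Address and port to listen on";
      };

      ldapHost = mkOption {
        type = types.str;
        description = "Address of the LDAP server to use";
      };

      # Fix: the previous description ("Whether to connect to LDAP over SSL
      # or not") read as the inverse of what a true value means for an option
      # named ldapInsecure / JSON key insecureldap.
      ldapInsecure = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to connect to the LDAP server without SSL/TLS. Enabling this is insecure; leave it false unless the server offers no encrypted endpoint.";
      };

      ldapUserAttr = mkOption {
        type = types.str;
        default = "cn";
        description = "The LDAP attribute for usernames";
      };

      ldapBaseDN = mkOption {
        type = types.str;
        description = "The base DN for your Hologram users";
      };

      ldapBindDN = mkOption {
        type = types.str;
        description = "DN of account to use to query the LDAP server";
      };

      ldapBindPassword = mkOption {
        type = types.str;
        description = "Password of account to use to query the LDAP server. This value is written into the generated configuration file in the world-readable Nix store.";
      };

      enableLdapRoles = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to assign user roles based on the user's LDAP group memberships";
      };

      groupClassAttr = mkOption {
        type = types.str;
        default = "groupOfNames";
        description = "The objectclass attribute to search for groups when enableLdapRoles is true";
      };

      roleAttr = mkOption {
        type = types.str;
        default = "businessCategory";
        description = "Which LDAP group attribute to search for authorized role ARNs";
      };

      awsAccount = mkOption {
        type = types.str;
        description = "AWS account number";
      };

      awsDefaultRole = mkOption {
        type = types.str;
        description = "AWS default role";
      };

      # An empty string is passed through to the daemon unchanged; what the
      # daemon does with it (presumably: disable stats) is not visible here.
      statsAddress = mkOption {
        type = types.str;
        default = "";
        description = "Address of statsd server";
      };

      cacheTimeoutSeconds = mkOption {
        type = types.int;
        default = 3600;
        description = "How often (in seconds) to refresh the LDAP cache";
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.hologram-server = {
      description = "Provide EC2 instance credentials to machines outside of EC2";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        # NOTE(review): --debug is passed unconditionally, so the unit always
        # runs at debug verbosity; confirm that this log level is intended on
        # production hosts.  The unit also runs with systemd's defaults (root,
        # no sandboxing directives) — worth tightening in a follow-up.
        ExecStart = "${pkgs.hologram.bin}/bin/hologram-server --debug --conf ${cfgFile}";
      };
    };
  };
}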