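{
  pkgs,
  config,
  lib,
  ...
}:
let
  cfg = config.services.hologram-server;

  # True when the LDAP bind password is supplied out-of-band through a file
  # instead of inline in the Nix configuration.
  passwordFromFile = cfg.ldapBindPasswordFile != null;

  # Config rendered into the Nix store (world-readable). When the password comes
  # from a file, the stored copy carries an empty password; the real value is
  # inserted at service start (see preStart) and never enters the store.
  cfgFile = pkgs.writeText "hologram-server.json" (
    builtins.toJSON {
      ldap = {
        host = cfg.ldapHost;
        bind = {
          dn = cfg.ldapBindDN;
          password = if passwordFromFile then "" else cfg.ldapBindPassword;
        };
        insecureldap = cfg.ldapInsecure;
        userattr = cfg.ldapUserAttr;
        baseDN = cfg.ldapBaseDN;
        enableldapRoles = cfg.enableLdapRoles;
        roleAttr = cfg.roleAttr;
        groupClassAttr = cfg.groupClassAttr;
      };
      aws = {
        account = cfg.awsAccount;
        defaultrole = cfg.awsDefaultRole;
      };
      stats = cfg.statsAddress;
      listen = cfg.listenAddress;
      cachetimeout = cfg.cacheTimeoutSeconds;
    }
  );

  # Runtime copy of the config (mode 0600, under the unit's RuntimeDirectory)
  # that holds the password read from ldapBindPasswordFile.
  runtimeDir = "hologram-server";
  runtimeCfgFile = "/run/${runtimeDir}/hologram-server.json";

  # The file actually handed to `--conf`.
  effectiveCfgFile = if passwordFromFile then runtimeCfgFile else cfgFile;
in
{
  options = {
    services.hologram-server = {
      enable = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = "Whether to enable the Hologram server for AWS instance credentials";
      };

      listenAddress = lib.mkOption {
        type = lib.types.str;
        default = "0.0.0.0:3100";
        description = "Address and port to listen on";
      };

      debug = lib.mkOption {
        type = lib.types.bool;
        # Defaults to true because this module has always started the server
        # with --debug; set to false to drop the flag.
        default = true;
        description = "Whether to start hologram-server with the --debug flag";
      };

      ldapHost = lib.mkOption {
        type = lib.types.str;
        description = "Address of the LDAP server to use";
      };

      ldapInsecure = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          Whether to connect to the LDAP server without SSL/TLS.
          Keep this false unless the server offers no encrypted endpoint.
        '';
      };

      ldapUserAttr = lib.mkOption {
        type = lib.types.str;
        default = "cn";
        description = "The LDAP attribute for usernames";
      };

      ldapBaseDN = lib.mkOption {
        type = lib.types.str;
        description = "The base DN for your Hologram users";
      };

      ldapBindDN = lib.mkOption {
        type = lib.types.str;
        description = "DN of account to use to query the LDAP server";
      };

      ldapBindPassword = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
        description = ''
          Password of account to use to query the LDAP server.
          This value is written to the Nix store and is therefore readable by
          every local user; prefer ldapBindPasswordFile. Exactly one of
          ldapBindPassword and ldapBindPasswordFile must be set.
        '';
      };

      ldapBindPasswordFile = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
        example = "/run/keys/hologram-ldap-bind-password";
        description = ''
          Path to a file containing the password of the account used to query
          the LDAP server. The file is read as root when the service starts and
          is not copied to the Nix store. A trailing newline is stripped.
        '';
      };

      enableLdapRoles = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = "Whether to assign user roles based on the user's LDAP group memberships";
      };

      groupClassAttr = lib.mkOption {
        type = lib.types.str;
        default = "groupOfNames";
        description = "The objectclass attribute to search for groups when enableLdapRoles is true";
      };

      roleAttr = lib.mkOption {
        type = lib.types.str;
        default = "businessCategory";
        description = "Which LDAP group attribute to search for authorized role ARNs";
      };

      awsAccount = lib.mkOption {
        type = lib.types.str;
        description = "AWS account number";
      };

      awsDefaultRole = lib.mkOption {
        type = lib.types.str;
        description = "AWS default role";
      };

      statsAddress = lib.mkOption {
        type = lib.types.str;
        default = "";
        description = "Address of statsd server";
      };

      cacheTimeoutSeconds = lib.mkOption {
        type = lib.types.int;
        default = 3600;
        description = "How often (in seconds) to refresh the LDAP cache";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        # `!=` on two booleans is exclusive-or: exactly one password source.
        assertion = (cfg.ldapBindPassword != null) != passwordFromFile;
        message = "services.hologram-server: set exactly one of ldapBindPassword and ldapBindPasswordFile";
      }
    ];

    systemd.services.hologram-server = {
      description = "Provide EC2 instance credentials to machines outside of EC2";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      # Render the runtime config with the real password. This runs as root (no
      # User= is set, as before), so the password file may be root-only; the
      # umask keeps the rendered copy at 0600 and --rawfile keeps the secret out
      # of the process argument list.
      preStart = lib.optionalString passwordFromFile ''
        umask 077
        ${pkgs.jq}/bin/jq --rawfile pw ${lib.escapeShellArg cfg.ldapBindPasswordFile} \
          '.ldap.bind.password = ($pw | rtrimstr("\n"))' \
          ${cfgFile} > ${runtimeCfgFile}
      '';

      serviceConfig = {
        RuntimeDirectory = runtimeDir;
        ExecStart = lib.escapeShellArgs (
          [ "${pkgs.hologram}/bin/hologram-server" ]
          ++ lib.optional cfg.debug "--debug"
          ++ [
            "--conf"
            "${effectiveCfgFile}"
          ]
        );
      };
    };
  };
}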