nixpkgs/nixos/modules/services/security/hologram-server.nix

{pkgs, config, lib, ...}:

with lib;

let
  cfg = config.services.hologram-server;

  cfgFile = pkgs.writeText "hologram-server.json" (builtins.toJSON {
    ldap = {
      host = cfg.ldapHost;
      bind = {
        dn       = cfg.ldapBindDN;
        password = cfg.ldapBindPassword;
      };
      insecureldap    = cfg.ldapInsecure;
      userattr        = cfg.ldapUserAttr;
      baseDN          = cfg.ldapBaseDN;
      enableldapRoles = cfg.enableLdapRoles;
      roleAttr        = cfg.roleAttr;
      groupClassAttr  = cfg.groupClassAttr;
    };
    aws = {
      account     = cfg.awsAccount;
      defaultrole = cfg.awsDefaultRole;
    };
    stats        = cfg.statsAddress;
    listen       = cfg.listenAddress;
    cachetimeout = cfg.cacheTimeoutSeconds;
  });
in {
  options = {
    services.hologram-server = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable the Hologram server for AWS instance credentials";
      };

      listenAddress = mkOption {
        type        = types.str;
        default     = "0.0.0.0:3100";
        description = "Address and port to listen on";
      };

      ldapHost = mkOption {
        type        = types.str;
        description = "Address of the LDAP server to use";
      };

      ldapInsecure = mkOption {
        type        = types.bool;
        default     = false;
        description = "Whether to connect to LDAP over SSL or not";
      };

      ldapUserAttr = mkOption {
        type        = types.str;
        default     = "cn";
        description = "The LDAP attribute for usernames";
      };

      ldapBaseDN = mkOption {
        type        = types.str;
        description = "The base DN for your Hologram users";
      };

      ldapBindDN = mkOption {
        type        = types.str;
        description = "DN of account to use to query the LDAP server";
      };

      ldapBindPassword = mkOption {
        type        = types.str;
        description = "Password of account to use to query the LDAP server";
      };

      enableLdapRoles = mkOption {
        type        = types.bool;
        default     = false;
        description = "Whether to assign user roles based on the user's LDAP group memberships";
      };

      groupClassAttr = mkOption {
        type = types.str;
        default = "groupOfNames";
        description = "The objectclass attribute to search for groups when enableLdapRoles is true";
      };

      roleAttr = mkOption {
        type        = types.str;
        default     = "businessCategory";
        description = "Which LDAP group attribute to search for authorized role ARNs";
      };

      awsAccount = mkOption {
        type        = types.str;
        description = "AWS account number";
      };

      awsDefaultRole = mkOption {
        type        = types.str;
        description = "AWS default role";
      };

      statsAddress = mkOption {
        type        = types.str;
        default     = "";
        description = "Address of statsd server";
      };

      cacheTimeoutSeconds = mkOption {
        type        = types.int;
        default     = 3600;
        description = "How often (in seconds) to refresh the LDAP cache";
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.hologram-server = {
      description = "Provide EC2 instance credentials to machines outside of EC2";
      after       = [ "network.target" ];
      wantedBy    = [ "multi-user.target" ];

      serviceConfig = {
        ExecStart = "${pkgs.hologram.bin}/bin/hologram-server --debug --conf ${cfgFile}";
      };
    };
  };
}
Add hologram service 2015-04-23 19:34:41 +02:00			`{pkgs, config, lib, ...}:`

			`with lib;`

			`let`
			`cfg = config.services.hologram-server;`

			`cfgFile = pkgs.writeText "hologram-server.json" (builtins.toJSON {`
			`ldap = {`
			`host = cfg.ldapHost;`
			`bind = {`
			`dn = cfg.ldapBindDN;`
			`password = cfg.ldapBindPassword;`
			`};`
hologram: Enable configuring LDAP authorization In AdRoll/hologram#62 support was added to hologram to configure LDAP-based authorization of which roles a user was allowed to get credentials for. This adds the ability to configure that. Additionally, AdRoll/hologram/#94 added support to customize the LDAP group query, so this also feeds that configuration through. fixes #37393 2018-03-20 08:26:23 +01:00			`insecureldap = cfg.ldapInsecure;`
			`userattr = cfg.ldapUserAttr;`
			`baseDN = cfg.ldapBaseDN;`
			`enableldapRoles = cfg.enableLdapRoles;`
			`roleAttr = cfg.roleAttr;`
			`groupClassAttr = cfg.groupClassAttr;`
Add hologram service 2015-04-23 19:34:41 +02:00			`};`
			`aws = {`
			`account = cfg.awsAccount;`
			`defaultrole = cfg.awsDefaultRole;`
			`};`
hologram-server module: add cache timeout option The version of hologram we're using has supported this option for a while, but we didn't expose it through the NixOS module 2018-03-21 17:58:19 +01:00			`stats = cfg.statsAddress;`
			`listen = cfg.listenAddress;`
			`cachetimeout = cfg.cacheTimeoutSeconds;`
Add hologram service 2015-04-23 19:34:41 +02:00			`});`
			`in {`
			`options = {`
			`services.hologram-server = {`
			`enable = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = "Whether to enable the Hologram server for AWS instance credentials";`
			`};`

			`listenAddress = mkOption {`
			`type = types.str;`
			`default = "0.0.0.0:3100";`
			`description = "Address and port to listen on";`
			`};`

			`ldapHost = mkOption {`
			`type = types.str;`
			`description = "Address of the LDAP server to use";`
			`};`

			`ldapInsecure = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = "Whether to connect to LDAP over SSL or not";`
			`};`

			`ldapUserAttr = mkOption {`
			`type = types.str;`
			`default = "cn";`
			`description = "The LDAP attribute for usernames";`
			`};`

			`ldapBaseDN = mkOption {`
			`type = types.str;`
			`description = "The base DN for your Hologram users";`
			`};`

			`ldapBindDN = mkOption {`
			`type = types.str;`
			`description = "DN of account to use to query the LDAP server";`
			`};`

			`ldapBindPassword = mkOption {`
			`type = types.str;`
			`description = "Password of account to use to query the LDAP server";`
			`};`

hologram: Enable configuring LDAP authorization In AdRoll/hologram#62 support was added to hologram to configure LDAP-based authorization of which roles a user was allowed to get credentials for. This adds the ability to configure that. Additionally, AdRoll/hologram/#94 added support to customize the LDAP group query, so this also feeds that configuration through. fixes #37393 2018-03-20 08:26:23 +01:00			`enableLdapRoles = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = "Whether to assign user roles based on the user's LDAP group memberships";`
			`};`

			`groupClassAttr = mkOption {`
			`type = types.str;`
			`default = "groupOfNames";`
			`description = "The objectclass attribute to search for groups when enableLdapRoles is true";`
			`};`

			`roleAttr = mkOption {`
			`type = types.str;`
			`default = "businessCategory";`
			`description = "Which LDAP group attribute to search for authorized role ARNs";`
			`};`

Add hologram service 2015-04-23 19:34:41 +02:00			`awsAccount = mkOption {`
			`type = types.str;`
			`description = "AWS account number";`
			`};`

			`awsDefaultRole = mkOption {`
			`type = types.str;`
			`description = "AWS default role";`
			`};`

			`statsAddress = mkOption {`
			`type = types.str;`
			`default = "";`
			`description = "Address of statsd server";`
			`};`
hologram-server module: add cache timeout option The version of hologram we're using has supported this option for a while, but we didn't expose it through the NixOS module 2018-03-21 17:58:19 +01:00
			`cacheTimeoutSeconds = mkOption {`
			`type = types.int;`
			`default = 3600;`
			`description = "How often (in seconds) to refresh the LDAP cache";`
			`};`
Add hologram service 2015-04-23 19:34:41 +02:00			`};`
			`};`

			`config = mkIf cfg.enable {`
			`systemd.services.hologram-server = {`
			`description = "Provide EC2 instance credentials to machines outside of EC2";`
			`after = [ "network.target" ];`
			`wantedBy = [ "multi-user.target" ];`

Revert "Simple proof of concept for how to do other types of services" This reverts commit 7c3253e519a572f90a907fc56bb6407da004b24c. I included this in another push by accident and never intended for it to be in mainline. See https://github.com/NixOS/nixpkgs/pull/26075 if you want more. 2017-10-13 15:17:13 +02:00			`serviceConfig = {`
			`ExecStart = "${pkgs.hologram.bin}/bin/hologram-server --debug --conf ${cfgFile}";`
			`};`
Add hologram service 2015-04-23 19:34:41 +02:00			`};`
			`};`
			`}`