nixos/openldap: fix path + base64 value types

2020-09-27 18:03:40 +01:00 · 2020-09-27 18:03:40 +01:00 · ce1acd97a7
parent b2ebffe186
commit ce1acd97a7
2 changed files with 17 additions and 27 deletions
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@ -7,31 +7,14 @@ let
  configDir = if cfg.configDir != null then cfg.configDir else "/etc/openldap/slapd.d";

  ldapValueType = let
-    singleLdapValueType = types.oneOf [
-      types.str
-      (types.submodule {
-        options = {
-          path = mkOption {
-            type = types.path;
-            description = ''
-              A path containing the LDAP attribute. This is included at run-time, so
-              is recommended for storing secrets.
-            '';
-          };
-        };
-      })
-      (types.submodule {
-        options = {
-          base64 = mkOption {
-            type = types.str;
-            description = ''
-              A base64-encoded LDAP attribute. Useful for storing values which
-              contain special characters (e.g. newlines) in LDIF files.
-            '';
-          };
-        };
-      })
-    ];
+    # Can't do types.either with multiple non-overlapping submodules, so define our own
+    singleLdapValueType = lib.mkOptionType rec {
+      name = "LDAP";
+      description = "LDAP value";
+      check = x: lib.isString x || (lib.isAttrs x && (x ? "path" || x ? "base64"));
+      merge = lib.mergeEqualOption;
+    };
+    # We don't coerce to lists of single values, as some values must be unique
  in types.either singleLdapValueType (types.listOf singleLdapValueType);

  ldapAttrsType =
--- a/nixos/tests/openldap.nix
+++ b/nixos/tests/openldap.nix
@ -21,6 +21,7 @@ in {
    name = "openldap";

    machine = { pkgs, ... }: {
+      environment.etc."openldap/root_password".text = "notapassword";
      services.openldap = {
        enable = true;
        defaultSchemas = null;
@ -37,13 +38,19 @@ in {
              ];
            };
            "olcDatabase={1}mdb" = {
+              # This tests string, base64 and path values, as well as lists of string values
              attrs = {
                objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
                olcDatabase = "{1}mdb";
                olcDbDirectory = "/var/db/openldap";
                olcSuffix = "dc=example";
-                olcRootDN = "cn=root,dc=example";
-                olcRootPW = "notapassword";
+                olcRootDN = {
+                  # cn=root,dc=example
+                  base64 = "Y249cm9vdCxkYz1leGFtcGxl";
+                };
+                olcRootPW = {
+                  path = "/etc/openldap/root_password";
+                };
              };
            };
          };