Oncall: Difference between revisions

Latest revision as of 16:16, 7 April 2025

Oncall is a web-app for shift planning, developed by LinkedIn.

Setup

Note: Parts of this module are not yet stable will be available with the upcoming NixOS release 25.05.

Warning: This setup example is for local and testing environments only. Please not that in this case secrets such as the passwords get copied into the Nix store and are globally readable.

To enable and run Oncall add following line to your system configuration and apply it

{
  pkgs,
  lib,
  ...
}:
let
  ldapDomain = "example.org";
  ldapSuffix = "dc=example,dc=org";

  ldapRootUser = "root";
  ldapRootPassword = "foobar23";

  testUser = "myuser";
  testPassword = "foobar23";
in
{

  environment.etc."oncall-secrets.yml".text = ''
  auth:
    ldap_bind_password: "${ldapRootPassword}"
  '';

  services.oncall = {
    enable = true;
    settings = {
      auth = {
        module = "oncall.auth.modules.ldap_import";
        ldap_url = "ldap://localhost";
        ldap_user_suffix = "";
        ldap_bind_user = "cn=root,${ldapSuffix}";
        ldap_base_dn = "ou=accounts,${ldapSuffix}";
        ldap_search_filter = "(uid=%s)";
        import_user = true;
        attrs = {
          username = "uid";
          full_name = "cn";
          email = "mail";
          mobile = "telephoneNumber";
          sms = "mobile";
        };
      };
    };
    secrets = [ "/etc/oncall-secrets.yml" ];
  };

  services.openldap = {
    enable = true;
    settings = {
      children = {
        "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
          "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
          "${pkgs.openldap}/etc/schema/nis.ldif"
        ];
        "olcDatabase={1}mdb" = {
          attrs = {
            objectClass = [
              "olcDatabaseConfig"
              "olcMdbConfig"
            ];
            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/db";
            olcSuffix = ldapSuffix;
            olcRootDN = "cn=${ldapRootUser},${ldapSuffix}";
            olcRootPW = ldapRootPassword;
          };
        };
      };
    };
    declarativeContents = {
      ${ldapSuffix} = ''
        dn: ${ldapSuffix}
        objectClass: top
        objectClass: dcObject
        objectClass: organization
        o: ${ldapDomain}

        dn: ou=accounts,${ldapSuffix}
        objectClass: top
        objectClass: organizationalUnit

        dn: uid=${testUser},ou=accounts,${ldapSuffix}
        objectClass: top
        objectClass: inetOrgPerson
        uid: ${testUser}
        userPassword: ${testPassword}
        cn: Test User
        sn: User
        mail: test@example.org
        telephoneNumber: 012345678910
        mobile: 012345678910
      '';
    };
  };

}

Go to http://localhost to access it. Login with the test user myuser and the password foobar23.