
Oncall: Difference between revisions

Onny (talk | contribs)
Add OpenLDAP config for authentication
Onny (talk | contribs)
mNo edit summary
 
(5 intermediate revisions by the same user not shown)
Line 2: Line 2:


== Setup ==
== Setup ==
{{Note|Parts of this module are not yet stable will be available with the upcoming NixOS release 25.05.}}


{{Warning|This setup example is for local and testing environments only. Please not that in this case secrets such as the passwords get copied into the Nix store and are globally readable.}}
{{Warning|This setup example is for local and testing environments only. Please not that in this case secrets such as the passwords get copied into the Nix store and are globally readable.}}
Line 25: Line 23:
in
in
{
{
  environment.etc."oncall-secrets.yml".text = ''
  auth:
    ldap_bind_password: "${ldapRootPassword}"
  '';


   services.oncall = {
   services.oncall = {
Line 34: Line 37:
         ldap_user_suffix = "";
         ldap_user_suffix = "";
         ldap_bind_user = "cn=root,${ldapSuffix}";
         ldap_bind_user = "cn=root,${ldapSuffix}";
        ldap_bind_password = ldapRootPassword;
         ldap_base_dn = "ou=accounts,${ldapSuffix}";
         ldap_base_dn = "ou=accounts,${ldapSuffix}";
         ldap_search_filter = "(uid=%s)";
         ldap_search_filter = "(uid=%s)";
Line 42: Line 44:
           full_name = "cn";
           full_name = "cn";
           email = "mail";
           email = "mail";
           mobile = "mobile";
           call = "telephoneNumber";
          sms = "mobile";
         };
         };
       };
       };
     };
     };
    secretFile = "/etc/oncall-secrets.yml";
   };
   };


Line 86: Line 90:


         dn: uid=${testUser},ou=accounts,${ldapSuffix}
         dn: uid=${testUser},ou=accounts,${ldapSuffix}
         objectClass: person
         objectClass: top
         objectClass: posixAccount
         objectClass: inetOrgPerson
         uid: ${testUser}
         uid: ${testUser}
        homeDirectory: /home/${testUser}
        uidNumber: 1234
        gidNumber: 1234
         userPassword: ${testPassword}
         userPassword: ${testPassword}
         cn: "Test User"
         cn: Test User
         sn: "User"
         sn: User
        mail: test@example.org
        telephoneNumber: 012345678910
        mobile: 012345678910
       '';
       '';
     };
     };
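Review bot: The new `environment.etc."oncall-secrets.yml".text` block together with `secretFile` moves `ldap_bind_password` out of `settings`, but `environment.etc` with `.text` still materializes the interpolated password as a world-readable Nix store path, so the secret is no better protected than before; the warning already says so, and the example should say it next to the code rather than only above it. I would add `# NOTE: .text lands in the world-readable Nix store; for real deployments provision /etc/oncall-secrets.yml out-of-band and keep only secretFile here.` above the `environment.etc` line. The context lines also show Oncall binding as `cn=root,${ldapSuffix}`, which is the directory's rootDN; a short comment that a dedicated read-only bind DN is preferable outside a test setup would help readers who copy this. The surrounding `services.oncall` attribute set starts and ends outside this hunk.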

Latest revision as of 09:15, 1 June 2025

Oncall is a web-app for shift planning, developed by LinkedIn.

Setup

Warning: This setup example is for local and testing environments only. Please note that in this case secrets such as the passwords get copied into the Nix store and are globally readable.

To enable and run Oncall, add the following configuration to your system configuration and apply it:

{
  pkgs,
  lib,
  ...
}:
# Self-contained test setup: a local OpenLDAP server holding a single test
# account, and Oncall configured to authenticate against that directory.
# `lib` is not referenced below; it is only kept as a conventional module argument.
let
  ldapDomain = "example.org";
  ldapSuffix = "dc=example,dc=org";

  # Credentials of the OpenLDAP rootDN; the same identity is reused by Oncall
  # as its bind user (see ldap_bind_user / olcRootDN below).
  ldapRootUser = "root";
  ldapRootPassword = "foobar23";

  # Account created in the directory for logging in to Oncall.
  testUser = "myuser";
  testPassword = "foobar23";
in
{

  # The bind password is interpolated into a file managed by environment.etc,
  # so it ends up in the world-readable Nix store (see the warning above).
  # Acceptable for a local test only.
  environment.etc."oncall-secrets.yml".text = ''
  auth:
    ldap_bind_password: "${ldapRootPassword}"
  '';

  services.oncall = {
    enable = true;
    settings = {
      auth = {
        module = "oncall.auth.modules.ldap_import";
        # Plain ldap:// to the OpenLDAP instance configured further down.
        ldap_url = "ldap://localhost";
        ldap_user_suffix = "";
        # Binds as the directory rootDN (cn=root,dc=example,dc=org) defined in
        # services.openldap below.
        ldap_bind_user = "cn=root,${ldapSuffix}";
        ldap_base_dn = "ou=accounts,${ldapSuffix}";
        ldap_search_filter = "(uid=%s)";
        import_user = true;
        # LDAP attribute names Oncall reads for each imported user; they match
        # the attributes set on the test entry in declarativeContents below.
        attrs = {
          username = "uid";
          full_name = "cn";
          email = "mail";
          call = "telephoneNumber";
          sms = "mobile";
        };
      };
    };
    # Holds auth.ldap_bind_password, which is deliberately absent from
    # `settings`; presumably merged into the settings by the module — confirm.
    secretFile = "/etc/oncall-secrets.yml";
  };

  services.openldap = {
    enable = true;
    settings = {
      children = {
        # Schemas needed for the objectClasses used in declarativeContents.
        "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
          "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
          "${pkgs.openldap}/etc/schema/nis.ldif"
        ];
        "olcDatabase={1}mdb" = {
          attrs = {
            objectClass = [
              "olcDatabaseConfig"
              "olcMdbConfig"
            ];
            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/db";
            olcSuffix = ldapSuffix;
            # rootDN/rootPW: the same values Oncall binds with.
            olcRootDN = "cn=${ldapRootUser},${ldapSuffix}";
            olcRootPW = ldapRootPassword;
          };
        };
      };
    };
    # LDIF for the suffix: base entry, the ou=accounts container, and one test
    # user. userPassword is written as given (plaintext) — test setup only.
    declarativeContents = {
      ${ldapSuffix} = ''
        dn: ${ldapSuffix}
        objectClass: top
        objectClass: dcObject
        objectClass: organization
        o: ${ldapDomain}

        dn: ou=accounts,${ldapSuffix}
        objectClass: top
        objectClass: organizationalUnit

        dn: uid=${testUser},ou=accounts,${ldapSuffix}
        objectClass: top
        objectClass: inetOrgPerson
        uid: ${testUser}
        userPassword: ${testPassword}
        cn: Test User
        sn: User
        mail: test@example.org
        telephoneNumber: 012345678910
        mobile: 012345678910
      '';
    };
  };

}

Go to http://localhost to access it. Log in with the test user myuser and the password foobar23.