Jump to content

Oncall: Difference between revisions

From NixOS Wiki
← Older edit
Visual
Onny (talk | contribs)
210 edits
Add OpenLDAP config for authentication
Onny (talk | contribs)
210 edits
Oncall use secrets option
 
Line 25: Line 25:
in
in
{
{
  environment.etc."oncall-secrets.yml".text = ''
  auth:
    ldap_bind_password: "${ldapRootPassword}"
  '';


   services.oncall = {
   services.oncall = {
Line 34: Line 39:
         ldap_user_suffix = "";
         ldap_user_suffix = "";
         ldap_bind_user = "cn=root,${ldapSuffix}";
         ldap_bind_user = "cn=root,${ldapSuffix}";
        ldap_bind_password = ldapRootPassword;
         ldap_base_dn = "ou=accounts,${ldapSuffix}";
         ldap_base_dn = "ou=accounts,${ldapSuffix}";
         ldap_search_filter = "(uid=%s)";
         ldap_search_filter = "(uid=%s)";
Line 46: Line 50:
       };
       };
     };
     };
    secrets = [ "/etc/oncall-secrets.yml" ];
   };
   };


Latest revision as of 05:00, 31 March 2025

Oncall is a web-app for shift planning, developed by LinkedIn.

Setup

Note: Parts of this module are not yet stable will be available with the upcoming NixOS release 25.05.
Warning: This setup example is for local and testing environments only. Please not that in this case secrets such as the passwords get copied into the Nix store and are globally readable.

To enable and run Oncall add following line to your system configuration and apply it 

{
  pkgs,
  lib,
  ...
}:
let
  ldapDomain = "example.org";
  ldapSuffix = "dc=example,dc=org";

  ldapRootUser = "root";
  ldapRootPassword = "foobar23";

  testUser = "myuser";
  testPassword = "foobar23";
in
{

  environment.etc."oncall-secrets.yml".text = ''
  auth:
    ldap_bind_password: "${ldapRootPassword}"
  '';

  services.oncall = {
    enable = true;
    settings = {
      auth = {
        module = "oncall.auth.modules.ldap_import";
        ldap_url = "ldap://localhost";
        ldap_user_suffix = "";
        ldap_bind_user = "cn=root,${ldapSuffix}";
        ldap_base_dn = "ou=accounts,${ldapSuffix}";
        ldap_search_filter = "(uid=%s)";
        import_user = true;
        attrs = {
          username = "uid";
          full_name = "cn";
          email = "mail";
          mobile = "mobile";
        };
      };
    };
    secrets = [ "/etc/oncall-secrets.yml" ];
  };

  services.openldap = {
    enable = true;
    settings = {
      children = {
        "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
          "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
          "${pkgs.openldap}/etc/schema/nis.ldif"
        ];
        "olcDatabase={1}mdb" = {
          attrs = {
            objectClass = [
              "olcDatabaseConfig"
              "olcMdbConfig"
            ];
            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/db";
            olcSuffix = ldapSuffix;
            olcRootDN = "cn=${ldapRootUser},${ldapSuffix}";
            olcRootPW = ldapRootPassword;
          };
        };
      };
    };
    declarativeContents = {
      ${ldapSuffix} = ''
        dn: ${ldapSuffix}
        objectClass: top
        objectClass: dcObject
        objectClass: organization
        o: ${ldapDomain}

        dn: ou=accounts,${ldapSuffix}
        objectClass: top
        objectClass: organizationalUnit

        dn: uid=${testUser},ou=accounts,${ldapSuffix}
        objectClass: person
        objectClass: posixAccount
        uid: ${testUser}
        homeDirectory: /home/${testUser}
        uidNumber: 1234
        gidNumber: 1234
        userPassword: ${testPassword}
        cn: "Test User"
        sn: "User"
      '';
    };
  };

}

Go to http://localhost to access it. Login with the test user myuser and the password foobar23.

Retrieved from "https://wiki.nixos.org/w/index.php?title=Oncall&oldid=21077"