nixos/applications/ldap/client.nix

139 lines
3.5 KiB
Nix
Raw Permalink Normal View History

{
config,
pkgs,
lib,
...
}:
with lib; let
name = "ldap_client";
cfg = config.services.skynet."${name}";
# always ensure the admin group has access
create_filter_check_admin = x:
if !(builtins.elem "skynet-admins" x)
then x ++ ["skynet-admins"]
else x;
# create teh new strings
create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})");
create_filter_join = x: concatStringsSep "" x;
# thought you could escape racket?
create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x));
sudo_create_filter = x: (concatStringsSep ", " (map (x: "cn=${x},ou=groups,${cfg.base}") x));
in {
2023-05-21 00:38:19 +00:00
# these are needed for teh program in question
imports = [];
# give users access to this server
#services.skynet.ldap_client.groups = ["skynet-users-linux"];
2023-05-21 00:38:19 +00:00
options.services.skynet."${name}" = {
2023-05-21 00:38:19 +00:00
# options that need to be passed in to make this work
enable = mkEnableOption "Skynet LDAP client";
address = mkOption {
type = types.str;
default = "account.skynet.ie";
2023-05-21 00:38:19 +00:00
description = lib.mdDoc "The domain the ldap is behind";
};
base = mkOption {
type = types.str;
default = "dc=skynet,dc=ie";
description = lib.mdDoc "The base address in the ldap server";
};
groups = mkOption {
type = types.listOf types.str;
default = [
"skynet-admins-linux"
2023-05-21 00:38:19 +00:00
];
description = lib.mdDoc "Groups we want to allow access to the server";
};
sudo_groups = mkOption {
type = types.listOf types.str;
default = [
"skynet-admins-linux"
];
description = lib.mdDoc "Groups we want to allow access to the server";
};
2023-05-21 00:38:19 +00:00
};
config = mkIf cfg.enable {
# this is athe actual configuration that we need to do
security.sudo.extraRules = [
# admin group has sudo access
{
groups = cfg.sudo_groups;
commands = [
{
command = "ALL";
options = ["NOPASSWD"];
}
];
}
];
2023-05-21 00:39:01 +00:00
# give users a home dir
security.pam.services.sshd.makeHomeDir = true;
2023-05-21 00:38:19 +00:00
services.openssh = {
# only allow ssh keys
2023-06-17 20:35:57 +00:00
settings.PasswordAuthentication = false;
# tell users where tehy cna setup their ssh key
banner = ''
If you get 'Permission denied (publickey,keyboard-interactive)' you need to add an ssh key on https://${cfg.address}
'';
};
2023-05-21 00:38:19 +00:00
services.sssd = {
enable = true;
sshAuthorizedKeysIntegration = true;
config = ''
[domain/skynet.ie]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
2023-05-21 00:38:19 +00:00
ldap_uri = ldaps://${cfg.address}:636
2023-05-21 00:38:19 +00:00
ldap_search_base = ${cfg.base}
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
ldap_group_search_base = ou=groups,${cfg.base}
# using commas from https://support.hpe.com/hpesc/public/docDisplay?docId=c02793175&docLocale=en_US
ldap_sudo_search_base, ${sudo_create_filter cfg.sudo_groups}
2023-05-21 00:38:19 +00:00
ldap_group_nesting_level = 5
2023-05-21 00:38:19 +00:00
cache_credentials = false
entry_cache_timeout = 1
2023-05-21 00:38:19 +00:00
ldap_user_member_of = skMemberOf
2023-05-21 00:38:19 +00:00
[sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = skynet.ie
2023-05-21 00:38:19 +00:00
[nss]
# override_homedir = /home/%u
2023-05-21 00:38:19 +00:00
[pam]
2023-05-21 00:38:19 +00:00
[sudo]
2023-05-21 00:38:19 +00:00
[autofs]
2023-05-21 00:38:19 +00:00
'';
};
};
}