From 61bd023737280ba99f8e974c1f888fe27d78b04f Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Thu, 15 Jun 2023 14:29:06 +0100
Subject: [PATCH] fix: now using two sets of ldap groups, one for linux, one for everything else

---
 applications/gitlab.nix | 2 +-
 applications/ldap.nix | 13 ++++++++++++-
 applications/ldap_client.nix | 12 +++++++++---
 machines/_base.nix | 6 +-----
 4 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/applications/gitlab.nix b/applications/gitlab.nix
index ae54043..3a7d4ed 100644
--- a/applications/gitlab.nix
+++ b/applications/gitlab.nix
@@ -161,7 +161,7 @@
 active_directory = false;
 #base = "ou=users,${cfg.ldap.base}?sub?(|(skMemberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))";
 base = "ou=users,${cfg.ldap.base}";
- user_filter = "(skEnabled=TRUE)";
+ user_filter = "(memberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))";
 attributes = {
 username = "uid";
diff --git a/applications/ldap.nix b/applications/ldap.nix
index ffcb080..18ee1b1 100644
--- a/applications/ldap.nix
+++ b/applications/ldap.nix
@@ -140,7 +140,7 @@ Gonna use a priper nixos module for this
 "cn=modules".attrs = {
 objectClass = [ "olcModuleList" ];
 cn = "modules";
- olcModuleLoad = ["dynlist" "memberof" "pw-sha2"];
+ olcModuleLoad = ["dynlist" "memberof" "refint" "pw-sha2"];
 };
 "olcDatabase={-1}frontend".attrs = {
@@ -190,6 +190,17 @@ Gonna use a priper nixos module for this
 olcOverlay = "dynlist";
 olcDlAttrSet = "skPerson labeledURI skMemberOf";
 };
+
+ "olcOverlay=memberof".attrs = {
+ objectClass = [ "olcOverlayConfig" "olcMemberOf" "olcConfig" "top" ];
+ olcOverlay = "memberof";
+
+ olcMemberOfDangling = "ignore";
+ olcMemberOfRefInt = "TRUE";
+ olcMemberOfGroupOC = "groupOfUniqueNames";
+ olcMemberOfMemberAD = "uniqueMember";
+ olcMemberOfMemberOfAD = "memberOf";
+ };
 };
diff --git a/applications/ldap_client.nix b/applications/ldap_client.nix
index c82b6ba..354bcac 100644
--- a/applications/ldap_client.nix
+++ b/applications/ldap_client.nix
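Review bot: The new `user_filter` in the gitlab.nix hunk has unbalanced parentheses — one `(` and two `)` — so `(memberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))` is not a well-formed LDAP filter and, once GitLab wraps it together with the uid match, the user search will most likely be rejected as malformed rather than simply return no match; it should read `user_filter = "(memberOf=cn=skynet-users,ou=groups,${cfg.ldap.base})";`. The change also drops the previous `(skEnabled=TRUE)` condition, so a disabled account that is still listed in skynet-users would now pass the filter; if skEnabled is still meant to gate logins, combine the two: `user_filter = "(&(skEnabled=TRUE)(memberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))";`. Note also that the `memberOf` attribute is maintained by the memberof overlay only for memberships written after that overlay is active, so existing group members may not match until their `uniqueMember` entries are re-written. The enclosing ldap attribute set starts and ends outside the hunk.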
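Review bot: `olcMemberOfDangling = "ignore"` in the new memberof overlay lets a `uniqueMember` value that points at a non-existent DN be written silently, which hides typos in group membership at the moment that membership starts to gate GitLab logins and sudo; the stricter `olcMemberOfDangling = "error";` rejects such writes and is worth considering unless dangling members are expected. The overlay only maintains `memberOf` for modifications made after it is enabled — it does not back-fill existing `uniqueMember` values in `ou=groups` — so the groups need to be re-written after this deploys, and a comment above the block saying so would spare the next operator an empty-memberOf debugging session. `olcMemberOfRefInt = "TRUE"` depends on the `refint` module added in the earlier hunk; a one-line comment tying the two together (`# refint is loaded in cn=modules above`) would make that coupling visible. The enclosing attribute set continues outside the hunk.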
@@ -21,7 +21,7 @@
 imports = [];
 # give users access to this server
- #services.skynet_ldap_client.groups = ["skynet-users"];
+ #services.skynet_ldap_client.groups = ["skynet-users-linux"];
 options.services.skynet_ldap_client = {
 # options that need to be passed in to make this work
@@ -43,7 +43,7 @@
 groups = mkOption {
 type = types.listOf types.str;
 default = [
- "skynet-admins"
+ "skynet-admins-linux"
 ];
 description = lib.mdDoc "Groups we want to allow access to the server";
 };
@@ -53,6 +53,12 @@
 config = mkIf cfg.enable {
 # this is athe actual configuration that we need to do
+ security.sudo.extraRules = [
+ # admin group has sudo access
+ { groups = [ "skynet-admins-linux" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
+ ];
+ + # give users a home dir
 security.pam.services.sshd.makeHomeDir = true;
@@ -85,7 +91,7 @@
 # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
 ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
 ldap_group_search_base = ou=groups,${cfg.base}
- ldap_sudo_search_base = cn=skynet-admins,ou=groups,${cfg.base}
+ ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
 ldap_group_nesting_level = 5
diff --git a/machines/_base.nix b/machines/_base.nix
index 4f0c854..09b7bf2 100644
--- a/machines/_base.nix
+++ b/machines/_base.nix
@@ -34,11 +34,6 @@
 ];
 };
- security.sudo.extraRules = [
- # admin group has sudo access
- { groups = [ "skynet-admins" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
- ];
- # skynet-admin will always be added, individual servers can override the grpoups option
 services.skynet_ldap_client.enable = true;
@@ -84,5 +79,6 @@
 pkgs.bind
 pkgs.zip
 pkgs.traceroute
+ pkgs.openldap
 ];
 }
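Review bot: The sudo rule added in the `config = mkIf cfg.enable {` hunk grants `ALL` with `NOPASSWD` to every member of the LDAP group `skynet-admins-linux`, so group membership as resolved by sssd is passwordless root on every host that enables this module, and whoever can write `uniqueMember` on that group entry (or compromise the directory) effectively gets root everywhere at once. If that is the intended trust model, say so next to the rule — `# NOTE: membership of this LDAP group == passwordless root on every host importing this module` — and make sure the group entry's write ACL on the server side is correspondingly tight; otherwise dropping `NOPASSWD` means a stolen SSH key alone is not enough for root. The group name is also hard-coded here while `cfg.groups` is an option, so a host that overrides `groups` to exclude skynet-admins-linux still carries the rule (harmless, but surprising, and a short comment would help). `ldap_sudo_search_base` now points at a single group DN rather than a container of sudoRole entries; that is pre-existing apart from the rename, but it is worth confirming the sssd sudo provider is really expected to find rules there. The `config` attribute set continues outside the hunk.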