fix: now using two sets of ldap groups, one for linux, one for everything else

applications/gitlab.nix

@@ -161,7 +161,7 @@
               active_directory = false;
               #base = "ou=users,${cfg.ldap.base}?sub?(|(skMemberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))";
               base = "ou=users,${cfg.ldap.base}";
-              user_filter = "(skEnabled=TRUE)";
+              user_filter = "(memberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))";
 
               attributes = {
                 username = "uid";

applications/ldap.nix

@@ -140,7 +140,7 @@ Gonna use a priper nixos module for this
           "cn=modules".attrs = {
             objectClass = [ "olcModuleList" ];
             cn =  "modules";
-            olcModuleLoad = ["dynlist" "memberof" "pw-sha2"];
+            olcModuleLoad = ["dynlist" "memberof" "refint" "pw-sha2"];
           };
 
           "olcDatabase={-1}frontend".attrs = {
@@ -190,6 +190,17 @@ Gonna use a priper nixos module for this
                 olcOverlay =  "dynlist";
                 olcDlAttrSet = "skPerson labeledURI skMemberOf";
               };
+
+              "olcOverlay=memberof".attrs = {
+                objectClass = [ "olcOverlayConfig" "olcMemberOf" "olcConfig" "top" ];
+                olcOverlay =  "memberof";
+
+                olcMemberOfDangling = "ignore";
+                olcMemberOfRefInt = "TRUE";
+                olcMemberOfGroupOC = "groupOfUniqueNames";
+                olcMemberOfMemberAD = "uniqueMember";
+                olcMemberOfMemberOfAD = "memberOf";
+              };
             };
 
 

applications/ldap_client.nix

@@ -21,7 +21,7 @@
   imports = [];
 
   # give users access to this server
-  #services.skynet_ldap_client.groups = ["skynet-users"];
+  #services.skynet_ldap_client.groups = ["skynet-users-linux"];
 
   options.services.skynet_ldap_client = {
     # options that need to be passed in to make this work
@@ -43,7 +43,7 @@
     groups = mkOption {
       type = types.listOf types.str;
       default = [
-        "skynet-admins"
+        "skynet-admins-linux"
       ];
       description = lib.mdDoc "Groups we want to allow access to the server";
     };
@@ -53,6 +53,12 @@
   config = mkIf cfg.enable {
     # this is athe actual configuration that we need to do
 
+    security.sudo.extraRules = [
+      # admin group has sudo access
+      { groups = [ "skynet-admins-linux" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
+    ];
+
+
     # give users a home dir
     security.pam.services.sshd.makeHomeDir = true;
 
@@ -85,7 +91,7 @@
         # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
         ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
         ldap_group_search_base = ou=groups,${cfg.base}
-        ldap_sudo_search_base = cn=skynet-admins,ou=groups,${cfg.base}
+        ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
 
         ldap_group_nesting_level = 5
 

machines/_base.nix

@@ -34,11 +34,6 @@
     ];
   };
 
-  security.sudo.extraRules = [
-    # admin group has sudo access
-    { groups = [ "skynet-admins" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
-  ];
-
   # skynet-admin will always be added, individual servers can override the grpoups option
   services.skynet_ldap_client.enable = true;
 
@@ -84,5 +79,6 @@
     pkgs.bind
     pkgs.zip
     pkgs.traceroute
+    pkgs.openldap
   ];
 }