fix: now using two sets of ldap groups, one for linux, one for everything else

2023-06-15 14:29:06 +01:00 · 2023-06-15 14:29:06 +01:00 · 61bd023737
commit 61bd023737
parent 0411c8e18c
4 changed files with 23 additions and 10 deletions
--- a/applications/gitlab.nix
+++ b/applications/gitlab.nix
@ -161,7 +161,7 @@
              active_directory = false;
              #base = "ou=users,${cfg.ldap.base}?sub?(|(skMemberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))";
              base = "ou=users,${cfg.ldap.base}";
-              user_filter = "(skEnabled=TRUE)";
+              user_filter = "(memberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))";

              attributes = {
                username = "uid";
--- a/applications/ldap.nix
+++ b/applications/ldap.nix
@ -140,7 +140,7 @@ Gonna use a priper nixos module for this
          "cn=modules".attrs = {
            objectClass = [ "olcModuleList" ];
            cn =  "modules";
-            olcModuleLoad = ["dynlist" "memberof" "pw-sha2"];
+            olcModuleLoad = ["dynlist" "memberof" "refint" "pw-sha2"];
          };

          "olcDatabase={-1}frontend".attrs = {
@ -190,6 +190,17 @@ Gonna use a priper nixos module for this
                olcOverlay =  "dynlist";
                olcDlAttrSet = "skPerson labeledURI skMemberOf";
              };
+
+              "olcOverlay=memberof".attrs = {
+                objectClass = [ "olcOverlayConfig" "olcMemberOf" "olcConfig" "top" ];
+                olcOverlay =  "memberof";
+
+                olcMemberOfDangling = "ignore";
+                olcMemberOfRefInt = "TRUE";
+                olcMemberOfGroupOC = "groupOfUniqueNames";
+                olcMemberOfMemberAD = "uniqueMember";
+                olcMemberOfMemberOfAD = "memberOf";
+              };
            };


--- a/applications/ldap_client.nix
+++ b/applications/ldap_client.nix
@ -21,7 +21,7 @@
  imports = [];

  # give users access to this server
-  #services.skynet_ldap_client.groups = ["skynet-users"];
+  #services.skynet_ldap_client.groups = ["skynet-users-linux"];

  options.services.skynet_ldap_client = {
    # options that need to be passed in to make this work
@ -43,7 +43,7 @@
    groups = mkOption {
      type = types.listOf types.str;
      default = [
-        "skynet-admins"
+        "skynet-admins-linux"
      ];
      description = lib.mdDoc "Groups we want to allow access to the server";
    };
@ -53,6 +53,12 @@
  config = mkIf cfg.enable {
    # this is athe actual configuration that we need to do

+    security.sudo.extraRules = [
+      # admin group has sudo access
+      { groups = [ "skynet-admins-linux" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
+    ];
+
+
    # give users a home dir
    security.pam.services.sshd.makeHomeDir = true;

@ -85,7 +91,7 @@
        # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
        ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
        ldap_group_search_base = ou=groups,${cfg.base}
-        ldap_sudo_search_base = cn=skynet-admins,ou=groups,${cfg.base}
+        ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}

        ldap_group_nesting_level = 5

--- a/machines/_base.nix
+++ b/machines/_base.nix
@ -34,11 +34,6 @@
    ];
  };

-  security.sudo.extraRules = [
-    # admin group has sudo access
-    { groups = [ "skynet-admins" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
-  ];
-
  # skynet-admin will always be added, individual servers can override the grpoups option
  services.skynet_ldap_client.enable = true;

@ -84,5 +79,6 @@
    pkgs.bind
    pkgs.zip
    pkgs.traceroute
+    pkgs.openldap
  ];
 }