Skynet/nixos
7
1
Fork 0
Code Issues 45 Pull requests 1 Projects Releases Packages Wiki Activity Actions

feat: added a formatter and some instructions

Browse source
This commit is contained in:
silver 2023-09-17 20:51:08 +01:00
parent 14ae0a9065
commit 7f3dc8946e
39 changed files with 1739 additions and 1348 deletions
Download patch file Download diff file Expand all files Collapse all files

96
applications/ldap/client.nix
View file

@ -1,21 +1,26 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.skynet_ldap_client;
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.services.skynet_ldap_client;
# always ensure the admin group has access
create_filter_check_admin = (x: if !(builtins.elem "skynet-admins" x) then x ++ ["skynet-admins"] else x);
# always ensure the admin group has access
create_filter_check_admin = x:
if !(builtins.elem "skynet-admins" x)
then x ++ ["skynet-admins"]
else x;
# create teh new strings
create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})");
# create teh new strings
create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})");
create_filter_join = (x: concatStringsSep "" x);
# thought you could escape racket?
create_filter = (x: create_filter_join (create_filter_array (create_filter_check_admin x) ) );
in {
create_filter_join = x: concatStringsSep "" x;
# thought you could escape racket?
create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x));
in {
# these are needed for teh program in question
imports = [];
@ -46,7 +51,6 @@
];
description = lib.mdDoc "Groups we want to allow access to the server";
};
};
config = mkIf cfg.enable {
@ -54,10 +58,17 @@
security.sudo.extraRules = [
# admin group has sudo access
{ groups = [ "skynet-admins-linux" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
{
groups = ["skynet-admins-linux"];
commands = [
{
command = "ALL";
options = ["NOPASSWD"];
}
];
}
];
# give users a home dir
security.pam.services.sshd.makeHomeDir = true;
@ -68,7 +79,7 @@
# tell users where tehy cna setup their ssh key
banner = ''
If you get 'Permission denied (publickey,keyboard-interactive)' you need to add an ssh key on https://${cfg.address}
'';
'';
};
services.sssd = {
@ -77,41 +88,40 @@
sshAuthorizedKeysIntegration = true;
config = ''
[domain/skynet.ie]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
[domain/skynet.ie]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://${cfg.address}:636
ldap_uri = ldaps://${cfg.address}:636
ldap_search_base = ${cfg.base}
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
ldap_group_search_base = ou=groups,${cfg.base}
ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
ldap_search_base = ${cfg.base}
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
ldap_group_search_base = ou=groups,${cfg.base}
ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
ldap_group_nesting_level = 5
ldap_group_nesting_level = 5
cache_credentials = false
entry_cache_timeout = 1
cache_credentials = false
entry_cache_timeout = 1
ldap_user_member_of = skMemberOf
ldap_user_member_of = skMemberOf
[sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = skynet.ie
[sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = skynet.ie
[nss]
# override_homedir = /home/%u
[nss]
# override_homedir = /home/%u
[pam]
[pam]
[sudo]
[sudo]
[autofs]
[autofs]
'';
};
};
}
}