fmt: moving all ldap files into their folder.

2023-08-27 22:47:36 +01:00 · 2023-08-27 22:47:36 +01:00 · bd35b240be
commit bd35b240be
parent bfc0d81cf1
5 changed files with 9 additions and 9 deletions
--- a/applications/ldap/client.nix
+++ b/applications/ldap/client.nix
@ -0,0 +1,117 @@
+{ config, pkgs, lib, ... }:
+  with lib;
+  let
+    cfg = config.services.skynet_ldap_client;
+
+    # always ensure the admin group has access
+    create_filter_check_admin = (x: if !(builtins.elem "skynet-admins" x) then x ++ ["skynet-admins"] else x);
+
+    # create teh new strings
+    create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})");
+
+    create_filter_join = (x: concatStringsSep "" x);
+
+    # thought you could escape racket?
+    create_filter = (x: create_filter_join (create_filter_array (create_filter_check_admin x) ) );
+
+  in {
+
+  # these are needed for teh program in question
+  imports = [];
+
+  # give users access to this server
+  #services.skynet_ldap_client.groups = ["skynet-users-linux"];
+
+  options.services.skynet_ldap_client = {
+    # options that need to be passed in to make this work
+
+    enable = mkEnableOption "Skynet LDAP client";
+
+    address = mkOption {
+      type = types.str;
+      default = "account.skynet.ie";
+      description = lib.mdDoc "The domain the ldap is behind";
+    };
+
+    base = mkOption {
+      type = types.str;
+      default = "dc=skynet,dc=ie";
+      description = lib.mdDoc "The base address in the ldap server";
+    };
+
+    groups = mkOption {
+      type = types.listOf types.str;
+      default = [
+        "skynet-admins-linux"
+      ];
+      description = lib.mdDoc "Groups we want to allow access to the server";
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+    # this is athe actual configuration that we need to do
+
+    security.sudo.extraRules = [
+      # admin group has sudo access
+      { groups = [ "skynet-admins-linux" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
+    ];
+
+
+    # give users a home dir
+    security.pam.services.sshd.makeHomeDir = true;
+
+    services.openssh = {
+      # only allow ssh keys
+      settings.PasswordAuthentication = false;
+
+      # tell users where tehy cna setup their ssh key
+      banner = ''
+        If you get 'Permission denied (publickey,keyboard-interactive)' you need to add an ssh key on https://${cfg.address}
+        '';
+    };
+
+    services.sssd = {
+      enable = true;
+
+      sshAuthorizedKeysIntegration = true;
+
+      config = ''
+[domain/skynet.ie]
+id_provider = ldap
+auth_provider = ldap
+sudo_provider = ldap
+
+ldap_uri = ldaps://${cfg.address}:636
+
+ldap_search_base = ${cfg.base}
+# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
+ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
+ldap_group_search_base = ou=groups,${cfg.base}
+ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
+
+ldap_group_nesting_level = 5
+
+cache_credentials = false
+entry_cache_timeout = 1
+
+ldap_user_member_of = skMemberOf
+
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo, ssh
+domains = skynet.ie
+
+[nss]
+# override_homedir = /home/%u
+
+[pam]
+
+[sudo]
+
+[autofs]
+      '';
+    };
+
+  };
+}