ldap: client is properly working now

applications/ldap_client.nix

@@ -0,0 +1,100 @@
+{ config, pkgs, lib, ... }:
+  with lib;
+  let
+    cfg = config.services.skynet_ldap_client;
+
+
+    # always ensure the admin group has access
+    create_filter_check_admin = (x: if !(builtins.elem "skynet-admins" x) then x ++ ["skynet-admins"] else x);
+
+    # create teh new strings
+    create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})");
+
+    create_filter_join = (x: concatStringsSep "" x);
+
+    # thought you could escape racket?
+    create_filter = (x: create_filter_join (create_filter_array (create_filter_check_admin x) ) );
+
+  in {
+
+  # these are needed for teh program in question
+  imports = [];
+
+
+  options.services.skynet_ldap_client = {
+    # options that need to be passed in to make this work
+
+    enable = mkEnableOption "Skynet LDAP client";
+
+    address = mkOption {
+      type = types.str;
+      default = "sso.skynet.ie";
+      description = lib.mdDoc "The domain the ldap is behind";
+    };
+
+    base = mkOption {
+      type = types.str;
+      default = "dc=skynet,dc=ie";
+      description = lib.mdDoc "The base address in the ldap server";
+    };
+
+    groups = mkOption {
+      type = types.listOf types.str;
+      default = [
+        "skynet-admins"
+      ];
+      description = lib.mdDoc "Groups we want to allow access to the server";
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+    # this is athe actual configuration that we need to do
+
+
+    services.sssd = {
+      enable = true;
+
+      sshAuthorizedKeysIntegration = true;
+
+      config = ''
+        [domain/skynet.ie]
+        #debug_level = 4
+
+        id_provider = ldap
+        auth_provider = ldap
+        sudo_provider = ldap
+
+        ldap_uri = ldap://${cfg.address}:389
+
+        ldap_search_base = ${cfg.base}
+        # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
+        ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
+        ldap_group_search_base = ou=groups,${cfg.base}
+        ldap_sudo_search_base = cn=skynet-admins,ou=groups,${cfg.base}
+
+        ldap_group_nesting_level = 5
+
+        cache_credentials = false
+        entry_cache_timeout = 1
+
+        ldap_user_member_of = skMemberOf
+
+        [sssd]
+        config_file_version = 2
+        services = nss, pam, sudo, ssh
+        domains = skynet.ie
+
+        [nss]
+        override_homedir = /home/%u
+
+        [pam]
+
+        [sudo]
+
+        [autofs]
+      '';
+    };
+
+  };
+}

machines/optimus.nix

@@ -25,6 +25,9 @@ in {
     ../applications/dns.nix
     ../applications/games.nix
 
+
+    ../applications/ldap_client.nix
+
     # for testing
     ../applications/ldap.nix
   ];
@@ -66,47 +69,11 @@ in {
     };
   };
 
-  services.sssd = {
+
+  services.skynet_ldap_client = {
     enable = true;
-
+    # skynet-admin will always be added
-    sshAuthorizedKeysIntegration = true;
+    groups = [ "skynet-users"];
-
-    config = ''
-      [domain/skynet.ie]
-      debug_level = 4
-
-      id_provider = ldap
-      auth_provider = ldap
-      sudo_provider = ldap
-
-      ldap_uri = ldap://193.1.99.112:389
-
-      ldap_search_base = dc=skynet,dc=ie
-      # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
-      ldap_user_search_base = ou=users,dc=skynet,dc=ie?sub?(|(skMemberOf=cn=skynet-users,ou=groups,dc=skynet,dc=ie))
-      ldap_group_search_base = ou=groups,dc=skynet,dc=ie
-      ldap_sudo_search_base = cn=skynet-admins,ou=groups,dc=skynet,dc=ie
-
-      ldap_group_nesting_level = 5
-
-      cache_credentials = false
-      entry_cache_timeout = 1
-
-      ldap_user_member_of = skMemberOf
-
-      [sssd]
-      config_file_version = 2
-      services = nss, pam, sudo, ssh
-      domains = skynet.ie
-
-      [nss]
-
-      [pam]
-
-      [sudo]
-
-      [autofs]
-    '';
   };
 
 }

secrets/ldap/pw.age

@@ -1,18 +1,16 @@
 age-encryption.org/v1
--> ssh-ed25519 V1pwNA AX0kN3epMM74LV5rSkk9YSmkjEBVcpOHgMsiD4lybB8
+-> ssh-ed25519 V1pwNA V4QvbdBo3D00G0QMPavaedBzI3smISaWhIh7h2M0sDI
-3wPFbon7wHTBI67xENlyXrvNobeFH391lIu6Mtz57QE
+Ia1Vn97nivnRptyzxR1455g7ckz7k51Js8d3vgp5Byw
--> ssh-ed25519 rIwlvw +SiD/4Z54cHwpfrwZY2TDTZdbnriUYG0tsnVeL1OnBs
+-> ssh-ed25519 rIwlvw rx58n2W9AjhLqoCBwEjR4ejjhirYBgSstkaSa/herhc
-ycXT27Ghr9XVq8lVPfbFwrahF6cPjRL0zYQLNMsBjmk
+3bvUhmaedHfJTiCeXm1jrS8MsVN0ZoavxL4KY8VmlfM
--> ssh-ed25519 q8eJgg lu1vgV7TlY0F9d7YeWrBDCX18tBWWSxvpa4k91NNXSE
+-> ssh-ed25519 q8eJgg jDok0EyHw8UX8i7aD6t1moaNWUkiwWXTgLVwfekdzQo
-BEPBLvzttBLxsj7RoKUCrs2ET6zJiN0XXdaLdJ/0EHQ
+6VBxw3mLoWCKEqkEWe2zPXWMY26fX9rdaIy3gpfOiJI
--> ssh-ed25519 DVzSig LmuwjlScGcud/rcBTzHIF2NzqpudSq4FknGz+EKM830
+-> ssh-ed25519 DVzSig 7NiJObICE/uqfuiXrdzNfkXFbAr/alXs8wZ+wq2ZYH0
-BxWb3k53smGaCC7ZgIC9nj2qTpHXRPfqVHkHr5jb9fw
+fqx3dBAC4CbWs1cvMKHzJ1S5sqEV/GDh9+TpFDLGdZE
--> ssh-ed25519 IzAMqA HtoBkw5Kw+3Q0No18g6fKeYkyYp2CNvCiKLOYchZuy4
+-> ssh-ed25519 IzAMqA 9z5qMjT+dYbCUQS+tiI+4rlhcLsDs7MXZ9aGTc22HWo
-JROp4CYz4Iu0QZ4lnzJdYwwqlGeTuKRSQGzIhEEo+bo
+IibOz7H30m4KnacP+wHlkPnjLGxP/nV2NaX35YagANQ
--> F-grease 2~ G1v
+-> DsqU-grease K+O|m ZDW
-amft7S+//HEUloHGXN6JZkMwTH+93wF/MqmJkqz+03nK1DCxuV5LwePQfMS1pSJi
+JEflT3m/pkH3JNhoaeEB4UyFpnqVS2j0TBdyi5cDTgo+8tqGxqpA
-srcTmQG8A7WcpOvUj21ljato1kPgjfAVVeD2RC+k4gurgmY21Pf+mTs10qT0AmY2
+--- IHUjYTMWIfH1a58/rNn4hvR3n5rRABAj9yA7m8NIX44
-oO9l
+¦*<<3C>KÉ؇XÞ+–Α
---- eUA2j4lvZQfuMA9ugmeGBosgJDDlJVbVE09OUSxV9HA
+™ËPl	|Ú)!’KÀ¸ÎÞqXªŽç.tü˜‹Æo<C386>`Êažxl’b¤S‰33ã£ÕæÆeÎ÷%š–˃èDó¤‰
{`üGh#.bý©2—ÏuîNº°c$ÉÁ<>ÎHn×Â8IÜ"ÄÙrÝèÈF¾é¢Þ†ÔÉòÏ<02>ò¯ARhë¨é£bJÏAZ<41>Ö“
-^)' ¿öQNÃøÇ5!rôõ÷i]™ðŒinÔ(8ŸŸUü<55>~!<21>8(|¬&_q ’Üm
-! žI>†3òÅÄ5	„ª¥Ì÷Qcç'Ü#ØAÆæ’ÒÐÞW
ðþhÚ^l|SÈæv€9ýQ—ßg;ý„£nÞ4ô•z´UÔàŠù<C5A0>âÖ‰Þûÿ…½]ð°=Ñ°È_<Rr¯ª•ÊºC<>åîØ•‹P