{ config, pkgs, lib, ... }: with lib; let cfg = config.services.skynet_ldap_client; # always ensure the admin group has access create_filter_check_admin = (x: if !(builtins.elem "skynet-admins" x) then x ++ ["skynet-admins"] else x); # create teh new strings create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})"); create_filter_join = (x: concatStringsSep "" x); # thought you could escape racket? create_filter = (x: create_filter_join (create_filter_array (create_filter_check_admin x) ) ); in { # these are needed for teh program in question imports = []; options.services.skynet_ldap_client = { # options that need to be passed in to make this work enable = mkEnableOption "Skynet LDAP client"; address = mkOption { type = types.str; default = "sso.skynet.ie"; description = lib.mdDoc "The domain the ldap is behind"; }; base = mkOption { type = types.str; default = "dc=skynet,dc=ie"; description = lib.mdDoc "The base address in the ldap server"; }; groups = mkOption { type = types.listOf types.str; default = [ "skynet-admins" ]; description = lib.mdDoc "Groups we want to allow access to the server"; }; }; config = mkIf cfg.enable { # this is athe actual configuration that we need to do services.sssd = { enable = true; sshAuthorizedKeysIntegration = true; config = '' [domain/skynet.ie] #debug_level = 4 id_provider = ldap auth_provider = ldap sudo_provider = ldap ldap_uri = ldap://${cfg.address}:389 ldap_search_base = ${cfg.base} # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups}) ldap_group_search_base = ou=groups,${cfg.base} ldap_sudo_search_base = cn=skynet-admins,ou=groups,${cfg.base} ldap_group_nesting_level = 5 cache_credentials = false entry_cache_timeout = 1 ldap_user_member_of = skMemberOf [sssd] config_file_version = 2 services = nss, pam, sudo, ssh domains = skynet.ie [nss] override_homedir = /home/%u [pam] [sudo] [autofs] ''; }; }; }