feat: many changes

2025-08-01 19:48:49 +02:00
parent 7f01dc4cac
commit 3990566fe5
21 changed files with 363 additions and 170 deletions
--- a/utils/modules/borgbackup.nix
+++ b/utils/modules/borgbackup.nix
@@ -77,6 +77,8 @@ in {
        "/var/cache"
        "/var/tmp"
        "/var/log"
+        "var/lib/microvms"
+        "/var/lib/nixos-containers"
      ];
      environment.BORG_RSH = "ssh -p23 -i ${config.sops.secrets.borg-ssh-key.path}";
      repo = repo;
--- a/utils/modules/ldap-auth.nix
+++ b/utils/modules/ldap-auth.nix
@@ -0,0 +1,57 @@
+{ lib, config, pkgs, ... }:
+let
+  ldapAuthorizedKeys =
+    pkgs.writeShellScript "ldap-authorized-keys" ''
+      exec ${pkgs.openldap}/bin/ldapsearch -LLL -x -H ldap://ldap.cloonar.com \
+        -D "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com" \
+        -y ${config.sops.secrets.linuxbind-password.path} \
+        -b "ou=users,dc=cloonar,dc=com" \
+        "(uid=$1)" sshPublicKey \
+      | sed -n 's/^sshPublicKey: //p'
+    '';
+in
+{
+  environment.systemPackages = with pkgs; [ openldap ];
+
+  users.ldap = {
+    enable = true;
+    daemon.enable = true;
+    base = "ou=users,dc=cloonar,dc=com";
+    server = "ldap://ldap.cloonar.com/";
+    useTLS = true;
+    bind = {
+      policy = "soft";
+      distinguishedName = "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com";
+      passwordFile = config.sops.secrets.linuxbind-password.path;
+    };
+    loginPam = true;
+    extraConfig = ''
+      ldap_version 3
+      # pam_password ssha
+      pam_filter objectClass=posixAccount
+      pam_login_attribute uid
+      pam_member_attribute gidNumber
+    '';
+  };
+
+  security.pam.services.login.makeHomeDir = true;
+  security.pam.services.systemd-user.makeHomeDir = true;
+  systemd.services.nslcd = {
+    after = [ "Network-Manager.service" ];
+  };
+
+  # evil, horrifying hack for dysfunctional nss_override_attribute_value
+  systemd.tmpfiles.rules = [
+    "L /bin/bash - - - - /run/current-system/sw/bin/bash"
+  ];
+
+  services.openssh = {
+    settings = {
+      AuthorizedKeysCommand      = ldapAuthorizedKeys;
+      AuthorizedKeysCommandUser  = "nslcd";   # default is “nobody” :contentReference[oaicite:0]{index=0}
+      PubkeyAuthentication       = "yes";
+    };
+  };
+
+  sops.secrets.linuxbind-password.owner = "nslcd";
+}