diff --git a/hosts/web-arm/configuration.nix b/hosts/web-arm/configuration.nix
index d6b5186..c4acebe 100644
--- a/hosts/web-arm/configuration.nix
+++ b/hosts/web-arm/configuration.nix
@@ -23,7 +23,7 @@
 ./utils/modules/autoupgrade.nix
 ./utils/modules/promtail
 ./utils/modules/borgbackup.nix
- # ./utils/modules/ldap-auth.nix
+ ./utils/modules/ldap-auth.nix
 ./modules/set-nix-channel.nix # Automatically manage nix-channel from /var/bento/channel
 ./hardware-configuration.nix
 
diff --git a/hosts/web-arm/secrets.yaml b/hosts/web-arm/secrets.yaml
index 703c203..714856d 100644
--- a/hosts/web-arm/secrets.yaml
+++ b/hosts/web-arm/secrets.yaml
@@ -14,6 +14,7 @@ grafana-ldap-password: ENC[AES256_GCM,data:hNB6CRtXW98yqUqInD3LsZ75sA+lVfmbooehn
 grafana-admin-password: ENC[AES256_GCM,data:365efRy8xD7SHBnVz6ZJO3l8/lfiZ5vZPZZbxnUmjKKJTMeebLY+P54moStY0wsbU9vk7sCKATCxrS5xy+FQJSgKLoajfz50OMA4+1k3Shl+skbeIikHKwFxqrljFa6HRQ2HTW6KLDPu6Z5Agkima5xdfrtc5R1SnOFg5b6D5NU=,iv:0yZGZVQd35Itj66Ff5hDfDYYx5xsNs/wc887bgMV1MY=,tag:9t8Iffg7kxSjE5eo7iv/RQ==,type:str]
 grafana-oauth-secret: ENC[AES256_GCM,data:OXsKChjgnDEKG58LarUpdJlDy4FJTrs1lrHH9I4wO+OGb+XdOPokyXSq0Om7aYhp2g40rBcQzfj5tQcgjmvZ27He93HfgxST,iv:pSiu/2G+D/wd2+FormfGiXMm2Ps/5iDDHqUnsIJ37EY=,tag:UN2IZ6/aJJSEcTmXeD9CAQ==,type:str]
 linuxbind-password: ENC[AES256_GCM,data:zWIQyVQvB7vMS/IG2+ZW2pzFy9toBae12wEo73VkQRdyRLe3ElC6XWZku/GQWNBXpqWjh3ULlBwowQJ6IblGTw==,iv:kXDbTD/c+d60meMbzzeIXcjLOIlSCYOz7pkWyZN/cQ4=,tag:Ey4V/IPceDNKA0GQl9awcA==,type:str]
+sssd-environment: ENC[AES256_GCM,data:3HD94JLYAwr3TxHKhoqZ/EdHeyPuzsQuDWW1efFOLeb5bOJRuO7ckyYJK/YirMdYNimnsz5O1fvYYogewNvTLcQzfJ3pp9G+vwp/kaZT2GxiJskYdPUBTtStIA==,iv:uPoePg0imKZZrtHvs9t9rZSNN7xlQHr83e3ljyx3d/Y=,tag:NCYUTtsjlB/Zt39JTDDOJw==,type:str]
 promtail-nginx-password: ENC[AES256_GCM,data:zk/Wq+Nss6Md0GdhoOcysPrDBqfoAobmqb4LMDkJBjpCn/mdP3/HPiIYdZnZ0vV0JmYpQVqgVFPMlA==,iv:TA19kKllw0Vco6RRlbW4eUqeGQ0SQJRr/TATmyZBMrs=,tag:10/87/svXdL1hpUcTOtY0w==,type:str]
 victoria-nginx-password: ENC[AES256_GCM,data:+rKDzML5eQX47JF1i/ZU9jwdeLgRXPyzwSCt+iDzsCx8RKSn+omTESs/P4lj9dBPO0zjo6w=,iv:o4JW6EIwTMt3SAqhGscnc9iQBwWr6VYFSIA5sc86+pc=,tag:OvupW1Py8pCu5IAemdc81w==,type:str]
 nextcloud-adminpass: ENC[AES256_GCM,data:/vt17v+aaucz8sq/uYUA0hlj1urKNYcmCN0LbgGAMhWoTiTwzYr5FzrygOuZWZBeaAFH1pWItTZRXj74OX8XqutLPlYDg/jZqLszU0/9HgSBoHb5ZnPUpzIjNI9dpMttPphpo5TVrYKoh/vR3OWjJa3ObcpGLdvMQc1r8ABEvvg=,iv:0xW7++80CwZy0O4J3bFElqp0ZMC+RpO5kcczshM1pzg=,tag:PJj5PHfkoHE8jRbS4mpq6Q==,type:str]
@@ -62,7 +63,7 @@ sops:
 elpYSDg2Y09Ia1VEaE9yUWRYMlk4V0UKcsiKxtTdtAT7odCCua7wV/3879QEp2YJ
 iIVgZIrTg34tEGj8VbACcGINZfid3SSkUM4hnydP72ZOOfijIN21Ew==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-08-01T17:49:05Z"
- mac: ENC[AES256_GCM,data:JIkQOXcs/i90TPDn7Wf9cqNfq8LTyqlQlo5yqA8I2FKDPRYShT6jAC+SYN+lA2hE2brujYex/5pO55u7INVC92L15T/zj0DCQgKgXGMVm65Z0lNFLbcj5jAh0kLLVstS851yytgaRVCRG6b9pUsou/NW9THjdB4Q3j3+ViSa+yA=,iv:HByqjeQ2YP8vucW5spSGAGpeTWCW8rVU8KohEZCJcR0=,tag:kBBM3VhRZPv+KbBDi2HWgw==,type:str]
+ lastmodified: "2025-08-01T19:06:34Z"
+ mac: ENC[AES256_GCM,data:gSChxNZosx/pFT61RzHoxJZJGlWyFOFgoItL8uArKIb4rEpKKe+2zHCY59ufIEwaXV1XBHleBqRXc+NvSYFNpwe+5y0GXx6XyU8uezxxC9AwFcr1JZK6+747tY+LNbTBxSURPOAxuGAT63Ivjq+jyTTv2FsfhzdUanF39k2m3xw=,iv:mCNpOh1tTn4PA2+a6l0uijnrorUnyGJbzwQ8Y43Ldhk=,tag:frVneXTzLYljrFrO68Jmog==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2
diff --git a/utils/modules/ldap-auth.nix b/utils/modules/ldap-auth.nix
index 7a5aba1..3d35b34 100644
--- a/utils/modules/ldap-auth.nix
+++ b/utils/modules/ldap-auth.nix
@@ -1,8 +1,8 @@
-{ lib, config, pkgs, ... }:
+{ config, pkgs, ... }:
 let
 ldapAuthorizedKeys = pkgs.writeShellScript "ldap-authorized-keys" ''
- exec ${pkgs.openldap}/bin/ldapsearch -LLL -x -H ldap://ldap.cloonar.com \
+ exec ${pkgs.openldap}/bin/ldapsearch -LLL -ZZ -o ldif-wrap=no -x -H ldap://ldap.cloonar.com \
 -D "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com" \
 -y ${config.sops.secrets.linuxbind-password.path} \
 -b "ou=users,dc=cloonar,dc=com" \
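Review bot: `-ZZ` on the ldapsearch line makes StartTLS mandatory for the authorized-keys lookup and aborts the query when the handshake or certificate verification fails, which is the right fail-closed choice, but it means the CA for ldap.cloonar.com must be trusted by libldap in the environment sshd runs this command in (no login shell, so nothing like SSL_CERT_FILE is inherited), otherwise every LDAP user's key lookup returns nothing and logins fail with only an sshd log line to go on. Worth verifying once by running the script as the configured `AuthorizedKeysCommandUser` and recording the requirement in the script, e.g. `# -ZZ: refuse to query without a verified StartTLS session; the server CA must be trusted by libldap (TLS_CACERT in ldap.conf)`. `-o ldif-wrap=no` is needed so long keys are not folded before sshd reads them; a short comment saying so would help the next reader. The ldapsearch invocation continues past the end of this hunk.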
@@ -11,47 +11,54 @@ let
 '';
 in {
- environment.systemPackages = with pkgs; [ openldap ];
-
- users.ldap = {
+ services.sssd = {
 enable = true;
- daemon.enable = true;
- base = "ou=users,dc=cloonar,dc=com";
- server = "ldap://ldap.cloonar.com/";
- useTLS = true;
- bind = {
- policy = "soft";
- distinguishedName = "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com";
- passwordFile = config.sops.secrets.linuxbind-password.path;
- };
- loginPam = true;
- extraConfig = ''
- ldap_version 3
- # pam_password ssha
- pam_filter objectClass=posixAccount
- pam_login_attribute uid
- pam_member_attribute gidNumber
+ config = ''
+ [sssd]
+ config_file_version = 2
+ services = nss, pam
+ domains = cloonar.com
+
+ [domain/cloonar.com]
+ default_shell = /run/current-system/sw/bin/bash
+ cache_credentials = true
+ enumerate = true
+
+ id_provider = ldap
+ auth_provider = ldap
+
+ ldap_uri = ldap://ldap.cloonar.com
+ ldap_search_base = dc=cloonar,dc=com
+ ldap_user_search_base = ou=users,dc=cloonar,dc=com
+ ldap_group_search_base = cn=linux,ou=groups,dc=cloonar,dc=com
+ ldap_id_use_start_tls = true
+ chpass_provider = ldap
+ entry_cache_timeout = 604800
+ ldap_network_timeout = 2
+
+ ldap_default_bind_dn = cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com
+ ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
+
+ ldap_schema = rfc2307
+ ldap_group_member = memberUid
 '';
+ environmentFile = config.sops.secrets.sssd-environment.path;
 };
 
 security.pam.services.login.makeHomeDir = true;
 security.pam.services.systemd-user.makeHomeDir = true;
 
- systemd.services.nslcd = {
- after = [ "Network-Manager.service" ];
- };
-
 # evil, horrifying hack for dysfunctional nss_override_attribute_value
 systemd.tmpfiles.rules = [
 "L /bin/bash - - - - /run/current-system/sw/bin/bash"
 ];
 
 services.openssh = {
 settings = {
- AuthorizedKeysCommand = ldapAuthorizedKeys;
+ AuthorizedKeysCommand = toString ldapAuthorizedKeys;
 AuthorizedKeysCommandUser = "nslcd"; # default is “nobody”
 PubkeyAuthentication = "yes";
 };
 };
 
- sops.secrets.linuxbind-password.owner = "nslcd";
+ sops.secrets.sssd-environment = {};
+ sops.secrets.linuxbind-password = {};
 }
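Review bot: `AuthorizedKeysCommandUser = "nslcd"` is kept while the nslcd daemon (`users.ldap.daemon.enable`) is removed and `sops.secrets.linuxbind-password = {};` drops the previous `owner = "nslcd"`, so the secret now falls back to sops-nix's root-owned, mode 0400 default while sshd runs `ldapAuthorizedKeys` as a user that presumably no longer exists and that in any case cannot read the `-y` password file referenced in the first hunk of this file — key-based logins for LDAP users will fail. Give the command a dedicated unprivileged user that owns the secret, e.g. `users.users.ldap-keys = { isSystemUser = true; group = "ldap-keys"; }; users.groups.ldap-keys = {};`, `sops.secrets.linuxbind-password.owner = "ldap-keys";` and `AuthorizedKeysCommandUser = "ldap-keys";` (name constructed here), and drop the stale `# default is “nobody”` remark. `ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK` also relies on the NixOS module substituting `environmentFile` into the rendered sssd.conf, so the variable name must match the one defined inside the encrypted `sssd-environment` secret, which cannot be checked from the diff; a mismatch would likely leave the bind token empty or literal, and a comment naming the expected variable next to `environmentFile` would make that contract visible. The `# evil, horrifying hack` tmpfiles symlink refers to an nslcd-era workaround and may be redundant now that sssd sets `default_shell`; worth confirming and removing if so.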