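{ lib, config, pkgs, ... }:

let
  # AuthorizedKeysCommand for sshd: looks up the sshPublicKey attribute(s) of
  # the user whose login name sshd passes as $1 and prints them, one per line.
  #
  # Runs as AuthorizedKeysCommandUser (nslcd below), which is why that user
  # must be able to read the bind-password secret file.
  ldapAuthorizedKeys =
    pkgs.writeShellScript "ldap-authorized-keys" ''
      # Surface ldapsearch failures (TLS, bind, network) as a non-zero exit so
      # sshd logs them instead of silently treating them as "no keys".
      set -o pipefail

      # $1 is the unauthenticated login name supplied by the SSH client. Only
      # accept a plain POSIX-style user name so it cannot alter the LDAP
      # filter below (LDAP filter metacharacters such as '*', '(', ')', '\'
      # are rejected rather than escaped).
      case "$1" in
        "" | *[!a-zA-Z0-9._-]*) exit 1 ;;
      esac

      # -ZZ: require StartTLS, matching users.ldap.useTLS below, so the simple
      #      bind password is never sent in clear over ldap://.
      #      NOTE(review): certificate verification follows the system
      #      ldap.conf (TLS_CACERT / TLS_REQCERT) — confirm it is enforced.
      # -o ldif-wrap=no: ldapsearch folds LDIF lines at 76 columns by default,
      #      which would truncate RSA/ECDSA keys to their first fragment.
      ${pkgs.openldap}/bin/ldapsearch -LLL -x -ZZ \
        -o ldif-wrap=no \
        -H ldap://ldap.cloonar.com \
        -D "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com" \
        -y ${config.sops.secrets.linuxbind-password.path} \
        -b "ou=users,dc=cloonar,dc=com" \
        "(uid=$1)" sshPublicKey \
        | sed -n 's/^sshPublicKey: //p'
    '';
in
{
  environment.systemPackages = with pkgs; [ openldap ];

  # NSS/PAM user and group resolution via nslcd against the same directory
  # the key lookup above uses.
  users.ldap = {
    enable = true;
    daemon.enable = true;
    base = "ou=users,dc=cloonar,dc=com";
    server = "ldap://ldap.cloonar.com/";
    useTLS = true;
    bind = {
      policy = "soft";
      distinguishedName = "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com";
      passwordFile = config.sops.secrets.linuxbind-password.path;
    };
    loginPam = true;
    extraConfig = ''
      ldap_version 3
      # pam_password ssha
      pam_filter objectClass=posixAccount
      pam_login_attribute uid
      pam_member_attribute gidNumber
    '';
  };

  security.pam.services.login.makeHomeDir = true;
  security.pam.services.systemd-user.makeHomeDir = true;

  systemd.services.nslcd = {
    # NOTE(review): NetworkManager's unit is usually named
    # "NetworkManager.service"; if this name does not match an existing unit
    # the ordering has no effect — confirm against `systemctl list-units`.
    after = [ "Network-Manager.service" ];
  };

  # evil, horrifying hack for dysfunctional nss_override_attribute_value
  systemd.tmpfiles.rules = [
    "L /bin/bash - - - - /run/current-system/sw/bin/bash"
  ];

  services.openssh = {
    settings = {
      AuthorizedKeysCommand = ldapAuthorizedKeys;
      # default is "nobody", which cannot read the bind-password secret
      AuthorizedKeysCommandUser = "nslcd";
      PubkeyAuthentication = "yes";
    };
  };

  # The key-lookup script runs as nslcd and reads this file with `-y`.
  sops.secrets.linuxbind-password.owner = "nslcd";
}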