# NixOS module: enrol this host as a client of the cluster's Kanidm IdM.
# It wires up the unixd PAM/NSS client, SSH public-key lookup through
# kanidm, sudo authentication via pam_rssh, and an `idm` alias for the
# kanidm CLI.
{ cluster, config, lib, pkgs, utils, ... }:

let
  idmService = cluster.config.services.idm;
  # Only the URL of the IdM frontend link is consumed here.
  idmUrl = cluster.config.links.idm.url;
  kanidmPkg = config.services.kanidm.package;
  # Wrapper script shared by sshd and pam_rssh for fetching public keys.
  authorizedKeysScript = "/etc/ssh/authorized_keys_command_kanidm";
  # NOTE(review): sshd's AuthorizedKeysCommandUser documentation recommends a
  # dedicated user with no other role on the host; `nobody` is shared with
  # other unprivileged processes. Consider a dedicated system user.
  authorizedKeysUser = "nobody";
in
{
  # The unixd daemon authenticates to the server with a service account whose
  # credentials are delivered out of band as an environment file.
  systemd.services.kanidm-unixd.serviceConfig.EnvironmentFile =
    idmService.secrets.serviceAccountCredentials.path;

  services.kanidm = {
    enableClient = true;
    clientSettings.uri = idmUrl;

    enablePam = true;
    unixSettings = {
      default_shell = utils.toShellPath config.users.defaultUserShell;
      # Home directories, UIDs and GIDs are all derived from the account name.
      home_alias = "name";
      uid_attr_map = "name";
      gid_attr_map = "name";
    };
  };

  # World-readable and executable: sshd runs it as the unprivileged
  # AuthorizedKeysCommandUser configured below.
  environment.etc."ssh/authorized_keys_command_kanidm" = {
    mode = "0755";
    text = ''
      #!/bin/sh
      exec ${kanidmPkg}/bin/kanidm_ssh_authorizedkeys "$@"
    '';
  };

  services.openssh = {
    authorizedKeysCommand = authorizedKeysScript;
    authorizedKeysCommandUser = authorizedKeysUser;
  };

  # sudo authentication through pam_rssh: the user's ssh agent must prove
  # possession of one of the keys published in the IdM. The rule is forced on
  # and ordered ahead of the regular unix (password) rule.
  security.pam.services.sudo = { config, ... }: {
    rules.auth.rssh = {
      enable = lib.mkForce true;
      order = config.rules.auth.unix.order - 10;
      settings = {
        authorized_keys_command = authorizedKeysScript;
        authorized_keys_command_user = authorizedKeysUser;
      };
    };
  };
  # Keep the agent socket in sudo's environment; presumably needed so
  # pam_rssh can reach the invoking user's ssh agent.
  security.sudo.extraConfig = ''
    Defaults env_keep+=SSH_AUTH_SOCK
  '';

  # `idm` is a symlink alias of the kanidm CLI that reuses its bash completion.
  environment.systemPackages = [
    (pkgs.runCommand "kanidm-idm-alias" { } ''
      mkdir -p $out/bin
      ln -s ${kanidmPkg}/bin/kanidm $out/bin/idm
      mkdir -p $out/share/bash-completion/completions
      cat >$out/share/bash-completion/completions/idm.bash <<EOF
      source ${kanidmPkg}/share/bash-completion/completions/kanidm.bash
      complete -F _kanidm -o bashdefault -o default idm
      EOF
    '')
  ];

  # nsncd is disabled because of an i32 bug, see
  # https://github.com/nix-community/nsncd/issues/6
  services.nscd.enableNsncd = false;
}