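{ cluster, config, lib, pkgs, utils, ... }:

let
  # Cluster-level link descriptor for the IDM frontend; only `.url` is read here.
  frontendLink = cluster.config.links.idm;

  # Single source of truth for the kanidm package, so the ssh key wrapper,
  # the `idm` alias and its completions cannot drift to different store paths.
  kanidmPackage = config.services.kanidm.package;

  # Wrapper that sshd and pam_rssh execute to look up a user's SSH public keys
  # in kanidm. sshd and the sudo PAM rule must agree on both the path and the
  # unprivileged user the command runs as, so both are defined once here.
  authorizedKeysCommandFile = "ssh/authorized_keys_command_kanidm";
  authorizedKeysCommand = "/etc/${authorizedKeysCommandFile}";
  authorizedKeysCommandUser = "nobody";
in

{
  # kanidm-unixd needs service-account credentials to resolve users and groups.
  # They are injected via an EnvironmentFile from the cluster secret store so the
  # secret never lands in the world-readable nix store.
  systemd.services.kanidm-unixd.serviceConfig = {
    EnvironmentFile = cluster.config.services.idm.secrets.serviceAccountCredentials.path;
  };

  services.kanidm = {
    enableClient = true;
    clientSettings = {
      uri = frontendLink.url;
    };

    # PAM/NSS integration through kanidm-unixd.
    enablePam = true;
    unixSettings = {
      default_shell = utils.toShellPath config.users.defaultUserShell;
      # Use the plain account name (rather than the default attribute) for the
      # posix user/group names and the home directory name.
      home_alias = "name";
      uid_attr_map = "name";
      gid_attr_map = "name";
    };
  };

  # sshd only accepts an AuthorizedKeysCommand that is an absolute path, owned
  # by root and not writable by group/others; a root-owned /etc file with mode
  # 0755 satisfies that, and the indirection keeps sshd_config stable when the
  # kanidm package changes.
  environment.etc.${authorizedKeysCommandFile} = {
    mode = "0755";
    text = ''
      #!/bin/sh
      exec ${kanidmPackage}/bin/kanidm_ssh_authorizedkeys "$@"
    '';
  };

  services.openssh = {
    authorizedKeysCommand = authorizedKeysCommand;
    authorizedKeysCommandUser = authorizedKeysCommandUser;
  };

  security = {
    # Let sudo authenticate against the user's SSH agent (pam_rssh), using the
    # same key source as sshd. Note the inner `config` is the pam service
    # submodule's config, not the NixOS one; `kanidmPackage` and the
    # authorizedKeysCommand* bindings above are captured from the outer scope.
    pam.services.sudo = { config, ... }: {
      rules.auth.rssh = {
        # mkForce overrides whatever disables rssh for this service elsewhere
        # (presumably a global default) — confirm if that setting changes.
        enable = lib.mkForce true;
        # Run before pam_unix so an agent-held key is tried before a password
        # prompt. The rule's control flag is left at the module default.
        order = config.rules.auth.unix.order - 10;
        settings = {
          authorized_keys_command = authorizedKeysCommand;
          authorized_keys_command_user = authorizedKeysCommandUser;
        };
      };
    };

    # pam_rssh needs the forwarded agent socket inside the sudo session; this
    # also makes the agent reachable from the elevated shell, which is inherent
    # to the agent-based sudo flow above.
    sudo.extraConfig = ''
      Defaults env_keep+=SSH_AUTH_SOCK
    '';
  };

  # Provide `idm` as a short alias for the kanidm CLI, reusing the package's
  # bash completion under the new command name.
  environment.systemPackages = let
    idmAlias = pkgs.runCommand "kanidm-idm-alias" {} ''
      mkdir -p $out/bin
      ln -s ${kanidmPackage}/bin/kanidm $out/bin/idm
      mkdir -p $out/share/bash-completion/completions
      cat >$out/share/bash-completion/completions/idm.bash <<EOF
      source ${kanidmPackage}/share/bash-completion/completions/kanidm.bash
      complete -F _kanidm -o bashdefault -o default idm
      EOF
    '';
  in [ idmAlias ];

  # i32 bug https://github.com/nix-community/nsncd/issues/6
  # Fall back to the classic nscd so kanidm-backed uids/gids resolve correctly.
  services.nscd.enableNsncd = false;
}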