cluster/services/idm: enable unixd

2023-06-11 02:00:46 +02:00 · 2023-06-11 02:00:46 +02:00 · 3f7667aa2a
commit 3f7667aa2a
parent 1bca1b4585
13 changed files with 1536 additions and 6 deletions
--- a/cluster/services/idm/backports/pam.nix
+++ b/cluster/services/idm/backports/pam.nix
--- a/cluster/services/idm/client.nix
+++ b/cluster/services/idm/client.nix
@ -1,15 +1,49 @@
-{ cluster, pkgs, ... }:
+{ cluster, config, pkgs, utils, ... }:
 let
  frontendLink = cluster.config.links.idm;
 in
 {
  disabledModules = [
    "security/pam.nix"
  ];
  imports = [
    ./backports/pam.nix
  ];
  age.secrets.idmServiceAccountCredentials.file = ./secrets/service-account-${config.networking.hostName}.age;
  systemd.services.kanidm-unixd.serviceConfig = {
    EnvironmentFile = config.age.secrets.idmServiceAccountCredentials.path;
  };
  services.kanidm = {
    enableClient = true;
    clientSettings = {
      uri = frontendLink.url;
    };
    enablePam = true;
    unixSettings = {
      default_shell = utils.toShellPath config.users.defaultUserShell;
      home_alias = "name";
      uid_attr_map = "name";
      gid_attr_map = "name";
    };
  };
  environment.etc."ssh/authorized_keys_command_kanidm" = {
    mode = "0755";
    text = ''
      #!/bin/sh
      exec ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys "$@"
    '';
  };
  services.openssh = {
    authorizedKeysCommand = "/etc/ssh/authorized_keys_command_kanidm";
    authorizedKeysCommandUser = "nobody";
  };
  environment.systemPackages = let
@ -23,4 +57,7 @@ in
      EOF
    '';
  in [ idmAlias ];
  # i32 bug https://github.com/nix-community/nsncd/issues/6
  services.nscd.enableNsncd = false;
 }
--- a/cluster/services/idm/default.nix
+++ b/cluster/services/idm/default.nix
@ -14,7 +14,10 @@
    };
    nixos = {
      server = ./server.nix;
-      client = ./client.nix;
+      client = [
        ./client.nix
        ./policies/infra-admins.nix
      ];
    };
  };
 }
--- a/cluster/services/idm/policies/infra-admins.nix
+++ b/cluster/services/idm/policies/infra-admins.nix
@ -0,0 +1,17 @@
 { lib, ... }:
 {
  services.kanidm.unixSettings = {
    pam_allowed_login_groups = [
      "infra_admins"
    ];
  };
  security.sudo.extraRules = lib.singleton {
    groups = [ "infra_admins" ];
    commands = lib.singleton {
      command = "ALL";
      options = [ "SETENV" ];
    };
  };
 }
--- a/cluster/services/idm/secrets/service-account-VEGAS.age
+++ b/cluster/services/idm/secrets/service-account-VEGAS.age
--- a/cluster/services/idm/secrets/service-account-checkmate.age
+++ b/cluster/services/idm/secrets/service-account-checkmate.age
--- a/cluster/services/idm/secrets/service-account-prophet.age
+++ b/cluster/services/idm/secrets/service-account-prophet.age
--- a/cluster/services/idm/secrets/service-account-thunderskin.age
+++ b/cluster/services/idm/secrets/service-account-thunderskin.age
@ -0,0 +1,12 @@
 age-encryption.org/v1
 -> ssh-ed25519 NO562A 9Os91rQ4j/7/AyLMi2bngHI6aEln1Ij1rJh63xPjeQA
 cpmJRRIL+j9wHYbNSLzbXmpnZAc40+Og1vcWGyJMUkM
 -> ssh-ed25519 5/zT0w vajc7L8iJoodwX4oIgYyY/TAd0TWUNL2wl6wMyeNLi4
 QMe/bKmjUypzQHDdxoTkA/HDZypF+hByf99bahE73EU
 -> ssh-ed25519 FfIUuQ 7pwwH1jSFSNayCLUk8lir1UKOyunozrXHDA4vYqLQjo
 LsMeAhUGlZCNipaECYWE2oHPku8otsAFHV9GWIrtOg0
 -> s*r|b-grease Yu M>1\\ M!frVhk%
 jub17NjQWtGOyIFnF5na4ize1ifOjv6Nv6aqAa+ZJQHREUjPr2D7Rd2Fi6oyIRFo
 xWV0WDab7iWL
 --- n432BjqdbuNkeP9eW0TDEUyho88/RRdZ9TUKcWlVsok
 §â™n<EFBFBD>Ø
€1;U9ì(•koT™®·Ã«·–{}¤nÉêãgüÞnãíÝ€›B½LZj¯°¦zM'“T«ôÞZñÎëAøÍ¸=Ô¾?T(<28>°Ìøæ ¶;<3B>êá“ÒØ¸“ Ø´¦ÝÆ8¿<IÕE8BÊØN6žº$t®›
--- a/hosts/checkmate/system.nix
+++ b/hosts/checkmate/system.nix
@ -9,7 +9,6 @@
      depot.inputs.agenix.nixosModules.age
      depot.nixosModules.hyprspace
      depot.nixosModules.sss
      depot.nixosModules.serverBase
    ];
--- a/hosts/prophet/system.nix
+++ b/hosts/prophet/system.nix
@ -10,7 +10,6 @@
      depot.nixosModules.hyprspace
      depot.nixosModules.nix-builder
      depot.nixosModules.sss
      depot.nixosModules.serverBase
    ];
--- a/hosts/thunderskin/system.nix
+++ b/hosts/thunderskin/system.nix
@ -9,7 +9,6 @@
      depot.inputs.agenix.nixosModules.age
      depot.nixosModules.hyprspace
      depot.nixosModules.sss
      depot.nixosModules.serverBase
    ];
--- a/modules/part.nix
+++ b/modules/part.nix
@ -60,7 +60,6 @@ in
    backboneBase = group [
      serverBase
      sss
    ];
  };
 }
--- a/secrets.nix
+++ b/secrets.nix
@ -20,6 +20,10 @@ in with hosts;
  "cluster/services/hercules-ci-multi-agent/secrets/hci-token-nixpak-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
  "cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
  "cluster/services/idm/secrets/service-account-checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
  "cluster/services/idm/secrets/service-account-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
  "cluster/services/idm/secrets/service-account-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "cluster/services/idm/secrets/service-account-thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];
  "cluster/services/ipfs/cluster-secret.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
  "cluster/services/ipfs/cluster-pinsvc-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
  "cluster/services/irc/irc-peer-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];