cluster/services/idm: enable unixd
This commit is contained in:
parent
1bca1b4585
commit
3f7667aa2a
13 changed files with 1536 additions and 6 deletions
1461
cluster/services/idm/backports/pam.nix
Normal file
1461
cluster/services/idm/backports/pam.nix
Normal file
File diff suppressed because it is too large
|
@ -1,15 +1,49 @@
|
||||||
{ cluster, pkgs, ... }:
|
{ cluster, config, pkgs, utils, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
frontendLink = cluster.config.links.idm;
|
frontendLink = cluster.config.links.idm;
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
|
disabledModules = [
|
||||||
|
"security/pam.nix"
|
||||||
|
];
|
||||||
|
|
||||||
|
imports = [
|
||||||
|
./backports/pam.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
age.secrets.idmServiceAccountCredentials.file = ./secrets/service-account-${config.networking.hostName}.age;
|
||||||
|
|
||||||
|
systemd.services.kanidm-unixd.serviceConfig = {
|
||||||
|
EnvironmentFile = config.age.secrets.idmServiceAccountCredentials.path;
|
||||||
|
};
|
||||||
|
|
||||||
services.kanidm = {
|
services.kanidm = {
|
||||||
enableClient = true;
|
enableClient = true;
|
||||||
clientSettings = {
|
clientSettings = {
|
||||||
uri = frontendLink.url;
|
uri = frontendLink.url;
|
||||||
};
|
};
|
||||||
|
enablePam = true;
|
||||||
|
unixSettings = {
|
||||||
|
default_shell = utils.toShellPath config.users.defaultUserShell;
|
||||||
|
home_alias = "name";
|
||||||
|
uid_attr_map = "name";
|
||||||
|
gid_attr_map = "name";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
environment.etc."ssh/authorized_keys_command_kanidm" = {
|
||||||
|
mode = "0755";
|
||||||
|
text = ''
|
||||||
|
#!/bin/sh
|
||||||
|
exec ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys "$@"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
services.openssh = {
|
||||||
|
authorizedKeysCommand = "/etc/ssh/authorized_keys_command_kanidm";
|
||||||
|
authorizedKeysCommandUser = "nobody";
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = let
|
environment.systemPackages = let
|
||||||
|
@ -23,4 +57,7 @@ in
|
||||||
EOF
|
EOF
|
||||||
'';
|
'';
|
||||||
in [ idmAlias ];
|
in [ idmAlias ];
|
||||||
|
|
||||||
|
# i32 bug https://github.com/nix-community/nsncd/issues/6
|
||||||
|
services.nscd.enableNsncd = false;
|
||||||
}
|
}
|
||||||
|
|
|
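Review bot: `authorizedKeysCommandUser = "nobody";` runs the kanidm key lookup under a shared account that other services on the host may also use; sshd_config(5) recommends a dedicated user with no other role, e.g. `users.users.kanidm-authkeys = { isSystemUser = true; group = "kanidm-authkeys"; };` with `users.groups.kanidm-authkeys = { };` and `authorizedKeysCommandUser = "kanidm-authkeys";`. The `disabledModules = [ "security/pam.nix" ]` / `imports = [ ./backports/pam.nix ]` pair swaps the whole system PAM module for a 1461-line vendored copy whose diff is suppressed on this page, with nothing saying where it came from; a comment beside the import such as `# backport of nixpkgs security/pam.nix for kanidm PAM support; drop once the pinned nixpkgs carries it` would keep the pin from outliving its reason. `uid_attr_map`/`gid_attr_map = "name"` presumably selects the short account name rather than the default spn as the unix user/group name, which is only safe while names are unique across every domain this server trusts — worth a one-line comment confirming that assumption. The `environment.systemPackages = let` binding the first hunk ends on continues outside it.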
@ -14,7 +14,10 @@
|
||||||
};
|
};
|
||||||
nixos = {
|
nixos = {
|
||||||
server = ./server.nix;
|
server = ./server.nix;
|
||||||
client = ./client.nix;
|
client = [
|
||||||
|
./client.nix
|
||||||
|
./policies/infra-admins.nix
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
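--- /dev/null
+++ b/cluster/services/idm/policies/infra-admins.nix
@@ -0,0 +1,17 @@
+{ lib, ... }:
+
+{
+  services.kanidm.unixSettings = {
+    pam_allowed_login_groups = [
+      "infra_admins"
+    ];
+  };
+
+  security.sudo.extraRules = lib.singleton {
+    groups = [ "infra_admins" ];
+    commands = lib.singleton {
+      command = "ALL";
+      options = [ "SETENV" ];
+    };
+  };
+}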
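Review bot: The `options = [ "SETENV" ]` tag on a `command = "ALL"` rule lets every member of `infra_admins` run `sudo -E` and pass variables on the command line that bypass the env_reset, env_check and env_delete filtering; it grants nothing a full-root rule does not already give, but it removes sudo's environment sanitisation for all commands, so either drop it or record why it is needed (`# SETENV: needed for <reason>`). The group name `"infra_admins"` is spelled twice with nothing tying the login allow-list in `pam_allowed_login_groups` to the sudo rule; a `let group = "infra_admins"; in` binding at the top of the module would keep the two from drifting. Since the allow-list admits only this group and the sudo rule gives it ALL, every account that can log in on a host importing this policy is effectively root; a one-line comment stating that this is intended would save the next reader from wondering whether a non-admin login group was forgotten.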
BIN
cluster/services/idm/secrets/service-account-VEGAS.age
Normal file
BIN
cluster/services/idm/secrets/service-account-VEGAS.age
Normal file
Binary file not shown.
BIN
cluster/services/idm/secrets/service-account-checkmate.age
Normal file
BIN
cluster/services/idm/secrets/service-account-checkmate.age
Normal file
Binary file not shown.
BIN
cluster/services/idm/secrets/service-account-prophet.age
Normal file
BIN
cluster/services/idm/secrets/service-account-prophet.age
Normal file
Binary file not shown.
12
cluster/services/idm/secrets/service-account-thunderskin.age
Normal file
12
cluster/services/idm/secrets/service-account-thunderskin.age
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 NO562A 9Os91rQ4j/7/AyLMi2bngHI6aEln1Ij1rJh63xPjeQA
|
||||||
|
cpmJRRIL+j9wHYbNSLzbXmpnZAc40+Og1vcWGyJMUkM
|
||||||
|
-> ssh-ed25519 5/zT0w vajc7L8iJoodwX4oIgYyY/TAd0TWUNL2wl6wMyeNLi4
|
||||||
|
QMe/bKmjUypzQHDdxoTkA/HDZypF+hByf99bahE73EU
|
||||||
|
-> ssh-ed25519 FfIUuQ 7pwwH1jSFSNayCLUk8lir1UKOyunozrXHDA4vYqLQjo
|
||||||
|
LsMeAhUGlZCNipaECYWE2oHPku8otsAFHV9GWIrtOg0
|
||||||
|
-> s*r|b-grease Yu M>1\\ M!frVhk%
|
||||||
|
jub17NjQWtGOyIFnF5na4ize1ifOjv6Nv6aqAa+ZJQHREUjPr2D7Rd2Fi6oyIRFo
|
||||||
|
xWV0WDab7iWL
|
||||||
|
--- n432BjqdbuNkeP9eW0TDEUyho88/RRdZ9TUKcWlVsok
|
||||||
|
§â™n<EFBFBD>Ø
€1;U9ì(•koT™®·Ã«·–{}¤nÉêãgüÞnãíÝ€›B½LZj¯°¦zM'“T«ôÞZñÎëAø͸=Ô¾?T(<28>°Ìøæ ¶;<3B>êá“Òظ“ Ø´¦ÝÆ8¿<IÕE8BÊØN6žº$t®›
|
|
@ -9,7 +9,6 @@
|
||||||
depot.inputs.agenix.nixosModules.age
|
depot.inputs.agenix.nixosModules.age
|
||||||
|
|
||||||
depot.nixosModules.hyprspace
|
depot.nixosModules.hyprspace
|
||||||
depot.nixosModules.sss
|
|
||||||
depot.nixosModules.serverBase
|
depot.nixosModules.serverBase
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
|
@ -10,7 +10,6 @@
|
||||||
|
|
||||||
depot.nixosModules.hyprspace
|
depot.nixosModules.hyprspace
|
||||||
depot.nixosModules.nix-builder
|
depot.nixosModules.nix-builder
|
||||||
depot.nixosModules.sss
|
|
||||||
|
|
||||||
depot.nixosModules.serverBase
|
depot.nixosModules.serverBase
|
||||||
];
|
];
|
||||||
|
|
|
@ -9,7 +9,6 @@
|
||||||
depot.inputs.agenix.nixosModules.age
|
depot.inputs.agenix.nixosModules.age
|
||||||
|
|
||||||
depot.nixosModules.hyprspace
|
depot.nixosModules.hyprspace
|
||||||
depot.nixosModules.sss
|
|
||||||
depot.nixosModules.serverBase
|
depot.nixosModules.serverBase
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
|
@ -60,7 +60,6 @@ in
|
||||||
|
|
||||||
backboneBase = group [
|
backboneBase = group [
|
||||||
serverBase
|
serverBase
|
||||||
sss
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,6 +20,10 @@ in with hosts;
|
||||||
"cluster/services/hercules-ci-multi-agent/secrets/hci-token-nixpak-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
|
"cluster/services/hercules-ci-multi-agent/secrets/hci-token-nixpak-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
|
||||||
"cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
|
"cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
|
||||||
|
"cluster/services/idm/secrets/service-account-checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
|
||||||
|
"cluster/services/idm/secrets/service-account-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
|
||||||
|
"cluster/services/idm/secrets/service-account-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
|
"cluster/services/idm/secrets/service-account-thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];
|
||||||
"cluster/services/ipfs/cluster-secret.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
"cluster/services/ipfs/cluster-secret.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
||||||
"cluster/services/ipfs/cluster-pinsvc-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
"cluster/services/ipfs/cluster-pinsvc-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
||||||
"cluster/services/irc/irc-peer-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
"cluster/services/irc/irc-peer-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
||||||
|
|