cluster/services/idm: enable unixd

This commit is contained in:
Max Headroom 2023-06-11 02:00:46 +02:00
parent 1bca1b4585
commit 3f7667aa2a
13 changed files with 1536 additions and 6 deletions



@ -1,15 +1,49 @@
{ cluster, pkgs, ... }: { cluster, config, pkgs, utils, ... }:
let let
frontendLink = cluster.config.links.idm; frontendLink = cluster.config.links.idm;
in in
{ {
disabledModules = [
"security/pam.nix"
];
imports = [
./backports/pam.nix
];
age.secrets.idmServiceAccountCredentials.file = ./secrets/service-account-${config.networking.hostName}.age;
systemd.services.kanidm-unixd.serviceConfig = {
EnvironmentFile = config.age.secrets.idmServiceAccountCredentials.path;
};
services.kanidm = { services.kanidm = {
enableClient = true; enableClient = true;
clientSettings = { clientSettings = {
uri = frontendLink.url; uri = frontendLink.url;
}; };
enablePam = true;
unixSettings = {
default_shell = utils.toShellPath config.users.defaultUserShell;
home_alias = "name";
uid_attr_map = "name";
gid_attr_map = "name";
};
};
environment.etc."ssh/authorized_keys_command_kanidm" = {
mode = "0755";
text = ''
#!/bin/sh
exec ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys "$@"
'';
};
services.openssh = {
authorizedKeysCommand = "/etc/ssh/authorized_keys_command_kanidm";
authorizedKeysCommandUser = "nobody";
}; };
environment.systemPackages = let environment.systemPackages = let
@ -23,4 +57,7 @@ in
EOF EOF
''; '';
in [ idmAlias ]; in [ idmAlias ];
# i32 bug https://github.com/nix-community/nsncd/issues/6
services.nscd.enableNsncd = false;
} }
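Review bot: `authorizedKeysCommandUser = "nobody"` on L51 runs the key lookup under an identity that other unrelated processes on the host may also use, whereas sshd's own guidance for AuthorizedKeysCommand is a dedicated account that exists for nothing else; a small fix is `users.users.kanidm-authkeys = { isSystemUser = true; group = "nogroup"; };` and `authorizedKeysCommandUser = "kanidm-authkeys";`. The wrapper at L42–L48 is root-owned and 0755 via environment.etc, which satisfies sshd's ownership check, but a one-line comment saying so would stop a later edit from loosening it. The `EnvironmentFile` on L26–L28 hands the service-account credential to kanidm-unixd through its process environment; the age secret defaults to root-only 0400 and is read by the service manager before privilege drop, so that is fine as long as the unit's `User`/hardening from the upstream module is not overridden elsewhere — worth a comment such as `# credentials are read by systemd as root; do not relax the secret's mode`. The nsncd workaround on L58–L59 is referenced only by issue URL; consider stating in the comment that this re-enables glibc nscd so reviewers know the caching behaviour changed.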


@ -14,7 +14,10 @@
}; };
nixos = { nixos = {
server = ./server.nix; server = ./server.nix;
client = ./client.nix; client = [
./client.nix
./policies/infra-admins.nix
];
}; };
}; };
} }


@ -0,0 +1,17 @@
{ lib, ... }:
{
services.kanidm.unixSettings = {
pam_allowed_login_groups = [
"infra_admins"
];
};
security.sudo.extraRules = lib.singleton {
groups = [ "infra_admins" ];
commands = lib.singleton {
command = "ALL";
options = [ "SETENV" ];
};
};
}
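Review bot: The `SETENV` option on an `ALL` rule (L86–L92) lets members of infra_admins use `sudo -E` and, per sudoers(5), exempts variables given on the command line from env_check/env_delete; since the rule already grants unrestricted root this is not an escalation, but it is an easy way to slip an unexpected environment into privileged commands and should be deliberate. If it is intentional, record why with a comment such as `# SETENV: admins may preserve their environment (sudo -E); rule is already unrestricted root` — otherwise drop `options = [ "SETENV" ];`. The rule requires a password (no NOPASSWD), so sudo prompts go through the kanidm PAM stack; and group matching here presumably relies on `infra_admins` being resolvable as a POSIX group through unixd, which this file does not show — confirm the group is posix-enabled in kanidm or the rule silently matches nobody.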



@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A 9Os91rQ4j/7/AyLMi2bngHI6aEln1Ij1rJh63xPjeQA
cpmJRRIL+j9wHYbNSLzbXmpnZAc40+Og1vcWGyJMUkM
-> ssh-ed25519 5/zT0w vajc7L8iJoodwX4oIgYyY/TAd0TWUNL2wl6wMyeNLi4
QMe/bKmjUypzQHDdxoTkA/HDZypF+hByf99bahE73EU
-> ssh-ed25519 FfIUuQ 7pwwH1jSFSNayCLUk8lir1UKOyunozrXHDA4vYqLQjo
LsMeAhUGlZCNipaECYWE2oHPku8otsAFHV9GWIrtOg0
-> s*r|b-grease Yu M>1\\ M!frVhk%
jub17NjQWtGOyIFnF5na4ize1ifOjv6Nv6aqAa+ZJQHREUjPr2D7Rd2Fi6oyIRFo
xWV0WDab7iWL
--- n432BjqdbuNkeP9eW0TDEUyho88/RRdZ9TUKcWlVsok
§â™n<EFBFBD>Ø €1;U9ì(•koT™®·Ã«·–{}¤nÉêãgüÞnãíÝ€B½LZj¯°¦zM'“T«ôÞZñÎëAø͸=Ô¾?T(<28>°Ìøæ ¶;<3B>êá“Òظ Ø´¦ÝÆ8¿<IÕE8BÊØ N6žº$t®


@ -9,7 +9,6 @@
depot.inputs.agenix.nixosModules.age depot.inputs.agenix.nixosModules.age
depot.nixosModules.hyprspace depot.nixosModules.hyprspace
depot.nixosModules.sss
depot.nixosModules.serverBase depot.nixosModules.serverBase
]; ];


@ -10,7 +10,6 @@
depot.nixosModules.hyprspace depot.nixosModules.hyprspace
depot.nixosModules.nix-builder depot.nixosModules.nix-builder
depot.nixosModules.sss
depot.nixosModules.serverBase depot.nixosModules.serverBase
]; ];


@ -9,7 +9,6 @@
depot.inputs.agenix.nixosModules.age depot.inputs.agenix.nixosModules.age
depot.nixosModules.hyprspace depot.nixosModules.hyprspace
depot.nixosModules.sss
depot.nixosModules.serverBase depot.nixosModules.serverBase
]; ];


@ -60,7 +60,6 @@ in
backboneBase = group [ backboneBase = group [
serverBase serverBase
sss
]; ];
}; };
} }


@ -20,6 +20,10 @@ in with hosts;
"cluster/services/hercules-ci-multi-agent/secrets/hci-token-nixpak-prophet.age".publicKeys = max ++ map systemKeys [ prophet ]; "cluster/services/hercules-ci-multi-agent/secrets/hci-token-nixpak-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
"cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-prophet.age".publicKeys = max ++ map systemKeys [ prophet ]; "cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
"cluster/services/idm/secrets/service-account-checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
"cluster/services/idm/secrets/service-account-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
"cluster/services/idm/secrets/service-account-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/idm/secrets/service-account-thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];
"cluster/services/ipfs/cluster-secret.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ]; "cluster/services/ipfs/cluster-secret.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
"cluster/services/ipfs/cluster-pinsvc-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ]; "cluster/services/ipfs/cluster-pinsvc-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
"cluster/services/irc/irc-peer-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ]; "cluster/services/irc/irc-peer-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
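Review bot: The four new entries on L156–L159 encrypt each service-account secret only to `max` plus the one host that consumes it, which is the right shape for per-host credentials. What this file cannot show is whether the four files hold distinct kanidm service accounts or the same one copied four times; if it is the latter, revoking a compromised host's credential revokes all of them, so it is worth confirming and stating it next to the entries, e.g. `# one kanidm service account per host so a single host can be revoked`.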