cluster/services/idm: enable unixd

2023-06-11 02:00:46 +02:00 · 2023-06-11 02:00:46 +02:00 · 3f7667aa2a
commit 3f7667aa2a
parent 1bca1b4585
13 changed files with 1536 additions and 6 deletions
--- a/cluster/services/idm/backports/pam.nix
+++ b/cluster/services/idm/backports/pam.nix
--- a/cluster/services/idm/client.nix
+++ b/cluster/services/idm/client.nix
@ -1,15 +1,49 @@
-{ cluster, pkgs, ... }:
+{ cluster, config, pkgs, utils, ... }:

 let
  frontendLink = cluster.config.links.idm;
 in

 {
+  disabledModules = [
+    "security/pam.nix"
+  ];
+
+  imports = [
+    ./backports/pam.nix
+  ];
+
+  age.secrets.idmServiceAccountCredentials.file = ./secrets/service-account-${config.networking.hostName}.age;
+
+  systemd.services.kanidm-unixd.serviceConfig = {
+    EnvironmentFile = config.age.secrets.idmServiceAccountCredentials.path;
+  };
+
  services.kanidm = {
    enableClient = true;
    clientSettings = {
      uri = frontendLink.url;
    };
+    enablePam = true;
+    unixSettings = {
+      default_shell = utils.toShellPath config.users.defaultUserShell;
+      home_alias = "name";
+      uid_attr_map = "name";
+      gid_attr_map = "name";
+    };
+  };
+
+  environment.etc."ssh/authorized_keys_command_kanidm" = {
+    mode = "0755";
+    text = ''
+      #!/bin/sh
+      exec ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys "$@"
+    '';
+  };
+
+  services.openssh = {
+    authorizedKeysCommand = "/etc/ssh/authorized_keys_command_kanidm";
+    authorizedKeysCommandUser = "nobody";
  };

  environment.systemPackages = let
@ -23,4 +57,7 @@ in
      EOF
    '';
  in [ idmAlias ];
+
+  # i32 bug https://github.com/nix-community/nsncd/issues/6
+  services.nscd.enableNsncd = false;
 }
--- a/cluster/services/idm/default.nix
+++ b/cluster/services/idm/default.nix
@ -14,7 +14,10 @@
    };
    nixos = {
      server = ./server.nix;
-      client = ./client.nix;
+      client = [
+        ./client.nix
+        ./policies/infra-admins.nix
+      ];
    };
  };
 }
--- a/cluster/services/idm/policies/infra-admins.nix
+++ b/cluster/services/idm/policies/infra-admins.nix
@ -0,0 +1,17 @@
+{ lib, ... }:
+
+{
+  services.kanidm.unixSettings = {
+    pam_allowed_login_groups = [
+      "infra_admins"
+    ];
+  };
+
+  security.sudo.extraRules = lib.singleton {
+    groups = [ "infra_admins" ];
+    commands = lib.singleton {
+      command = "ALL";
+      options = [ "SETENV" ];
+    };
+  };
+}
--- a/cluster/services/idm/secrets/service-account-VEGAS.age
+++ b/cluster/services/idm/secrets/service-account-VEGAS.age
--- a/cluster/services/idm/secrets/service-account-checkmate.age
+++ b/cluster/services/idm/secrets/service-account-checkmate.age
--- a/cluster/services/idm/secrets/service-account-prophet.age
+++ b/cluster/services/idm/secrets/service-account-prophet.age
--- a/cluster/services/idm/secrets/service-account-thunderskin.age
+++ b/cluster/services/idm/secrets/service-account-thunderskin.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A 9Os91rQ4j/7/AyLMi2bngHI6aEln1Ij1rJh63xPjeQA
+cpmJRRIL+j9wHYbNSLzbXmpnZAc40+Og1vcWGyJMUkM
+-> ssh-ed25519 5/zT0w vajc7L8iJoodwX4oIgYyY/TAd0TWUNL2wl6wMyeNLi4
+QMe/bKmjUypzQHDdxoTkA/HDZypF+hByf99bahE73EU
+-> ssh-ed25519 FfIUuQ 7pwwH1jSFSNayCLUk8lir1UKOyunozrXHDA4vYqLQjo
+LsMeAhUGlZCNipaECYWE2oHPku8otsAFHV9GWIrtOg0
+-> s*r|b-grease Yu M>1\\ M!frVhk%
+jub17NjQWtGOyIFnF5na4ize1ifOjv6Nv6aqAa+ZJQHREUjPr2D7Rd2Fi6oyIRFo
+xWV0WDab7iWL
+--- n432BjqdbuNkeP9eW0TDEUyho88/RRdZ9TUKcWlVsok
+§â™n<EFBFBD>Ø
€1;U9ì(•koT™®·Ã«·–{}¤nÉêãgüÞnãíÝ€›B½LZj¯°¦zM'“T«ôÞZñÎëAøÍ¸=Ô¾?T(<28>°Ìøæ ¶;<3B>êá“ÒØ¸“ Ø´¦ÝÆ8¿<IÕE8BÊØN6žº$t®›
--- a/hosts/checkmate/system.nix
+++ b/hosts/checkmate/system.nix
@ -9,7 +9,6 @@
      depot.inputs.agenix.nixosModules.age

      depot.nixosModules.hyprspace
-      depot.nixosModules.sss
      depot.nixosModules.serverBase
    ];

--- a/hosts/prophet/system.nix
+++ b/hosts/prophet/system.nix
@ -10,7 +10,6 @@

      depot.nixosModules.hyprspace
      depot.nixosModules.nix-builder
-      depot.nixosModules.sss

      depot.nixosModules.serverBase
    ];
--- a/hosts/thunderskin/system.nix
+++ b/hosts/thunderskin/system.nix
@ -9,7 +9,6 @@
      depot.inputs.agenix.nixosModules.age

      depot.nixosModules.hyprspace
-      depot.nixosModules.sss
      depot.nixosModules.serverBase
    ];

--- a/modules/part.nix
+++ b/modules/part.nix
@ -60,7 +60,6 @@ in

    backboneBase = group [
      serverBase
-      sss
    ];
  };
 }
--- a/secrets.nix
+++ b/secrets.nix
@ -20,6 +20,10 @@ in with hosts;
  "cluster/services/hercules-ci-multi-agent/secrets/hci-token-nixpak-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
  "cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "cluster/services/hercules-ci-multi-agent/secrets/hci-token-private-void-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
+  "cluster/services/idm/secrets/service-account-checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
+  "cluster/services/idm/secrets/service-account-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
+  "cluster/services/idm/secrets/service-account-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "cluster/services/idm/secrets/service-account-thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];
  "cluster/services/ipfs/cluster-secret.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
  "cluster/services/ipfs/cluster-pinsvc-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
  "cluster/services/irc/irc-peer-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];