NixOS deployment for LinuxLab

  1. { pkgs, lib, config, ... }:
  2. with lib;
  3. let
  4. baseDN = concatMapStringsSep ","
  5. (part: "dc=${part}")
  6. (splitString "." "informatik.hs-fulda.de");
  7. in
  8. {
  9. security.pam.services = {
  10. sshd = {
  11. makeHomeDir = true;
  12. sssdStrictAccess = true;
  13. unixAuth = lib.mkForce true;
  14. };
  15. login = {
  16. makeHomeDir = true;
  17. sssdStrictAccess = true;
  18. unixAuth = lib.mkForce true;
  19. };
  20. lightdm = {
  21. makeHomeDir = true;
  22. sssdStrictAccess = true;
  23. unixAuth = lib.mkForce true;
  24. };
  25. systemd-user = {
  26. makeHomeDir = true;
  27. sssdStrictAccess = true;
  28. unixAuth = lib.mkForce true;
  29. };
  30. };
  31. services.sssd = {
  32. enable = true;
  33. config = ''
  34. [sssd]
  35. config_file_version = 2
  36. services = nss, pam, ssh, ifp
  37. domains = hsfd
  38. debug_level = 8
  39. [nss]
  40. override_homedir = /home/%u
  41. override_shell = /run/current-system/sw/bin/bash
  42. filter_users = root
  43. filter_groups = root
  44. reconnection_retries = 3
  45. [pam]
  46. [domain/hsfd]
  47. id_provider = ldap
  48. access_provider = ldap
  49. auth_provider = ldap
  50. # TODO: ldap_uri = ldaps://ldap${config.networking.domain}/
  51. ldap_uri = ldaps://ldap-linuxlab.informatik.hs-fulda.de/
  52. ldap_search_base = ou=users,${baseDN}
  53. ldap_tls_reqcert = demand
  54. ldap_id_use_start_tls = true
  55. ldap_default_bind_dn = cn=login,dc=informatik,dc=hs-fulda,dc=de
  56. ldap_default_authtok_type = password
  57. ldap_default_authtok = TXyk&6G?Ta/B[DZ2^g'KmpUw
  58. ldap_access_order = filter
  59. ldap_access_filter = (objectClass=*)
  60. ldap_user_object_class = posixAccount
  61. ldap_user_name = cn
  62. override_gid = ${toString config.users.groups."users".gid}
  63. cache_credentials = true
  64. min_id = 1000
  65. enumerate = false
  66. '';
  67. };
  68. users.users."root".packages = with pkgs; [
  69. sss-cli
  70. ];
  71. #sops.secrets."ldap/login/password" = {
  72. # owner = "nslcd";
  73. # sopsFile = ./secrets.yaml;
  74. #};
  75. }