NixOS deployment for LinuxLab
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
|
|
{ pkgs, lib, config, ... }:
with lib;
let baseDN = concatMapStringsSep "," (part: "dc=${part}") (splitString "." "informatik.hs-fulda.de");
in { security.pam.services = { sshd = { makeHomeDir = true; sssdStrictAccess = true; unixAuth = lib.mkForce true; }; login = { makeHomeDir = true; sssdStrictAccess = true; unixAuth = lib.mkForce true; }; lightdm = { makeHomeDir = true; sssdStrictAccess = true; unixAuth = lib.mkForce true; }; systemd-user = { makeHomeDir = true; sssdStrictAccess = true; unixAuth = lib.mkForce true; }; };
services.sssd = { enable = true; config = ''
[sssd] config_file_version = 2 services = nss, pam, ssh, ifp domains = hsfd
debug_level = 8
[nss] override_homedir = /home/%u override_shell = /run/current-system/sw/bin/bash
filter_users = root filter_groups = root
reconnection_retries = 3 [pam] [domain/hsfd] id_provider = ldap access_provider = ldap auth_provider = ldap
cache_credentials = true
# TODO: ldap_uri = ldaps://ldap${config.networking.domain}/ ldap_uri = ldaps://ldap-linuxlab.informatik.hs-fulda.de/ ldap_search_base = ou=users,${baseDN}
ldap_tls_reqcert = demand ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=login,dc=informatik,dc=hs-fulda,dc=de ldap_default_authtok_type = password ldap_default_authtok = TXyk&6G?Ta/B[DZ2^g'KmpUw
ldap_access_order = filter ldap_access_filter = (objectClass=*)
ldap_user_object_class = posixAccount ldap_user_name = cn
ldap_search_timeout = 10 ldap_network_timeout = 10
ldap_deref_threshold = 0
ignore_group_members = true subdomain_inherit = ignore_group_members
entry_negative_timeout = 3
override_gid = ${toString config.users.groups."users".gid}
cache_credentials = true
min_id = 1000 enumerate = false '';
};
users.users."root".packages = with pkgs; [ sss-cli ];
#sops.secrets."ldap/login/password" = { # owner = "nslcd"; # sopsFile = ./secrets.yaml; #}; }
|