diff --git a/TODO.md b/TODO.md
index 71cb5a0..eb1425c 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,17 +1,15 @@
 # Tasks
+- Lock installer shells
+- Allow multiple users to log-in
+- Check external SSH access
+  - Exim recovery
+
+- Quota per user on homedir
+  - Configure user env on client (using envfs?)
-- Make installer work
 - Move ldap to subdomain
-- Check external SSH access
 - Remove x-tools like xterm
-- Quota per user on homedir
-- Exim recovery
 - A fancy background image?
-- Client Requirements:
-  - docker + docker-compose [name=könig]
-  - rstudio [name=james]
-  - quarto [name=james]
-  - miniconda [name=james]
 # Issuse
 - Cleartext password in sssd/ldap config
diff --git a/client/default.nix b/client/default.nix
index aa1005e..6c49669 100644
--- a/client/default.nix
+++ b/client/default.nix
@@ -23,7 +23,7 @@ in
   ];
   deployment = optionalAttrs (client != null) {
-    inherit (client) targetHost;
+    targetHost = client.ip;
     tags = [ "client" ];
   };
@@ -37,7 +37,7 @@ in
       then "client-${id}" else "client");
-    useDHCP = mkForce true;
+    #useDHCP = mkForce true;
   };
   services.hardware.bolt.enable = true;
diff --git a/client/desktop.nix b/client/desktop.nix
index 0362871..052b2ad 100644
--- a/client/desktop.nix
+++ b/client/desktop.nix
@@ -1,4 +1,6 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
+
+with lib;
 {
   services = {
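Review bot: In the second `client/default.nix` hunk, `useDHCP = mkForce true;` is commented out rather than removed, and nothing in the hunk says why, so a reader cannot tell whether DHCP is now meant to come from the module default, from per-interface settings elsewhere in this file, or whether the line is only parked. Either delete it or replace it with a comment stating the intent, e.g. `# DHCP left at the module default; the client's address is assigned by the kea reservation in clients.nix`. The attribute set enclosing this line (presumably `networking`) starts outside the hunk.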
@@ -61,8 +63,17 @@
         "org/gnome/desktop/wm/keybindings".close = [ "q" ];
-        "org/gnome/settings-daemon/plugins/power".power-button-action = "shutdown";
-        "org/gnome/settings-daemon/plugins/power".sleep-inactive-ac-type = "nothing";
+        "org/gnome/desktop/session".idle-delay = gvariant.mkUint32 180;
+        "org/gnome/desktop/screensaver".lock-delay = gvariant.mkUint32 0;
+
+        # Prevent hibernation
+        "org/gnome/settings-daemon/plugins/power".power-button-action = "nothing";
+        "org/gnome/settings-daemon/plugins/power".sleep-inactive-ac-type = "logout";
+        "org/gnome/settings-daemon/plugins/power".sleep-inactive-ac-timeout = "900";
+
+        # Allow to switch users
+        "org/gnome/desktop/lockdown".disable-user-switching = false;
+        "org/gnome/desktop/screensaver".user-switch-enabled = true;
       };
     }
   ];
diff --git a/client/hardware.nix b/client/hardware.nix
index 005a8e1..e69c337 100644
--- a/client/hardware.nix
+++ b/client/hardware.nix
@@ -1,4 +1,4 @@
-{ modulesPath, ... }:
+{ config, modulesPath, ... }:
 {
   imports = [
@@ -9,7 +9,14 @@
   boot = {
     loader = {
-      grub.enable = true;
+      grub = {
+        enable = true;
+        users = {
+          root = {
+            hashedPassword = "grub.pbkdf2.sha512.10000.BAB138AB1F53A06E0BAB70B376C16ECCC123824748A9AF6725D24C5947C69EF3CB9AF87FB9F549902BAFE42817B7C58897D9222106B7FC6ECC0C47C945D7471B.D8F6D170B10709A748084EDB1C41D9E92E1AB97D03954C57F310D68E7C07D63AFF8794EF5E263DDCDE663C4482664E70600E7043A77D03E97C7679DA51D35719";
+          };
+        };
+      };
     };
     consoleLogLevel = 3;
diff --git a/client/users.nix b/client/users.nix
index 98642a7..46134c6 100644
--- a/client/users.nix
+++ b/client/users.nix
@@ -58,6 +58,8 @@ in
       access_provider = ldap
       auth_provider = ldap
+      cache_credentials = true
+      # TODO: ldap_uri = ldaps://ldap${config.networking.domain}/
       ldap_uri = ldaps://ldap-linuxlab.informatik.hs-fulda.de/
       ldap_search_base = ou=users,${baseDN}
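Review bot: `sleep-inactive-ac-timeout = "900"` passes the timeout as a string while `idle-delay` and `lock-delay` in the same hunk are given as typed `gvariant.mkUint32` values; the dconf schema for this key expects an integer, so a string value is likely rejected and the intended 15-minute logout would never fire. Write it as a number, `"org/gnome/settings-daemon/plugins/power".sleep-inactive-ac-timeout = 900;`. The `# Prevent hibernation` comment also undersells the setting: with `sleep-inactive-ac-type = "logout"` an idle session is terminated, which discards unsaved work on a shared lab machine, so say so, e.g. `# Never suspend/hibernate; log an idle session out after 15 min instead (unsaved work is lost)`. The `settings` attribute set enclosing these keys starts outside the hunk.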
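Review bot: In the second `client/hardware.nix` hunk the GRUB superuser hash is committed inline in `hashedPassword`; a PBKDF2 hash in the repository (and, once evaluated, in the Nix store) is readable by anyone with repo or store access and can be guessed offline at leisure. NixOS offers `boot.loader.grub.users.<name>.hashedPasswordFile`, which reads the hash from a file on the target when the boot loader is installed and keeps it out of both places: `hashedPasswordFile = "/PLACEHOLDER/path/to/grub-root.hash";`. A GRUB password only restricts the menu and command line; whether the default entry still boots unattended depends on how the generated entries are marked, which the hunk does not show, so a one-line comment on the `users` block stating the intended effect would help. `config` is added to the module arguments in the first hunk but is not used in any line shown here.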
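Review bot: In the `client/users.nix` hunk `cache_credentials = true` is now set twice in the same sssd domain section: once here after `auth_provider = ldap` and again further down, visible as context after `override_gid` in the next hunk of this file. Duplicate keys in sssd.conf are at best confusing and, depending on the sssd version, rejected by its config validation, so drop one of them. The `# TODO` line for the future `ldap_uri` also looks off: `ldaps://ldap${config.networking.domain}/` concatenates `ldap` directly with the domain and needs a dot, `ldaps://ldap.${config.networking.domain}/`, unless the domain value carries a leading dot. Since credential caching lets LDAP users authenticate offline against a locally stored hash on every lab client, a short comment on why caching is wanted and how long cached entries stay valid (`offline_credentials_expiration` in the pam section, if set) would help the next reader.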
@@ -75,6 +77,16 @@ in
       ldap_user_object_class = posixAccount
       ldap_user_name = cn
+      ldap_search_timeout = 10
+      ldap_network_timeout = 10
+
+      ldap_deref_threshold = 0
+
+      ignore_group_members = true
+      subdomain_inherit = ignore_group_members
+
+      entry_negative_timeout = 3
+
       override_gid = ${toString config.users.groups."users".gid}
       cache_credentials = true
diff --git a/clients.nix b/clients.nix
index 4b90921..9bfa9b6 100644
--- a/clients.nix
+++ b/clients.nix
@@ -1,19 +1,28 @@
 {
-  "01" = {
-    mac = "";
-  };
-  "02" = {
-    mac = "";
-  };
-  "03" = {
-    mac = "";
-  };
-  "04" = {
-    mac = "";
-  };
-  "13" = {
-    targetHost = "10.33.65.113";
-    mac = "";
-  };
+  "00" = { ip = "10.33.65.100"; mac = "24:4B:FE:AD:40:AE"; };
+  "01" = { ip = "10.33.65.101"; mac = "24:4B:FE:AD:3E:8E"; };
+  "02" = { ip = "10.33.65.102"; mac = "24:4B:FE:AD:3E:8F"; };
+  "03" = { ip = "10.33.65.103"; mac = "24:4B:FE:AD:3E:90"; };
+  "04" = { ip = "10.33.65.104"; mac = "24:4B:FE:AD:3E:91"; };
+  "05" = { ip = "10.33.65.105"; mac = "24:4B:FE:AD:3E:92"; };
+  "06" = { ip = "10.33.65.106"; mac = "24:4B:FE:AD:3E:93"; };
+  "07" = { ip = "10.33.65.107"; mac = "24:4B:FE:AD:3E:94"; };
+  "08" = { ip = "10.33.65.108"; mac = "24:4B:FE:AD:3E:95"; };
+  "09" = { ip = "10.33.65.109"; mac = "24:4B:FE:AD:3E:96"; };
+  "10" = { ip = "10.33.65.110"; mac = "24:4B:FE:AD:3F:B0"; };
+  "11" = { ip = "10.33.65.111"; mac = "24:4B:FE:AD:3F:B1"; };
+  "12" = { ip = "10.33.65.112"; mac = "24:4B:FE:AD:3F:B2"; };
+  "13" = { ip = "10.33.65.113"; mac = "24:4B:FE:AD:3F:B3"; };
+  "14" = { ip = "10.33.65.114"; mac = "24:4B:FE:AD:3F:B4"; };
+  "15" = { ip = "10.33.65.115"; mac = "24:4B:FE:AD:3F:B5"; };
+  "16" = { ip = "10.33.65.116"; mac = "24:4B:FE:AD:3F:B6"; };
+  "17" = { ip = "10.33.65.117"; mac = "24:4B:FE:AD:3F:B7"; };
+  "18" = { ip = "10.33.65.118"; mac = "24:4B:FE:AD:3F:B8"; };
+  "19" = { ip = "10.33.65.119"; mac = "24:4B:FE:AD:3F:B9"; };
+  "20" = { ip = "10.33.65.120"; mac = "3C:7C:3F:41:1D:B6"; };
+  "21" = { ip = "10.33.65.121"; mac = "3C:7C:3F:41:1D:B7"; };
+  "22" = { ip = "10.33.65.122"; mac = "3C:7C:3F:41:1D:B9"; };
+  "23" = { ip = "10.33.65.123"; mac = "3C:7C:3F:41:1D:BA"; };
+  "24" = { ip = "10.33.65.124"; mac = "3C:7C:3F:41:1D:BC"; };
 }
diff --git a/machines/nfs/dhcp.nix b/machines/nfs/dhcp.nix
index 40496cd..20822f5 100644
--- a/machines/nfs/dhcp.nix
+++ b/machines/nfs/dhcp.nix
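Review bot: The file has no header saying what the records are for; after this change each entry's `ip` is used as the deployment `targetHost` in `client/default.nix` and its `mac` feeds the kea reservation in `machines/nfs/dhcp.nix`, and nothing here states that contract or the fact that the two consumers must agree. A short comment at the top would avoid the next person re-deriving it: `# One entry per lab client, keyed by its two-digit host id. ip: deployment target and DHCP-reserved address; mac: hw-address for the reservation. A MAC-based reservation is not an identity check, so do not base access decisions on these addresses.` The mixed-case MAC strings are lower-cased by the consumer, which is worth noting here too so nobody "normalises" them in a way the other side does not expect.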
@@ -1,5 +1,11 @@
-{ pkgs, config, ... }:
+{ lib, config, ... }:
+with lib;
+
+let
+  clients = import ../../clients.nix;
+
+in
 {
   services.kea.dhcp4 = {
     enable = true;
@@ -23,6 +29,7 @@
     subnet4 = [
       {
+        id = 1;
         subnet = "10.33.64.0/20";
         interface = "enp4s0f0";
@@ -53,8 +60,18 @@
             data = config.networking.domain;
           }
         ];
+
+        "reservations" = mapAttrsToList
+          (_: client: {
+            "hw-address" = strings.toLower client.mac;
+            "ip-address" = client.ip;
+          })
+          clients;
       }
+      {
+        # This net is only used during PXE boot
+        id = 2;
         subnet = "10.32.44.0/24";
         interface = "enp4s0f1";
diff --git a/machines/nfs/netinstaller.nix b/machines/nfs/netinstaller.nix
index c33308f..9d8b14a 100644
--- a/machines/nfs/netinstaller.nix
+++ b/machines/nfs/netinstaller.nix
@@ -28,7 +28,7 @@ let
       --no-root-password \
       --verbose
-    umount -R /mnt
+    ${pkgs.util-linux}/bin/umount -R /mnt
     reboot
   '';
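Review bot: In the third `machines/nfs/dhcp.nix` hunk `"reservations"` is the only quoted attribute name at its level while `subnet`, `interface` and `id` are bare; only `hw-address` and `ip-address` need quotes because of the hyphen, so `reservations = mapAttrsToList (_: client: { ... }) clients;` reads consistently with the rest of the block, and with `with lib;` in scope `strings.toLower` can be plain `toLower` like `mapAttrsToList`. A reservation binds an address to a client-supplied MAC, which is not a proof of identity, so anything that later keys access on the reserved IP should not treat it as such; a one-line comment above the list, e.g. `# Fixed addresses per lab client, keyed on MAC; informational only, not an access control`, would keep that in view for later edits. The `subnet4` list and the enclosing `services.kea.dhcp4` set start outside the hunk.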
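Review bot: In the `machines/nfs/netinstaller.nix` hunk `umount` is now pinned to `${pkgs.util-linux}/bin/umount`, but `reboot` two lines below still relies on the installer's PATH, which is exactly the fragility the change addresses; pin it the same way, e.g. `${pkgs.systemd}/bin/reboot`. If the intent is to make the script independent of PATH, a comment above the first pinned command saying so would stop the next edit from reintroducing bare names. The `let` binding holding this script starts before the hunk, so whether the script fails fast (so that an unmount error does not fall through to the reboot) cannot be seen here and is worth checking.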