hpc
/
nixcfg
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
NixOS configuration for HPC cluster https://docs.hpc.informatik.hs-fulda.de/
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
64 Commits
1 Branch
0 Tags
379 KiB
Tree: 92010ee643
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '92010ee643'
${ noResults }
nixcfg/shared/users.nix

127 lines
2.6 KiB
Raw Normal View History

use sssd for ldap
2 months ago
SSH host based auth
2 years ago
Secrets, netinstall, ldap and stuff
2 years ago
SSH host based auth
2 years ago
Inital import
2 years ago
Progress
2 years ago
Inital import
2 years ago
SSH host based auth
2 years ago
use sssd for ldap
2 months ago
LDAP login
2 years ago
Unlimited locks for cluster users
1 year ago
use sssd for ldap
2 months ago
Secrets, netinstall, ldap and stuff
2 years ago
SSH host based auth
2 years ago
Inital import
2 years ago
  1. { lib, config, ... }:
  3. with lib;
  5. let
  6. baseDN = concatMapStringsSep ","
  7. (part: "dc=${part}")
  8. (splitString "." config.networking.domain);
  10. in
  11. {
  12. users.mutableUsers = false;
  14. users.users."root" = {
  15. hashedPassword = "$y$j9T$tz8ojZ2gVOQ5AUp6GMhoj.$mAeE0eTGGsKNGddC7ebk/zFr5IMDyIpOpMP/6o.GI6D";
  17. openssh.authorizedKeys.keys = [
  18. "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so"
  19. ];
  20. };
  22. security.pam.services = {
  23. sshd = {
  24. makeHomeDir = true;
  25. sssdStrictAccess = true;
  26. unixAuth = lib.mkForce true;
  27. };
  28. login = {
  29. makeHomeDir = true;
  30. sssdStrictAccess = true;
  31. unixAuth = lib.mkForce true;
  32. };
  33. lightdm = {
  34. makeHomeDir = true;
  35. sssdStrictAccess = true;
  36. unixAuth = lib.mkForce true;
  37. };
  38. systemd-user = {
  39. makeHomeDir = true;
  40. sssdStrictAccess = true;
  41. unixAuth = lib.mkForce true;
  42. };
  43. };
  45. security.pam.loginLimits = [
  46. {
  47. domain = "@cluster";
  48. item = "memlock";
  49. type = "-";
  50. value = "unlimited";
  51. }
  52. ];
  54. services.sssd = {
  55. enable = true;
  57. environmentFile = config.sops.secrets."ldap/login/environment".path;
  59. config = ''
  60. [sssd]
  61. config_file_version = 2
  62. services = nss, pam, ssh, ifp
  63. domains = hsfd
  65. debug_level = 8
  67. [nss]
  68. override_homedir = /home/%u
  69. override_shell = /run/current-system/sw/bin/bash
  71. filter_users = root
  72. filter_groups = root
  74. reconnection_retries = 3
  76. [pam]
  78. [domain/hsfd]
  79. id_provider = ldap
  80. access_provider = ldap
  81. auth_provider = ldap
  83. cache_credentials = true
  85. ldap_uri = ldaps://ldap.${config.networking.domain}/
  86. ldap_search_base = ou=users,${baseDN}
  88. ldap_tls_reqcert = demand
  89. ldap_id_use_start_tls = true
  91. ldap_default_bind_dn = cn=login,${baseDN}
  92. ldap_default_authtok_type = password
  93. ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
  95. ldap_access_order = filter
  96. ldap_access_filter = (objectClass=*)
  98. ldap_user_object_class = posixAccount
  99. ldap_user_name = cn
  101. ldap_search_timeout = 10
  102. ldap_network_timeout = 10
  104. ldap_deref_threshold = 0
  106. ignore_group_members = true
  107. subdomain_inherit = ignore_group_members
  109. entry_negative_timeout = 3
  111. override_gid = ${toString config.users.groups."cluster".gid}
  113. cache_credentials = true
  115. min_id = 1000
  116. enumerate = true
  117. '';
  118. };
  120. users.groups."cluster" = {
  121. gid = 1000; # Fixed, becaused it is used for LDAP users
  122. };
  124. sops.secrets."ldap/login/environment" = {
  125. sopsFile = ./secrets.yaml;
  126. };
  127. }