From 2f0cb2fedf083030b14789336b42c7c2fb59fba5 Mon Sep 17 00:00:00 2001 From: Dustin Frisch Date: Fri, 2 Jun 2023 10:58:37 +0200 Subject: [PATCH] LDAP login --- .sops.yaml | 2 ++ machines/manager/ldap.nix | 11 ++++++++++ machines/manager/users.nix | 6 ++--- machines/node/users.nix | 4 ++-- secrets.yaml | 45 ++++++++++++++++++++++++-------------- secrets/cache-priv-key.pem | 10 ++++++--- shared/users.nix | 20 +++++++++++++---- 7 files changed, 69 insertions(+), 29 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 8ddf506..f9c499b 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,6 +1,7 @@ keys: - &admin_fooker 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE - &server_manager age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn + - &server_node-00 age1q3tqh4w7yeae4xs0cxevtp5tn4gm8xthc39fsht2kv9rq7xm4q3qxqt9sh creation_rules: - key_groups: @@ -8,4 +9,5 @@ creation_rules: - *admin_fooker age: - *server_manager + - *server_node-00 path_regex: ^(secrets\.yaml|secrets/.+)$ diff --git a/machines/manager/ldap.nix b/machines/manager/ldap.nix index e7d3f60..be7fb17 100644 --- a/machines/manager/ldap.nix +++ b/machines/manager/ldap.nix @@ -45,6 +45,17 @@ in }; }; }; + declarativeContents.${baseDN} = '' + dn: ${baseDN} + objectClass: top + objectClass: dcObject + objectClass: organization + o: ${config.networking.domain} + + dn: ou=users,${baseDN} + objectClass: top + objectClass: organizationalUnit + ''; }; sops.secrets."ldap/root/password" = { diff --git a/machines/manager/users.nix b/machines/manager/users.nix index 855bbce..aacb625 100644 --- a/machines/manager/users.nix +++ b/machines/manager/users.nix @@ -11,10 +11,10 @@ with lib; }); extraConfig = '' - EnableSSHKeysign yes + EnableSSHKeysign yes - Host node-*.${config.networking.domain} - HostbasedAuthentication yes + Host node-*.${config.networking.domain} + HostbasedAuthentication yes ''; }; diff --git a/machines/node/users.nix b/machines/node/users.nix index dc28a6c..68b8f40 100644 --- a/machines/node/users.nix 
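Review bot: Adding `*server_node-00` to the single creation rule (`path_regex: ^(secrets\.yaml|secrets/.+)$`) makes node-00 a recipient of every secret in the repository rather than only the LDAP bind password it needs; the re-encrypted `ldap/root/password` and `secrets/cache-priv-key.pem` later in this patch show that both are now decryptable on the node. A compromised node would therefore yield the directory root password and the cache signing key, and each further node appended to this list widens that exposure again. Prefer a second, narrower rule — keep the existing rule for the manager only and add `- path_regex: ^secrets/node\.yaml$` whose age list holds the node keys, moving the bind password into that file. A one-line comment above the rule stating which hosts are meant to read what would make the intended boundary reviewable.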
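Review bot: The `ou=users,${baseDN}` entry in `declarativeContents` declares `objectClass: organizationalUnit` but carries no `ou: users` attribute; `organizationalUnit` requires `ou`, and slapadd (which, as far as I recall, the NixOS openldap module uses to load declarative contents) rejects an entry whose naming attribute is missing, so the whole load would fail. The base entry has the same shape problem: `dcObject` requires a `dc` attribute matching the first RDN of `baseDN`, which is defined outside this hunk. Add `ou: users` under the second entry and the matching `dc:` line under the first, ideally derived from `baseDN` so they cannot drift. Also note in a comment that, if my reading of the module is right, declarative contents are reloaded on every start, so anything created under `ou=users` at runtime should not be expected to survive a restart.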
+++ b/machines/node/users.nix @@ -16,6 +16,8 @@ with lib; }; services.openssh = { + #logLevel = "DEBUG3"; + extraConfig = '' IgnoreRhosts no @@ -29,6 +31,4 @@ with lib; environment.etc."ssh/shosts.equiv".text = concatMapStringsSep "\n" (node: node.config.networking.fqdn) (attrValues nodes); - - users.groups."cluster" = { }; } diff --git a/secrets.yaml b/secrets.yaml index 15f516a..35f8939 100644 --- a/secrets.yaml +++ b/secrets.yaml @@ -1,6 +1,8 @@ ldap: root: password: ENC[AES256_GCM,data:bYuw+9ywfRDNVt0nrLDmWE8+f8aHQvGd,iv:JHU3MxmNdxI2a62Dcky8xhHhjhcxyjM0Z0xLEnLxJwU=,tag:3VW0zTlRFxLDI8WxGu1lew==,type:str] + login: + password: ENC[AES256_GCM,data:IFPwehOGSYore+HEv7MyymCKaOKn5XEH,iv:JTrZucSL/MohMgUdWqalpgjCCh7ueXd3cgNB0FuJo/U=,tag:o/1nvTrfojYsXYeuvxKfNg==,type:str] beegfs: connection: ENC[AES256_GCM,data:YTHMg76+5Azb+ex5ArUHt4xP+YYWr9Ph,iv:TEf8i+yezPsaW12Lg5jRnhds9uW9WhV6duZPdxeW9co=,tag:bPGsl7ofwE1Jh+FTyHJqzQ==,type:str] sops: 
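Review bot: `#logLevel = "DEBUG3";` is a commented-out debugging setting left inside the committed `services.openssh` block; it documents nothing and invites someone to uncomment it on a production node, where DEBUG3 logs authentication details. Drop the line, or turn it into a real option guarded by a configuration flag with a comment explaining when it is meant to be enabled. The enclosing `services.openssh` attribute set continues past the end of this hunk.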
@@ -12,28 +14,37 @@ sops: - recipient: age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL2N1SVQzcVFHRC9KRmM4 - Wmd0dVE1TmIxZTR3QmhVbnRxT21kcFA4VEJVCnhrRUY0d2xJVFdaR2xRQXBEM2t2 - Qllha1AvRGxFNWxta1JNSzBNSUNIdjQKLS0tIEJ2TWpnTFArdzhPU2JIZjlhOGVy - REpyVVlBL3BMSnF5QThBSGxNSEVGNHcKWqozLpGac2RlrpmR9DuJTcD4ue5zjwnz - b0eyJ2gD3gr81zG9DSifjLg8BLyt1mSml4wia5uHOP4DxhX4EOLDJw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSVVdBd0hvWG0zT3BTRGVh + NWxtdlJocy8wSnIvMUdoOVZYM0owMW9TWGxnCmZLcStDdzVvNlh3dzVQN0NvVUJw + S1l5aG9ocVp3RWNJbWl5bjVxT3U3WjQKLS0tIEZkdHk4dGM4YnloR2FZSkNWOWxo + cXg2OTd4OTRzN1MxWmtIczRleXdBU0UKID449Ln3KBshJVgn2RyZS5M73WGDWMs8 + HxrSlpf8HajxtU/iPpgkIRHLNIVa0C/1NlQOTvxPyDhEvuV31xm/JQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-29T12:51:30Z" - mac: ENC[AES256_GCM,data:02jKHbEZGs3QiNzXEQxcB8v/i5UVB/pCciz4hSI220+GEYPgQK6qR1cZJaMAyrHKjzJLhNZq3Gfgsj4zfA+FMg/d12vp2QNTMRrVD/hSh67NgloZ/iTmJC//S8OJfiHEPdGKkq7zXCVajnkGMT/0yLNWAKISAwL451ohgMzMQYw=,iv:8hqKXUolNA7WatnnYwwUN2EgOyZjTISG2bfToENYc7c=,tag:5y43RQJgZbPK8g3Cw8CBzQ==,type:str] + - recipient: age1q3tqh4w7yeae4xs0cxevtp5tn4gm8xthc39fsht2kv9rq7xm4q3qxqt9sh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkM0ErekJGUlVRZDFQMFpN + UlBOdUpIMENSbEVMZnhKcFRLelBFZUlFdjFjCk9ucFExMmFGSjVnT0Mxdml0MVRI + NWNzeHM3cVpSMzE1STlHQkdKUW9NTm8KLS0tIDFSS2VWbHN4ckpCc3p0YXV3Mitp + T2h5bStSVFQ1YXM2TXgyQnk2amdQKzgKzncSU2ryAYQHlsSeFejE2NfHxoR9WJDm + jy2ALBMAInl7e5TP89QAEvthUrfyos3f8jV4GOQm7TIerYTr/5kctA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-06-01T13:46:17Z" + mac: ENC[AES256_GCM,data:Uei7c4/hHSqtv0bN2dLrF3mh6MYrx85N0KXO2R/Eu+78MTlwKPmCeD1H4tfyMTS4hJdjGYmk6H8Hj5K5B7irmb39BKnGWq86eFj9AxhODr4/nS0n1f+F4lX5R/3v5JJ4J54y0IymfQj/iN5QZsOGmVw9z8cFs5a9tUD118yYq3E=,iv:OXt5e854thU/SWFhoiy/YzDBqzF3M3GRXXIFaAX+Vrs=,tag:KuuxsINhybfd274v3z63qA==,type:str] pgp: - - created_at: 
"2023-05-30T15:22:50Z" + - created_at: "2023-06-01T13:41:20Z" enc: | -----BEGIN PGP MESSAGE----- - hQEMA5ntoryXZPD4AQf/csXiLfUOCPX0jNdz6V2YzStTD1tiYM8+SyqS433ZC8ii - CR1vD5UlrXHEzfXX5Wt1iHO6Y5BCtvv4nVOaYPldV0n17FisXhAbKciTj5Om43uu - rbfY2xgHdZaFU3nMC147xDh5cOVa297mOY6jaCDX2bpfxp35NYz2vUNyfevG61Tl - sT6y0ISi2eN+x4xmlbDBs7/8LLiwjXvJu3UBXcEYNK18lYzALVPZWeCQvM5ALGS7 - IC/vw6lhudNGXCSiT4SyPuQgIvFEyQvmIx4a/N35EARp6bXHH6gHalgJBTmulKaT - DGwewIjEw6FdmdLO4r3bpC7FvS0Pllo6HFTxh7OkVtJeASYywgWX1n/O6xT4pisQ - 5dHHYoPtEe3wnuF/xb+mRsidGdKG3Tiu6rA3SoFbK6m7QSHOaDgsC8hDVDLw1XBs - FIJWhBoHIodOj+aaScZmFGZnJAbwhYiYrmZs8qJdtg== - =Vjvo + hQEMA5ntoryXZPD4AQf/X1yiMrb68+TJkcOH010pRLVUu6Wlsr51nFsuObSx+8Vs + I43EPxiFEHa5fQvi6KMqUgfc50aYfjcS8ZKy67B6Hf4F7h5kB2dGCkOjjmBLYX2W + dc20han6qDfPUFnp+owoNEspMvHjcGAhm1CKKFXS7cr4VgdRZCQPfmQwhHSnMk/B + ii4j1sgCNoOnzXUuEfZ0InN+VVKCxGtidAiFXjBtaoqordlFllje4znxXDjIHM8/ + APzRYtP1TcZG6c/WorgkOpwSIX4tz8ZNePmXdkbg9wxvg0lAb+ACX8vRGXBnbZ8d + oQ1dHcGfIaA+GWVF5uTuabShbHqL7cg2D+TJUWh1CdJeAYBQqSl/8mE2N9i8Vojx + shSnO2hCF2cTKU/gzSy8VYmvHiZTPKUcyffDRoTqBj77gmCwLUE0aIF2R7YkQor5 + SNe+HeQ6WxIJD2D09wvhDg+TD+jNskxEcjI8EMueZQ== + =l0Nv -----END PGP MESSAGE----- fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE unencrypted_suffix: _unencrypted diff --git a/secrets/cache-priv-key.pem b/secrets/cache-priv-key.pem index db56f8c..dab33f0 100644 --- a/secrets/cache-priv-key.pem +++ b/secrets/cache-priv-key.pem 
@@ -8,15 +8,19 @@ "age": [ { "recipient": "age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1bkJEK1lXZDRpbHd1WXNL\nYkdId3NicUwrK09ScVVuWnhIUjA3QTRXZDA0CkticldtQUUvK1E2emhLckxDaklx\nNDdMT2VxOGVSdEwxS1FZRldYMzRvQmcKLS0tIE5UeUFVVGVrdEkxNUltYUs5RUNV\nSEIwNzFXUk4xZStiYm5JRWRZUDBPblEKjM4GZg+YPgoQl9pXp7SM1SOBO1vH1rfb\nEWIHIZc5kx2VPnD+jSUqqFApZuPSpDtdyWXJWJQLIWBOXeUmx/KJKA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwcnAzWkhKbGdjQ1g4WjVw\na3YrRjkzczVuNjYrQjJ5Yk9qeFFOS0dEdlVVCncwdU9JdVB2ekJSdXhNQmtJd0dH\neEIyK25pdVhpTzIzTUdvYlJGaDBvQVEKLS0tIDNsQ2J0ampueWZuQkNnQ2tFWEwv\nOVdyYzI2emh5SktqQUljbUhuajR3NTQKfG5O3ToSgBzR+/LHLyq7IUkLNRFeI6zh\n9u2pkCMncrUHAqpHJUfhnd39pke4Hg8op2DPLq9y7vj0s3DJ2HyJWQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1q3tqh4w7yeae4xs0cxevtp5tn4gm8xthc39fsht2kv9rq7xm4q3qxqt9sh", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZE1ndVZUenBCa2dva3dh\nT1hLMEFJSVNzejVtdXZnSStrWGtRd3IxZHlzClkxMmN5Q3FtL1pUcklkZXB6alZr\nNjJ6RzRwdFBDaFY5K2I0dlI4WWF3SVEKLS0tIE1zMGZkZWNTTjJEcnFNcWxlb0E4\nbmd3ejZ4S0V5alh1ZFZRd2IrckpybUkKY9KS0r71NIye4Bf8Ekqi90e4/7I8hg/V\nOA1bfKGo+sb9nD5HTBKEc+ssTVN21xWd9z6GksVjU9l2M5VoLwTkhQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2023-05-26T08:59:34Z", "mac": "ENC[AES256_GCM,data:8h8NREXye3DDL7DpvT7sVr1lyaAfEgDwOoaDMuCzzRyHFWPSELQHnjLjEjmexoRrrsE/U608/h62PU7m9EDSYuWlJsvuNBZ+HezR/Ve8oFrZ5ZE3HIoEt2aeM2enSEHGP+aYFL4jEZJJDn9xoW3chFu3JLTSez0NOAhuejghjnU=,iv:Dfxlfa/mwKswYL077oPV+rylKk5y67qKPz+6UFCje9c=,tag:lmM0U8H5FlVRMO51mqTZgg==,type:str]", "pgp": [ { - "created_at": "2023-05-30T15:22:58Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf+M9eb4mKfNadMmoAZ/OHOpKTl52jUDympCZblXF6yHS+8\ny7uchp+69vtXif+ZPLC+NMEZLtAnwPG3KhBXTK5c+6+dqZN4DI3MvGq1HKy3nEU0\nDqk2vQKPH29EvsVO4QgEZqGoNRVW7MXHzcq8WYKkKWXvNRcGzNPANqp1pCS+Chns\neeFCVynsd7QUTYkvSw1/BZuMY135+Ubd2Vm9At6GI6xI87KTVQh/o+vFKQpdnRHj\nENuPBF2z4TbZHweH4gGYibfdiWsyWzAlu7G9OtNww+AdoydctaMDeH+N4LGCCqBS\nnLfNY7aRYfLxQ/zcuPhzl1jiJeQeLcMiXyssoyNwRtJeASov2wKOpLAYlSVE+frW\n4CY9iw2694Cidw66l2i15hk/Q9IiUSPYpghdiowVvZgNnNaAl8TYhcN08uPFhLvT\nASzWUOwnhgVTu11bhqYEIjt3tY4JrKzynY8tDy+Z3Q==\n=ZSOF\n-----END PGP MESSAGE-----\n", + "created_at": "2023-06-01T13:41:29Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf/STkH8HafCMan6au+LKbb5DriplyRLLPLzDcCvNn/VD5H\nYQU8rn/iJajpvbKxgBYo8c3bgz9hz+qfM1aSF57ezHkuiDHd0DDlnEHXGDfEsy5b\nnxPxXA432d412sfbjC69cqBba9mGYV88URplVm40RqyqZr+drnF6bsu3r5gY1sJT\nwG5ZYyyhXTO02ePYuAlS5J0yihHzA3rtWR7VEL5zwJVRo3D1fhMA0ZEnjCc9j14E\nT9yrOQZ1fPhiAJcvbWWxGWwDa50DpVGVBRwZ+N8mWbRN+Py4/OsjEe8f8s2h2IEp\nGKGirTIcc6hRhoOBRTNBmNeuTDbI04r+ai8XZBYxNNJeARvh1kh+5lx7gln92R7r\nDcgWchi/PioCHvDr9lfusuhio6rbAfS7LZ5fVREyHqRomQJEfFuq9Vder6cBYT+0\nd2/TG3Qc02Q0Q1yKXT3Fm+O9g8tXTWPyuZNt70npRA==\n=q6EO\n-----END PGP MESSAGE-----\n", "fp": "3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE" } ], diff --git a/shared/users.nix b/shared/users.nix index 42d17f0..7eb97b8 100644 --- a/shared/users.nix +++ b/shared/users.nix 
@@ -25,11 +25,23 @@ in base = baseDN; daemon.enable = true; + + bind = { + distinguishedName = "cn=root,${baseDN}"; + passwordFile = config.sops.secrets."ldap/login/password".path; + }; + }; + + users.groups."cluster" = { + gid = 1000; # Fixed, becaused it is used for LDAP users }; - users.users."fooker" = { - isNormalUser = true; - group = "cluster"; - password = "asdasd123"; + security.pam.services."login".makeHomeDir = true; + security.pam.services."sshd".makeHomeDir = true; + security.pam.services."systemd-user".makeHomeDir = true; + + sops.secrets."ldap/login/password" = { + owner = "nslcd"; + key = "ldap/root/password"; }; }
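Review bot: The nslcd bind added here uses the directory root DN — `distinguishedName = "cn=root,${baseDN}"` together with `sops.secrets."ldap/login/password" = { key = "ldap/root/password"; }` — so every machine importing shared/users.nix (including the nodes this patch makes sops recipients) holds the rootdn password readable by the `nslcd` user, and a compromise of any node or of nslcd gives full write to the directory, including every user's password. Use a dedicated read-only service account instead, e.g. `distinguishedName = "cn=nslcd,${baseDN}";`, add its entry to `declarativeContents` with an access rule granting it read on `ou=users` only, and drop the `key = "ldap/root/password";` override so the secret really is `ldap/login/password`. As written, the new `ldap.login.password` entry added to secrets.yaml in this patch is never read, because `key` redirects the secret to `ldap/root/password`. Separately, `gid = 1000` is redeclared for a group the nodes previously had auto-allocated; as far as I recall NixOS does not change the gid of an existing group and only warns, so on already-deployed nodes LDAP users' primary gid may not match the local group — the comment should say this and fix the typo: `# Fixed gid, because LDAP users reference it; must match the gidNumber stored in the directory`.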