
LDAP login

main
Dustin Frisch 1 year ago
parent
commit
2f0cb2fedf
  1. 2
      .sops.yaml
  2. 11
      machines/manager/ldap.nix
  3. 4
      machines/node/users.nix
  4. 45
      secrets.yaml
  5. 10
      secrets/cache-priv-key.pem
  6. 20
      shared/users.nix

2
.sops.yaml

@ -1,6 +1,7 @@
keys:
- &admin_fooker 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
- &server_manager age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn
- &server_node-00 age1q3tqh4w7yeae4xs0cxevtp5tn4gm8xthc39fsht2kv9rq7xm4q3qxqt9sh
creation_rules:
- key_groups:
@ -8,4 +9,5 @@ creation_rules:
- *admin_fooker
age:
- *server_manager
- *server_node-00
path_regex: ^(secrets\.yaml|secrets/.+)$
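Review bot: The new `&server_node-00` recipient is appended to the one creation rule whose `path_regex: ^(secrets\.yaml|secrets/.+)$` matches every secret in the repository, so node-00 can now decrypt material it has no consumer for — this commit accordingly re-encrypts `ldap/root/password` and `secrets/cache-priv-key.pem` to it as well. Of the secrets visible here only the nslcd bind password in shared/users.nix appears to be read on nodes, so a tighter layout would be a second rule with its own `path_regex` (e.g. a separate node-scoped secrets file, name to be chosen) that lists `*server_node-00`, while the manager-only secrets keep the original recipient set. A compromised node then exposes only the node-scoped secrets rather than the manager's signing key and directory root password. The `creation_rules` entry this hunk belongs to starts before the hunk.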

11
machines/manager/ldap.nix

@ -45,6 +45,17 @@ in
};
};
};
declarativeContents.${baseDN} = ''
dn: ${baseDN}
objectClass: top
objectClass: dcObject
objectClass: organization
o: ${config.networking.domain}
dn: ou=users,${baseDN}
objectClass: top
objectClass: organizationalUnit
'';
};
sops.secrets."ldap/root/password" = {
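Review bot: `declarativeContents.${baseDN}` makes the NixOS openldap module recreate the suffix from this LDIF on every service start (per the option's own documentation), so the `ou=users` subtree contains only what this string declares and any entries or password changes made at runtime are dropped at the next restart; a comment would save the next operator a surprise, e.g. `# Database is rebuilt from this LDIF on each service start — user entries must be declared here (or another declarative source), not added at runtime.` The two entries also need a blank line between `o: ${config.networking.domain}` and the second `dn:` to be valid LDIF, although the rendering may simply have dropped it. The `services.openldap` block starts before the hunk and `sops.secrets."ldap/root/password"` continues after it.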

4
machines/node/users.nix

@ -16,6 +16,8 @@ with lib;
};
services.openssh = {
#logLevel = "DEBUG3";
extraConfig = ''
IgnoreRhosts no
@ -29,6 +31,4 @@ with lib;
environment.etc."ssh/shosts.equiv".text = concatMapStringsSep "\n"
(node: node.config.networking.fqdn)
(attrValues nodes);
users.groups."cluster" = { };
}

45
secrets.yaml

@ -1,6 +1,8 @@
ldap:
root:
password: ENC[AES256_GCM,data:bYuw+9ywfRDNVt0nrLDmWE8+f8aHQvGd,iv:JHU3MxmNdxI2a62Dcky8xhHhjhcxyjM0Z0xLEnLxJwU=,tag:3VW0zTlRFxLDI8WxGu1lew==,type:str]
login:
password: ENC[AES256_GCM,data:IFPwehOGSYore+HEv7MyymCKaOKn5XEH,iv:JTrZucSL/MohMgUdWqalpgjCCh7ueXd3cgNB0FuJo/U=,tag:o/1nvTrfojYsXYeuvxKfNg==,type:str]
beegfs:
connection: ENC[AES256_GCM,data:YTHMg76+5Azb+ex5ArUHt4xP+YYWr9Ph,iv:TEf8i+yezPsaW12Lg5jRnhds9uW9WhV6duZPdxeW9co=,tag:bPGsl7ofwE1Jh+FTyHJqzQ==,type:str]
sops:
@ -12,28 +14,37 @@ sops:
- recipient: age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL2N1SVQzcVFHRC9KRmM4
Wmd0dVE1TmIxZTR3QmhVbnRxT21kcFA4VEJVCnhrRUY0d2xJVFdaR2xRQXBEM2t2
Qllha1AvRGxFNWxta1JNSzBNSUNIdjQKLS0tIEJ2TWpnTFArdzhPU2JIZjlhOGVy
REpyVVlBL3BMSnF5QThBSGxNSEVGNHcKWqozLpGac2RlrpmR9DuJTcD4ue5zjwnz
b0eyJ2gD3gr81zG9DSifjLg8BLyt1mSml4wia5uHOP4DxhX4EOLDJw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSVVdBd0hvWG0zT3BTRGVh
NWxtdlJocy8wSnIvMUdoOVZYM0owMW9TWGxnCmZLcStDdzVvNlh3dzVQN0NvVUJw
S1l5aG9ocVp3RWNJbWl5bjVxT3U3WjQKLS0tIEZkdHk4dGM4YnloR2FZSkNWOWxo
cXg2OTd4OTRzN1MxWmtIczRleXdBU0UKID449Ln3KBshJVgn2RyZS5M73WGDWMs8
HxrSlpf8HajxtU/iPpgkIRHLNIVa0C/1NlQOTvxPyDhEvuV31xm/JQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-29T12:51:30Z"
mac: ENC[AES256_GCM,data:02jKHbEZGs3QiNzXEQxcB8v/i5UVB/pCciz4hSI220+GEYPgQK6qR1cZJaMAyrHKjzJLhNZq3Gfgsj4zfA+FMg/d12vp2QNTMRrVD/hSh67NgloZ/iTmJC//S8OJfiHEPdGKkq7zXCVajnkGMT/0yLNWAKISAwL451ohgMzMQYw=,iv:8hqKXUolNA7WatnnYwwUN2EgOyZjTISG2bfToENYc7c=,tag:5y43RQJgZbPK8g3Cw8CBzQ==,type:str]
- recipient: age1q3tqh4w7yeae4xs0cxevtp5tn4gm8xthc39fsht2kv9rq7xm4q3qxqt9sh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkM0ErekJGUlVRZDFQMFpN
UlBOdUpIMENSbEVMZnhKcFRLelBFZUlFdjFjCk9ucFExMmFGSjVnT0Mxdml0MVRI
NWNzeHM3cVpSMzE1STlHQkdKUW9NTm8KLS0tIDFSS2VWbHN4ckpCc3p0YXV3Mitp
T2h5bStSVFQ1YXM2TXgyQnk2amdQKzgKzncSU2ryAYQHlsSeFejE2NfHxoR9WJDm
jy2ALBMAInl7e5TP89QAEvthUrfyos3f8jV4GOQm7TIerYTr/5kctA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-06-01T13:46:17Z"
mac: ENC[AES256_GCM,data:Uei7c4/hHSqtv0bN2dLrF3mh6MYrx85N0KXO2R/Eu+78MTlwKPmCeD1H4tfyMTS4hJdjGYmk6H8Hj5K5B7irmb39BKnGWq86eFj9AxhODr4/nS0n1f+F4lX5R/3v5JJ4J54y0IymfQj/iN5QZsOGmVw9z8cFs5a9tUD118yYq3E=,iv:OXt5e854thU/SWFhoiy/YzDBqzF3M3GRXXIFaAX+Vrs=,tag:KuuxsINhybfd274v3z63qA==,type:str]
pgp:
- created_at: "2023-05-30T15:22:50Z"
- created_at: "2023-06-01T13:41:20Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA5ntoryXZPD4AQf/csXiLfUOCPX0jNdz6V2YzStTD1tiYM8+SyqS433ZC8ii
CR1vD5UlrXHEzfXX5Wt1iHO6Y5BCtvv4nVOaYPldV0n17FisXhAbKciTj5Om43uu
rbfY2xgHdZaFU3nMC147xDh5cOVa297mOY6jaCDX2bpfxp35NYz2vUNyfevG61Tl
sT6y0ISi2eN+x4xmlbDBs7/8LLiwjXvJu3UBXcEYNK18lYzALVPZWeCQvM5ALGS7
IC/vw6lhudNGXCSiT4SyPuQgIvFEyQvmIx4a/N35EARp6bXHH6gHalgJBTmulKaT
DGwewIjEw6FdmdLO4r3bpC7FvS0Pllo6HFTxh7OkVtJeASYywgWX1n/O6xT4pisQ
5dHHYoPtEe3wnuF/xb+mRsidGdKG3Tiu6rA3SoFbK6m7QSHOaDgsC8hDVDLw1XBs
FIJWhBoHIodOj+aaScZmFGZnJAbwhYiYrmZs8qJdtg==
=Vjvo
hQEMA5ntoryXZPD4AQf/X1yiMrb68+TJkcOH010pRLVUu6Wlsr51nFsuObSx+8Vs
I43EPxiFEHa5fQvi6KMqUgfc50aYfjcS8ZKy67B6Hf4F7h5kB2dGCkOjjmBLYX2W
dc20han6qDfPUFnp+owoNEspMvHjcGAhm1CKKFXS7cr4VgdRZCQPfmQwhHSnMk/B
ii4j1sgCNoOnzXUuEfZ0InN+VVKCxGtidAiFXjBtaoqordlFllje4znxXDjIHM8/
APzRYtP1TcZG6c/WorgkOpwSIX4tz8ZNePmXdkbg9wxvg0lAb+ACX8vRGXBnbZ8d
oQ1dHcGfIaA+GWVF5uTuabShbHqL7cg2D+TJUWh1CdJeAYBQqSl/8mE2N9i8Vojx
shSnO2hCF2cTKU/gzSy8VYmvHiZTPKUcyffDRoTqBj77gmCwLUE0aIF2R7YkQor5
SNe+HeQ6WxIJD2D09wvhDg+TD+jNskxEcjI8EMueZQ==
=l0Nv
-----END PGP MESSAGE-----
fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
unencrypted_suffix: _unencrypted

10
secrets/cache-priv-key.pem

@ -8,15 +8,19 @@
"age": [
{
"recipient": "age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1bkJEK1lXZDRpbHd1WXNL\nYkdId3NicUwrK09ScVVuWnhIUjA3QTRXZDA0CkticldtQUUvK1E2emhLckxDaklx\nNDdMT2VxOGVSdEwxS1FZRldYMzRvQmcKLS0tIE5UeUFVVGVrdEkxNUltYUs5RUNV\nSEIwNzFXUk4xZStiYm5JRWRZUDBPblEKjM4GZg+YPgoQl9pXp7SM1SOBO1vH1rfb\nEWIHIZc5kx2VPnD+jSUqqFApZuPSpDtdyWXJWJQLIWBOXeUmx/KJKA==\n-----END AGE ENCRYPTED FILE-----\n"
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwcnAzWkhKbGdjQ1g4WjVw\na3YrRjkzczVuNjYrQjJ5Yk9qeFFOS0dEdlVVCncwdU9JdVB2ekJSdXhNQmtJd0dH\neEIyK25pdVhpTzIzTUdvYlJGaDBvQVEKLS0tIDNsQ2J0ampueWZuQkNnQ2tFWEwv\nOVdyYzI2emh5SktqQUljbUhuajR3NTQKfG5O3ToSgBzR+/LHLyq7IUkLNRFeI6zh\n9u2pkCMncrUHAqpHJUfhnd39pke4Hg8op2DPLq9y7vj0s3DJ2HyJWQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1q3tqh4w7yeae4xs0cxevtp5tn4gm8xthc39fsht2kv9rq7xm4q3qxqt9sh",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZE1ndVZUenBCa2dva3dh\nT1hLMEFJSVNzejVtdXZnSStrWGtRd3IxZHlzClkxMmN5Q3FtL1pUcklkZXB6alZr\nNjJ6RzRwdFBDaFY5K2I0dlI4WWF3SVEKLS0tIE1zMGZkZWNTTjJEcnFNcWxlb0E4\nbmd3ejZ4S0V5alh1ZFZRd2IrckpybUkKY9KS0r71NIye4Bf8Ekqi90e4/7I8hg/V\nOA1bfKGo+sb9nD5HTBKEc+ssTVN21xWd9z6GksVjU9l2M5VoLwTkhQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2023-05-26T08:59:34Z",
"mac": "ENC[AES256_GCM,data:8h8NREXye3DDL7DpvT7sVr1lyaAfEgDwOoaDMuCzzRyHFWPSELQHnjLjEjmexoRrrsE/U608/h62PU7m9EDSYuWlJsvuNBZ+HezR/Ve8oFrZ5ZE3HIoEt2aeM2enSEHGP+aYFL4jEZJJDn9xoW3chFu3JLTSez0NOAhuejghjnU=,iv:Dfxlfa/mwKswYL077oPV+rylKk5y67qKPz+6UFCje9c=,tag:lmM0U8H5FlVRMO51mqTZgg==,type:str]",
"pgp": [
{
"created_at": "2023-05-30T15:22:58Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf+M9eb4mKfNadMmoAZ/OHOpKTl52jUDympCZblXF6yHS+8\ny7uchp+69vtXif+ZPLC+NMEZLtAnwPG3KhBXTK5c+6+dqZN4DI3MvGq1HKy3nEU0\nDqk2vQKPH29EvsVO4QgEZqGoNRVW7MXHzcq8WYKkKWXvNRcGzNPANqp1pCS+Chns\neeFCVynsd7QUTYkvSw1/BZuMY135+Ubd2Vm9At6GI6xI87KTVQh/o+vFKQpdnRHj\nENuPBF2z4TbZHweH4gGYibfdiWsyWzAlu7G9OtNww+AdoydctaMDeH+N4LGCCqBS\nnLfNY7aRYfLxQ/zcuPhzl1jiJeQeLcMiXyssoyNwRtJeASov2wKOpLAYlSVE+frW\n4CY9iw2694Cidw66l2i15hk/Q9IiUSPYpghdiowVvZgNnNaAl8TYhcN08uPFhLvT\nASzWUOwnhgVTu11bhqYEIjt3tY4JrKzynY8tDy+Z3Q==\n=ZSOF\n-----END PGP MESSAGE-----\n",
"created_at": "2023-06-01T13:41:29Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf/STkH8HafCMan6au+LKbb5DriplyRLLPLzDcCvNn/VD5H\nYQU8rn/iJajpvbKxgBYo8c3bgz9hz+qfM1aSF57ezHkuiDHd0DDlnEHXGDfEsy5b\nnxPxXA432d412sfbjC69cqBba9mGYV88URplVm40RqyqZr+drnF6bsu3r5gY1sJT\nwG5ZYyyhXTO02ePYuAlS5J0yihHzA3rtWR7VEL5zwJVRo3D1fhMA0ZEnjCc9j14E\nT9yrOQZ1fPhiAJcvbWWxGWwDa50DpVGVBRwZ+N8mWbRN+Py4/OsjEe8f8s2h2IEp\nGKGirTIcc6hRhoOBRTNBmNeuTDbI04r+ai8XZBYxNNJeARvh1kh+5lx7gln92R7r\nDcgWchi/PioCHvDr9lfusuhio6rbAfS7LZ5fVREyHqRomQJEfFuq9Vder6cBYT+0\nd2/TG3Qc02Q0Q1yKXT3Fm+O9g8tXTWPyuZNt70npRA==\n=q6EO\n-----END PGP MESSAGE-----\n",
"fp": "3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE"
}
],

20
shared/users.nix

@ -25,11 +25,23 @@ in
base = baseDN;
daemon.enable = true;
bind = {
distinguishedName = "cn=root,${baseDN}";
passwordFile = config.sops.secrets."ldap/login/password".path;
};
};
users.users."fooker" = {
isNormalUser = true;
group = "cluster";
password = "asdasd123";
users.groups."cluster" = {
gid = 1000; # Fixed, becaused it is used for LDAP users
};
security.pam.services."login".makeHomeDir = true;
security.pam.services."sshd".makeHomeDir = true;
security.pam.services."systemd-user".makeHomeDir = true;
sops.secrets."ldap/login/password" = {
owner = "nslcd";
key = "ldap/root/password";
};
}
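Review bot: The client bind uses `distinguishedName = "cn=root,${baseDN}"`, and `sops.secrets."ldap/login/password"` with `key = "ldap/root/password"` fills that secret file with the root DN password, so the lookup daemon on every node holds full write access to the directory and the separate `ldap/login/password` value added to secrets.yaml in this commit is never used. A dedicated read-only bind identity (an entry under the base DN whose ACL is limited to reading `ou=users`) with its own password would keep a compromised node from rewriting the directory; the `key` line should then reference that password's own entry, or be dropped so the secret name is used as the lookup key. As a minor point, `# Fixed, becaused it is used for LDAP users` has a typo (`because`). The enclosing attribute set (apparently `users.ldap`) starts before the hunk.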