NixOS configuration for HPC cluster https://docs.hpc.informatik.hs-fulda.de/

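{ lib, config, ... }:
with lib;
let
  # Turn the host's DNS domain into an LDAP base DN,
  # e.g. "a.b.c" -> "dc=a,dc=b,dc=c".
  baseDN = concatMapStringsSep ","
    (part: "dc=${part}")
    (splitString "." config.networking.domain);

  # PAM settings shared by every login path that should accept LDAP (sssd)
  # users: create the home directory on first login, let sssd's access
  # provider decide who may log in, and keep local unix auth on (mkForce,
  # so nothing the sssd module sets can switch it off) so the root account
  # declared below still works when the directory is unreachable.
  sssdPamService = {
    makeHomeDir = true;
    sssdStrictAccess = true;
    unixAuth = mkForce true;
  };
in
{
  # All local accounts are declared here; nothing is changed imperatively.
  users.mutableUsers = false;
  users.users."root" = {
    hashedPassword = "$y$j9T$tz8ojZ2gVOQ5AUp6GMhoj.$mAeE0eTGGsKNGddC7ebk/zFr5IMDyIpOpMP/6o.GI6D";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so"
    ];
  };

  # One definition for all four services instead of four identical copies.
  security.pam.services =
    genAttrs [ "sshd" "login" "lightdm" "systemd-user" ] (_: sssdPamService);

  # Every LDAP user ends up in the "cluster" group (override_gid below), so
  # this lifts the locked-memory limit for all of them; presumably required
  # by the cluster workloads — confirm before tightening.
  security.pam.loginLimits = [
    {
      domain = "@cluster";
      item = "memlock";
      type = "-";
      value = "unlimited";
    }
  ];

  services.sssd = {
    enable = true;
    # Provides SSSD_LDAP_DEFAULT_AUTHTOK (the bind password) at runtime, so
    # the secret is substituted into sssd.conf instead of being written into
    # the world-readable Nix store.
    environmentFile = config.sops.secrets."ldap/login/environment".path;
    # Notes on the directory settings:
    # - debug_level = 8 is very verbose; sssd logs can contain user names and
    #   DNs, so lower it once the setup is stable.
    # - ldap_access_filter = (objectClass=*) matches every entry under
    #   ldap_search_base, i.e. any account in ou=users is allowed to log in;
    #   narrow the filter if only a subset should have access.
    # - ldap_tls_reqcert = demand makes an unverifiable server certificate a
    #   hard failure, which is what protects the bind password on the wire.
    # - cache_credentials = true lets previously seen users authenticate
    #   while the directory is down (it was listed twice; kept once).
    config = ''
      [sssd]
      config_file_version = 2
      services = nss, pam, ssh, ifp
      domains = hsfd
      debug_level = 8

      [nss]
      override_homedir = /home/%u
      override_shell = /run/current-system/sw/bin/bash
      filter_users = root
      filter_groups = root
      reconnection_retries = 3

      [pam]

      [domain/hsfd]
      id_provider = ldap
      access_provider = ldap
      auth_provider = ldap
      cache_credentials = true
      ldap_uri = ldaps://ldap.${config.networking.domain}/
      ldap_search_base = ou=users,${baseDN}
      ldap_tls_reqcert = demand
      ldap_id_use_start_tls = true
      ldap_default_bind_dn = cn=login,${baseDN}
      ldap_default_authtok_type = password
      ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
      ldap_access_order = filter
      ldap_access_filter = (objectClass=*)
      ldap_user_object_class = posixAccount
      ldap_user_name = cn
      ldap_search_timeout = 10
      ldap_network_timeout = 10
      ldap_deref_threshold = 0
      ignore_group_members = true
      subdomain_inherit = ignore_group_members
      entry_negative_timeout = 3
      override_gid = ${toString config.users.groups."cluster".gid}
      min_id = 1000
      enumerate = true
    '';
  };

  users.groups."cluster" = {
    gid = 1000; # Fixed, because it is used as override_gid for LDAP users
  };

  # The sops-encrypted file holding the bind password used by sssd above.
  sops.secrets."ldap/login/environment" = {
    sopsFile = ./secrets.yaml;
  };
}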