diff --git a/hive.nix b/hive.nix
index bf946e9..009775e 100644
--- a/hive.nix
+++ b/hive.nix
@@ -16,6 +16,7 @@ in
 ./profiles/sysadmin.nix
 ./profiles/glucagon.nix
 ./profiles/child-netdata.nix
+ ./profiles/ldap.nix
 "${src.agenix}/modules/age.nix"
 (disko.config diskConfig)
 ];
diff --git a/profiles/ldap.nix b/profiles/ldap.nix
new file mode 100644
index 0000000..23e5c1c
--- /dev/null
+++ b/profiles/ldap.nix
@@ -0,0 +1,51 @@
+{ config, ... }: {
+ age.secrets.ldap-bind-password = {
+ file = ../secrets/ldap-bind-password.age;
+ owner = "nslcd";
+ group = "nslcd";
+ };
+
+ services.openssh.settings.AllowGroups = [ "root" "ssh" "federezadmin" ];
+ security.sudo.extraRules = [
+ { groups = [ "sudoldap" ]; commands = [ "ALL" ]; }
+ ];
+
+ security.pam.services.login.makeHomeDir = true;
+ security.pam.services.passwd.makeHomeDir = true;
+ security.pam.services.sshd.makeHomeDir = true;
+ security.pam.makeHomeDir = {
+ umask = "0022";
+ };
+
+ systemd.services.nslcd.serviceConfig.LogsDirectory = "nslcd";
+ users.ldap = {
+ enable = true;
+ nsswitch = true;
+ # nslcd daemon
+ daemon.enable = true;
+ base = "dc=federez,dc=net";
+ bind = {
+ distinguishedName = "cn=nssauth,ou=service-users,dc=federez,dc=net";
+ passwordFile = config.age.secrets.ldap-bind-password.path;
+ };
+ # ldaps://ldap.federez.net ldaps://ldap-ro.federez.net
+ server = "ldaps://ldap.federez.net";
+ daemon.extraConfig = ''
+ log /var/log/nslcd/debug.log debug
+
+ uri ldaps://ldap-ro.federez.net
+
+ base passwd cn=Utilisateurs,dc=federez,dc=net
+ base shadow cn=Utilisateurs,dc=federez,dc=net
+ base group ou=posix,ou=groups,dc=federez,dc=net
+
+ map passwd loginShell /run/current-system/sw/bin/bash
+
+ ldap_version 3
+
+ ssl on
+ tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+ tls_reqcert demand
+ '';
+ };
+}
diff --git a/profiles/sysadmin.nix b/profiles/sysadmin.nix
index d02b24f..aa3a3d9 100644
--- a/profiles/sysadmin.nix
+++ b/profiles/sysadmin.nix
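Review bot: `log /var/log/nslcd/debug.log debug` in `daemon.extraConfig` leaves nslcd's most verbose logging switched on permanently for every host that imports this profile; at that level nslcd logs each request it serves and what it gets back from the directory, so the file grows without bound and exposes directory contents to anyone who can read `/var/log/nslcd` (a systemd `LogsDirectory` is created 0755 unless `LogsDirectoryMode` says otherwise). Drop the line, or keep `log syslog info` for normal operation and enable debug only while troubleshooting. The `map passwd loginShell /run/current-system/sw/bin/bash` line is presumably meant as a literal, but nslcd.conf(5) documents literal mappings with the value in double quotes (`map passwd loginShell "/run/current-system/sw/bin/bash"`), and unquoted it may be taken as an attribute name, so confirm against the man page before relying on it. Finally, `security.pam.makeHomeDir.umask = "0022"` makes every LDAP user's freshly created home directory world-readable on what is now a shared login host; `"0077"` is the conservative choice unless homes are meant to be browsable by other users.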
@@ -8,27 +8,4 @@
 pkgs.htop
 pkgs.kitty.terminfo
 ];
-
- users.ldap.daemon = {
- enable = false;
- extraConfig = ''
- # The location at which the LDAP server(s) should be reachable.
- uri ldaps://ldap.federez.net
- uri ldaps://ldap-ro.federez.net
-
- # The search base that will be used for all queries.
- base dc=federez,dc=net
-
- base passwd cn=Utilisateurs,dc=federez,dc=net
- base shadow cn=Utilisateurs,dc=federez,dc=net
- base group ou=posix,ou=groups,dc=federez,dc=net
-
- # The LDAP protocol version to use.
- ldap_version 3
-
- # The DN to bind with for normal lookups.
- binddn cn=nssauth,ou=service-users,dc=federez,dc=net
- bindpw ********TOP-SECRET-PASSWORD-THAT-MUST-BE-CHANGED-FOR-A-VALID-ONE********
- '';
- };
 }
diff --git a/secrets/ldap-bind-password.age b/secrets/ldap-bind-password.age
new file mode 100644
index 0000000..6bcb93b
--- /dev/null
+++ b/secrets/ldap-bind-password.age
@@ -0,0 +1,34 @@ +age-encryption.org/v1 +-> ssh-ed25519 GxF6ZA OjQmqOJccj+MF5atvDBSFQ1JMKLBYWhKr0Shr2Z8Bws +wdwMQsgMsIOCMayUrBqepQEphbJKK1WThpg69adSkOU +-> ssh-ed25519 Kw53Kw ITayxp4Bba3lr4UYKz0QOIdzJX3ZZ9ufODjHaXL+SzM +Wp7ZQrxHPN1/K3DRV3RiHcgpBpM4Qxjmp2cv6NvfBQE +-> ssh-ed25519 FCRFOQ 9ex8FuTdbUuhZvk8TvBD6BBwymPeJ5Efkt3ioc3M32Y +uGOuUeGXn7cD8xWhjpz9qb7lHzsjW2h7QBdv8a5RyoU +-> ssh-ed25519 B36KCg EGp4RxQca6dtSgwQYGNLdQ9BNSJ+fHWmr/Q4mka+6h8 +V2djTR4or1M+mbh8d4R643CvP8dQU2jbwlsoMKdoj+w +-> ssh-rsa krWCLQ +bWGdQA+nWtvvzNRiyvzHfZArfT1LVDT3NnttMiUJC1Jo6eMKje3wS0fxDbuDZ4vo +odtFhxK2hH6hR0DxIK97mzr4rfr521TWn50KCcxqIlZ8q6+i2Y51RpDMDB7tTHJv +MBlRMEDkt03atFyaCcBYqxCbosb8hQI0Osr4j1MDyj0PrUZJNmpr0o7immWkSCE1 +0VV9JiTDwkdR/lbJ/qkwhA/0+wWABeYEXZYvEmsQ3I7Mx0oX3W41DClhrfNkixTQ +VLc4o6Z1d7HqCdeOadqmEx4rtWuFZ7jMTaRV0hqEDr6MWe4KXNxR/7pF1O4a+Mzs +nhwG+n+4ta603MPWpkWnoQ +-> ssh-ed25519 /vwQcQ ynKyWE8qqquPN6WX7PsLuwUwtlNS/VBluDHTpXrIOE0 +VivMdBXUYl6ZHlgPx4+WJKPmiobgVXsftQdvClmIOLM +-> ssh-ed25519 0R97PA 5pzkJFYkvjVQYOgjIZPgdhEH8GFaHBrE7PHEg//lQVE +/Bfvwlo4CbUjv5uHjSAtfPxTBVfLoA6sIF2poDI4S68 +-> ssh-rsa jL+Elw +gyeeOmvoxeIvxQ0OGsRaFVeF/fkE6TxpYGHsJdA4w3yJSlLCtk+WYv228hx9if3+ +bXvBZL5uRF4psP36i0gQto4NjHEUP5hfdjaRzSIai/xdb78UD/UtvyOOhhpO1NRE +fmNYn5uAI2zCOzqpncgYTWaoI+Bl2LrBoNFrYHARgRg2dmx8kNIA/1cFTIzM+EC8 +GSRAHe/UI9FrjIPw32zYD81Y9SuTLDgnnyZQ+LJ9BEsA6xkmx6PwGt841Hwjn22s +HjI3EWHoTwzrjFA+CGN1TmR50jl5h90F19fu6TGbDPYnmQdm+9+xhTEGxIwZBblN +MAt2xbQbNSVruooRaB+0eKXCyQiHgn+2aSM0m4lq6i27W5KK9fFJoZpFRyYNVicS +z/3bbn5G37LNRQ7S2uaQpO5E093Q/TO/cAiDdpexxjWPY74BZQXpuCrd0kwQA5OA +YZqRrwnsbyU/1PIik+CfkoSzVieru8cYnZp9gltdLu998LoKh5tW3DTmTe5/RqiF +2fyZk+M/6QKQMrIX1HnOtZWfAdN+vh7E5VB2W7Ysq8SYHYHAG/a9rH8OJgkDIbpW +58g5Weidb9SKK3Ubunl1Ok7mzOmK5fLu5u+lM3UVqdVMhaxX1uwL9pgeei5aqIUo ++KCsjx+0Wb554MitUvSaw00yS0A+z0H78nKv3waZL8k +--- NNyRDQ7VL64kPyPUtiUkjKts16ia4Oz4KYJdOsykT9Q +àÒÁIDÌžKe*µ]¤Ö4ªuòýüPhĈÜà9ÔFȤcz°7–‰†zš&ž<EÜZ(^Ñ$™#]¼ \ No newline at end of file 
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 6303af9..6294d85 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -3,6 +3,7 @@ let
 estragon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBS1xp/2n5q4u4kDerkXQClnD1xeS6qrj0regbJwjktB root@estragon";
 wagon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJqBgXGbnPPmDHrn05Fr3X66cmgP6zvnMtPL21d4ebfh root@wagon";
 lagon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8fiqJw9RvVVQghG0OVKsXAkBcWox4JsozfxToLAiIK root@lagon";
+ klingon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/P58bPqi8yTl12jpP8oFcYG7S8j1WpfgqwZz+EuQqy root@kligon";
 # Add yourself.
 raito = readKeyFile ../pubkeys/raito.keys;
 bensmrs = readKeyFile ../pubkeys/bensmrs.keys;
@@ -10,10 +11,13 @@ let
 matrix-admins = raito ++ bensmrs;
 vaultwarden-admins = raito ++ bensmrs;
 keycloak-admins = raito ++ bensmrs;
+ ldap-bind-admins = raito ++ bensmrs;
+ servers = [ estragon wagon lagon klingon ];
 in {
 "matrix-shared-secret.age".publicKeys = [ estragon ] ++ matrix-admins;
 "mautrix-telegram.age".publicKeys = [ estragon ] ++ matrix-admins;
 "vaultwarden-secrets.age".publicKeys = [ wagon ] ++ vaultwarden-admins;
 "keycloak-password-file.age".publicKeys = [ lagon ] ++ keycloak-admins;
+ "ldap-bind-password.age".publicKeys = servers ++ ldap-bind-admins;
 }
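Review bot: `"ldap-bind-password.age".publicKeys = servers ++ ldap-bind-admins;` encrypts one shared bind credential to every host key in `servers`, so a compromise of any single host yields a secret that is valid on all of them; every other secret in this file is scoped to the one host that consumes it, and if only some hosts import `profiles/ldap.nix` the recipient list should be narrowed the same way (the hive.nix hunk in this commit does not show which hosts receive the profile, so this is inferred). Rotating the `nssauth` password after any host incident then also has to cover all four machines, which is worth a short comment next to `servers`. Separately, the new key's trailing comment reads `root@kligon` while the binding is named `klingon`; age ignores the comment, but the mismatch will make the key harder to match to its host when keys are later rotated.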