profiles/ldap: init

Phew, this is working? Signed-off-by: Ryan Lahfa <federez-infra@lahfa.xyz>
2024-02-14 20:40:20 +01:00 · 2024-02-14 20:40:20 +01:00 · 0a637e5079
commit 0a637e5079
parent 4a043d6fb5
5 changed files with 90 additions and 23 deletions
--- a/profiles/ldap.nix
+++ b/profiles/ldap.nix
@ -0,0 +1,51 @@
+{ config, ... }: {
+  age.secrets.ldap-bind-password = {
+    file = ../secrets/ldap-bind-password.age;
+    owner = "nslcd";
+    group = "nslcd";
+  };
+
+  services.openssh.settings.AllowGroups = [ "root" "ssh" "federezadmin" ];
+  security.sudo.extraRules = [
+    { groups = [ "sudoldap" ]; commands = [ "ALL" ]; }
+  ];
+
+  security.pam.services.login.makeHomeDir = true;
+  security.pam.services.passwd.makeHomeDir = true;
+  security.pam.services.sshd.makeHomeDir = true;
+  security.pam.makeHomeDir = {
+    umask = "0022";
+  };
+
+  systemd.services.nslcd.serviceConfig.LogsDirectory = "nslcd";
+  users.ldap = {
+    enable = true;
+    nsswitch = true;
+    # nslcd daemon
+    daemon.enable = true;
+    base = "dc=federez,dc=net";
+    bind = {
+      distinguishedName = "cn=nssauth,ou=service-users,dc=federez,dc=net";
+      passwordFile = config.age.secrets.ldap-bind-password.path;
+    };
+    # ldaps://ldap.federez.net ldaps://ldap-ro.federez.net
+    server = "ldaps://ldap.federez.net";
+    daemon.extraConfig = ''
+      log /var/log/nslcd/debug.log debug
+
+      uri ldaps://ldap-ro.federez.net
+
+      base passwd cn=Utilisateurs,dc=federez,dc=net
+      base shadow cn=Utilisateurs,dc=federez,dc=net
+      base group ou=posix,ou=groups,dc=federez,dc=net
+
+      map passwd loginShell /run/current-system/sw/bin/bash
+
+      ldap_version 3
+
+      ssl on
+      tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+      tls_reqcert demand
+    '';
+  };
+}
--- a/profiles/sysadmin.nix
+++ b/profiles/sysadmin.nix
@ -8,27 +8,4 @@
    pkgs.htop
    pkgs.kitty.terminfo
  ];
-
-  users.ldap.daemon = {
-    enable = false;
-    extraConfig = ''
-      # The location at which the LDAP server(s) should be reachable.
-      uri ldaps://ldap.federez.net
-      uri ldaps://ldap-ro.federez.net
-       
-      # The search base that will be used for all queries.
-      base dc=federez,dc=net
-       
-      base passwd cn=Utilisateurs,dc=federez,dc=net
-      base shadow cn=Utilisateurs,dc=federez,dc=net
-      base group ou=posix,ou=groups,dc=federez,dc=net
-       
-      # The LDAP protocol version to use.
-      ldap_version 3
-       
-      # The DN to bind with for normal lookups.
-      binddn cn=nssauth,ou=service-users,dc=federez,dc=net
-      bindpw ********TOP-SECRET-PASSWORD-THAT-MUST-BE-CHANGED-FOR-A-VALID-ONE********
-    '';
-  };
 }