profiles/ldap: init

Phew, this is working?

Signed-off-by: Ryan Lahfa <federez-infra@lahfa.xyz>

hive.nix

@@ -16,6 +16,7 @@ in
       ./profiles/sysadmin.nix
       ./profiles/glucagon.nix
       ./profiles/child-netdata.nix
+      ./profiles/ldap.nix
       "${src.agenix}/modules/age.nix"
       (disko.config diskConfig)
     ];

profiles/ldap.nix

@@ -0,0 +1,51 @@
+{ config, ... }: {
+  age.secrets.ldap-bind-password = {
+    file = ../secrets/ldap-bind-password.age;
+    owner = "nslcd";
+    group = "nslcd";
+  };
+
+  services.openssh.settings.AllowGroups = [ "root" "ssh" "federezadmin" ];
+  security.sudo.extraRules = [
+    { groups = [ "sudoldap" ]; commands = [ "ALL" ]; }
+  ];
+
+  security.pam.services.login.makeHomeDir = true;
+  security.pam.services.passwd.makeHomeDir = true;
+  security.pam.services.sshd.makeHomeDir = true;
+  security.pam.makeHomeDir = {
+    umask = "0022";
+  };
+
+  systemd.services.nslcd.serviceConfig.LogsDirectory = "nslcd";
+  users.ldap = {
+    enable = true;
+    nsswitch = true;
+    # nslcd daemon
+    daemon.enable = true;
+    base = "dc=federez,dc=net";
+    bind = {
+      distinguishedName = "cn=nssauth,ou=service-users,dc=federez,dc=net";
+      passwordFile = config.age.secrets.ldap-bind-password.path;
+    };
+    # ldaps://ldap.federez.net ldaps://ldap-ro.federez.net
+    server = "ldaps://ldap.federez.net";
+    daemon.extraConfig = ''
+      log /var/log/nslcd/debug.log debug
+
+      uri ldaps://ldap-ro.federez.net
+
+      base passwd cn=Utilisateurs,dc=federez,dc=net
+      base shadow cn=Utilisateurs,dc=federez,dc=net
+      base group ou=posix,ou=groups,dc=federez,dc=net
+
+      map passwd loginShell /run/current-system/sw/bin/bash
+
+      ldap_version 3
+
+      ssl on
+      tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+      tls_reqcert demand
+    '';
+  };
+}

profiles/sysadmin.nix

@@ -8,27 +8,4 @@
     pkgs.htop
     pkgs.kitty.terminfo
   ];
-
-  users.ldap.daemon = {
-    enable = false;
-    extraConfig = ''
-      # The location at which the LDAP server(s) should be reachable.
-      uri ldaps://ldap.federez.net
-      uri ldaps://ldap-ro.federez.net
-       
-      # The search base that will be used for all queries.
-      base dc=federez,dc=net
-       
-      base passwd cn=Utilisateurs,dc=federez,dc=net
-      base shadow cn=Utilisateurs,dc=federez,dc=net
-      base group ou=posix,ou=groups,dc=federez,dc=net
-       
-      # The LDAP protocol version to use.
-      ldap_version 3
-       
-      # The DN to bind with for normal lookups.
-      binddn cn=nssauth,ou=service-users,dc=federez,dc=net
-      bindpw ********TOP-SECRET-PASSWORD-THAT-MUST-BE-CHANGED-FOR-A-VALID-ONE********
-    '';
-  };
 }

secrets/ldap-bind-password.age

@@ -0,0 +1,34 @@
+age-encryption.org/v1
+-> ssh-ed25519 GxF6ZA OjQmqOJccj+MF5atvDBSFQ1JMKLBYWhKr0Shr2Z8Bws
+wdwMQsgMsIOCMayUrBqepQEphbJKK1WThpg69adSkOU
+-> ssh-ed25519 Kw53Kw ITayxp4Bba3lr4UYKz0QOIdzJX3ZZ9ufODjHaXL+SzM
+Wp7ZQrxHPN1/K3DRV3RiHcgpBpM4Qxjmp2cv6NvfBQE
+-> ssh-ed25519 FCRFOQ 9ex8FuTdbUuhZvk8TvBD6BBwymPeJ5Efkt3ioc3M32Y
+uGOuUeGXn7cD8xWhjpz9qb7lHzsjW2h7QBdv8a5RyoU
+-> ssh-ed25519 B36KCg EGp4RxQca6dtSgwQYGNLdQ9BNSJ+fHWmr/Q4mka+6h8
+V2djTR4or1M+mbh8d4R643CvP8dQU2jbwlsoMKdoj+w
+-> ssh-rsa krWCLQ
+bWGdQA+nWtvvzNRiyvzHfZArfT1LVDT3NnttMiUJC1Jo6eMKje3wS0fxDbuDZ4vo
+odtFhxK2hH6hR0DxIK97mzr4rfr521TWn50KCcxqIlZ8q6+i2Y51RpDMDB7tTHJv
+MBlRMEDkt03atFyaCcBYqxCbosb8hQI0Osr4j1MDyj0PrUZJNmpr0o7immWkSCE1
+0VV9JiTDwkdR/lbJ/qkwhA/0+wWABeYEXZYvEmsQ3I7Mx0oX3W41DClhrfNkixTQ
+VLc4o6Z1d7HqCdeOadqmEx4rtWuFZ7jMTaRV0hqEDr6MWe4KXNxR/7pF1O4a+Mzs
+nhwG+n+4ta603MPWpkWnoQ
+-> ssh-ed25519 /vwQcQ ynKyWE8qqquPN6WX7PsLuwUwtlNS/VBluDHTpXrIOE0
+VivMdBXUYl6ZHlgPx4+WJKPmiobgVXsftQdvClmIOLM
+-> ssh-ed25519 0R97PA 5pzkJFYkvjVQYOgjIZPgdhEH8GFaHBrE7PHEg//lQVE
+/Bfvwlo4CbUjv5uHjSAtfPxTBVfLoA6sIF2poDI4S68
+-> ssh-rsa jL+Elw
+gyeeOmvoxeIvxQ0OGsRaFVeF/fkE6TxpYGHsJdA4w3yJSlLCtk+WYv228hx9if3+
+bXvBZL5uRF4psP36i0gQto4NjHEUP5hfdjaRzSIai/xdb78UD/UtvyOOhhpO1NRE
+fmNYn5uAI2zCOzqpncgYTWaoI+Bl2LrBoNFrYHARgRg2dmx8kNIA/1cFTIzM+EC8
+GSRAHe/UI9FrjIPw32zYD81Y9SuTLDgnnyZQ+LJ9BEsA6xkmx6PwGt841Hwjn22s
+HjI3EWHoTwzrjFA+CGN1TmR50jl5h90F19fu6TGbDPYnmQdm+9+xhTEGxIwZBblN
+MAt2xbQbNSVruooRaB+0eKXCyQiHgn+2aSM0m4lq6i27W5KK9fFJoZpFRyYNVicS
+z/3bbn5G37LNRQ7S2uaQpO5E093Q/TO/cAiDdpexxjWPY74BZQXpuCrd0kwQA5OA
+YZqRrwnsbyU/1PIik+CfkoSzVieru8cYnZp9gltdLu998LoKh5tW3DTmTe5/RqiF
+2fyZk+M/6QKQMrIX1HnOtZWfAdN+vh7E5VB2W7Ysq8SYHYHAG/a9rH8OJgkDIbpW
+58g5Weidb9SKK3Ubunl1Ok7mzOmK5fLu5u+lM3UVqdVMhaxX1uwL9pgeei5aqIUo
++KCsjx+0Wb554MitUvSaw00yS0A+z0H78nKv3waZL8k
+--- NNyRDQ7VL64kPyPUtiUkjKts16ia4Oz4KYJdOsykT9Q
+àÒÁIDÌžKe*µ]¤Ö4ªuòýüPhĈÜà9ÔFȤcz°7–‰†zš&ž<EÜZ(^Ñ$™#]¼

secrets/secrets.nix

@@ -3,6 +3,7 @@ let
   estragon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBS1xp/2n5q4u4kDerkXQClnD1xeS6qrj0regbJwjktB root@estragon";
   wagon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJqBgXGbnPPmDHrn05Fr3X66cmgP6zvnMtPL21d4ebfh root@wagon";
   lagon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8fiqJw9RvVVQghG0OVKsXAkBcWox4JsozfxToLAiIK root@lagon";
+  klingon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/P58bPqi8yTl12jpP8oFcYG7S8j1WpfgqwZz+EuQqy root@kligon";
   # Add yourself.
   raito = readKeyFile ../pubkeys/raito.keys;
   bensmrs = readKeyFile ../pubkeys/bensmrs.keys;
@@ -10,10 +11,13 @@ let
   matrix-admins = raito ++ bensmrs;
   vaultwarden-admins = raito ++ bensmrs;
   keycloak-admins = raito ++ bensmrs;
+  ldap-bind-admins = raito ++ bensmrs;
+  servers = [ estragon wagon lagon klingon ];
 in
   {
     "matrix-shared-secret.age".publicKeys = [ estragon ] ++ matrix-admins;
     "mautrix-telegram.age".publicKeys = [ estragon ] ++ matrix-admins;
     "vaultwarden-secrets.age".publicKeys = [ wagon ] ++ vaultwarden-admins;
     "keycloak-password-file.age".publicKeys = [ lagon ] ++ keycloak-admins;
+    "ldap-bind-password.age".publicKeys = servers ++ ldap-bind-admins;
   }