From 5da958c996512a82bcb8046faede44c4bc94937f Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Tue, 9 Jan 2024 12:27:51 +0800
Subject: [PATCH] modules: add kanidm-client module
---
 flake.nix | 1 -
 machines/calcite/configuration.nix | 4 --
 machines/dolomite/default.nix | 26 ++++++++++++
 machines/massicot/default.nix | 40 ++++++++++---------
 machines/massicot/services.nix | 12 +++++-
 modules/home-manager/vscode.nix | 2 +-
 modules/nixos/default.nix | 1 +
 modules/nixos/kanidm-client.nix | 64 ++++++++++++++++++++++++++++++
 8 files changed, 124 insertions(+), 26 deletions(-)
 create mode 100644 modules/nixos/kanidm-client.nix
diff --git a/flake.nix b/flake.nix
index f3b3633..e5d7755 100644
--- a/flake.nix
+++ b/flake.nix
@@ -115,7 +115,6 @@ massicot = { name, nodes, pkgs, ... }: with inputs; { deployment.targetHost = "49.13.13.122";
- deployment.targetUser = "xin";
 imports = [ { nixpkgs.system = "aarch64-linux"; }
diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix
index 3309e68..4354bcd 100644
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@@ -119,13 +119,9 @@ services.kanidm = { enableClient = true;
- enablePam = true;
 clientSettings = { uri = "https://auth.xinyang.life"; };
- unixSettings = {
- pam_allowed_login_groups = [ "linux_users" "xin@auth.xinyang.life" "test" ];
- };
 }; # Enable automatic login for the user.
diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix
index f03d8b4..e10df8b 100644
--- a/machines/dolomite/default.nix
+++ b/machines/dolomite/default.nix
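Review bot: Removing `deployment.targetUser = "xin"` while this same commit deletes the local `xin` account on massicot and sets `PermitRootLogin = "no"` there leaves it unclear which account the deployment tool will SSH in as; if its default falls back to root, deploys to massicot will be refused by the new sshd settings. If the intent is to deploy as the Kanidm-backed account (presumably `xin@auth.xinyang.life`, the name used in `sudoers` elsewhere in this commit), spell it out, e.g. `deployment.targetUser = "xin@auth.xinyang.life";`, so the dependency of deployments on the auth server is visible. The enclosing `massicot = …` attribute starts and ends outside the hunk.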
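Review bot: calcite keeps a hand-written `services.kanidm` block while dolomite and massicot switch to the new `custom.kanidm-client` module in this commit; if calcite imports `modules/nixos`, `custom.kanidm-client = { enable = true; uri = "https://auth.xinyang.life/"; };` expresses the same client-only setup and keeps the three hosts consistent. The URI here has no trailing slash whereas the module users pass `https://auth.xinyang.life/`, which is worth normalizing to one form. Dropping `enablePam` and `unixSettings` means Kanidm accounts can no longer log in locally on calcite; that looks intended for an autologin desktop (see the context line that follows), but a one-line comment would save the next reader the guess. The enclosing attribute set starts and ends outside the hunk.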
@@ -46,6 +46,32 @@ }; };
+ custom.kanidm-client = {
+ enable = true;
+ uri = "https://auth.xinyang.life/";
+ asSSHAuth = {
+ enable = true;
+ allowedGroups = [ "linux_users" ];
+ };
+ sudoers = [ "xin@auth.xinyang.life" ];
+ };
+
+ services.openssh = {
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = lib.mkForce "no";
+ GSSAPIAuthentication = "no";
+ KerberosAuthentication = "no";
+ };
+ };
+ services.fail2ban.enable = true;
+
+ security.sudo = {
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ };
+
 services.sing-box = let singTls = { enabled = true;
diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix
index 98328f3..283dadb 100644
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
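Review bot: `wheelNeedsPassword = false` combined with `sudoers = [ "xin@auth.xinyang.life" ]` (which the module places into `wheel`) gives that Kanidm account passwordless root, so the SSH key returned by the AuthorizedKeysCommand is the only thing standing between a leaked key and root on this host. If that trade-off is deliberate for unattended deploys, a one-line comment next to `security.sudo` saying so would help the next reader; otherwise `wheelNeedsPassword = true;` keeps a second check. `PermitRootLogin = lib.mkForce "no"` here versus plain `"no"` on massicot suggests another module on dolomite also sets it; naming that conflicting definition in a comment would explain why the `mkForce` is needed. The enclosing attribute set starts and ends outside the hunk.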
@@ -62,31 +62,33 @@ hostName = "massicot"; };
+ custom.kanidm-client = {
+ enable = true;
+ uri = "https://auth.xinyang.life/";
+ asSSHAuth = {
+ enable = true;
+ allowedGroups = [ "linux_users" ];
+ };
+ sudoers = [ "xin@auth.xinyang.life" ];
+ };
+
+ security.sudo = {
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ };
+
 services.openssh = { enable = true; settings = { PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ GSSAPIAuthentication = "no";
+ KerberosAuthentication = "no";
 }; };
+
+ services.fail2ban.enable = true;
 systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
-
- users.users.xin = {
- isNormalUser = true;
- extraGroups = [ "wheel" "networkmanager" ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBcSvUQnmMFtpftFKIsDqeyUyZHzRg5ewgn3VEcLnss"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeNQ43f/ce4VxVPsAaKPPTp8rokQpmwNIsOX7JBZq4A"
- ];
- hashedPassword = "$y$j9T$JOJn97hZndiDamUmmT.iq.$ue7gNZz/b14ur8GhyutOCvFjsv.3rcsHmk7m.WRk6u7";
- };
-
- security.sudo.extraRules = [
- { users = [ "xin" ];
- commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ];
- }
- ];
- - - }
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index e5ecdcc..9c7504e 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@@ -40,7 +40,7 @@ in value = { device = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; fsType = "cifs";
- options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path}"];
+ options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},rw,x-systemd.automount"];
 }; }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ] );
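Review bot: Deleting `users.users.xin` (its authorized keys and `hashedPassword`) leaves massicot with no local interactive account, so every login now depends on `auth.xinyang.life` being reachable and on the `kanidm-ssh-runner` AuthorizedKeysCommand succeeding; with `PermitRootLogin = "no"` and `PasswordAuthentication = false` there is no break-glass path if the Kanidm server or its client daemon is down. Consider keeping a minimal key-only local account in `wheel` for recovery, or at least documenting the recovery route (e.g. provider console) in a comment next to the `custom.kanidm-client` block. `PermitRootLogin = "no"` is not `mkForce`d here as it is on dolomite in this same commit; if that difference is intentional, a comment saying why would keep the two hosts from drifting. The enclosing attribute set starts outside the hunk.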
@@ -112,6 +112,7 @@ in ROOT_URL = "https://git.xinyang.life/"; START_SSH_SERVER = true; BUILTIN_SSH_SERVER_USER = "git";
+ SSH_USER = "git";
 SSH_DOMAIN = "ssh.xinyang.life"; SSH_PORT = 2222; LFS_MAX_FILE_SIZE = 10737418240;
@@ -138,6 +139,15 @@ in }; };
+ users.users.git = {
+ isSystemUser = true;
+ useDefaultShell = true;
+ group = "git";
+ extraGroups = [ "forgejo" ];
+ };
+ users.groups.git = { };
+
+
 services.caddy = { enable = true; virtualHosts."xinyang.life:443".extraConfig = ''
diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix
index d3b604c..38e70e9 100644
--- a/modules/home-manager/vscode.nix
+++ b/modules/home-manager/vscode.nix
@@ -67,7 +67,7 @@ in 80 ]; "editor.mouseWheelZoom" = true;
- "git.autofetch" = true;
+ "git.autofetch" = false;
 "window.zoomLevel" = -1; "nix.enableLanguageServer" = true;
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 81ab1d0..3ba4a9b 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -6,5 +6,6 @@ ./prometheus.nix ./hedgedoc.nix ./sing-box.nix
+ ./kanidm-client.nix
 ]; }
diff --git a/modules/nixos/kanidm-client.nix b/modules/nixos/kanidm-client.nix
new file mode 100644
index 0000000..8821fc1
--- /dev/null
+++ b/modules/nixos/kanidm-client.nix
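Review bot: The new `git` system user gets a real login shell (`useDefaultShell = true`) and membership in the `forgejo` group, but nothing in the hunk declares keys for it or says why it needs to log in; with `START_SSH_SERVER = true` the SSH side is served by forgejo's builtin server, so if the account exists only so that `SSH_USER = "git"` resolves, dropping `useDefaultShell = true;` leaves it with the nologin shell and the `extraGroups = [ "forgejo" ];` line can likely go too, shrinking what a compromise of that account could read. If instead the system sshd is meant to hand connections to forgejo, a comment stating that (and the matching `services.openssh` wiring) would make the intent checkable. The enclosing attribute set starts and ends outside the hunk.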
@@ -0,0 +1,64 @@
+{ config, pkgs, lib, ... }:
+with lib;
+
+let
+ cfg = config.custom.kanidm-client;
+in
+{
+ options = {
+ custom.kanidm-client = {
+ enable = mkEnableOption "Kanidm client service";
+ asSSHAuth = mkOption {
+ type = types.submodule {
+ options = {
+ enable = mkEnableOption "Kanidm as system authentication source";
+ allowedGroups = mkOption {
+ type = types.listOf types.str;
+ example = [ "linux_users" ];
+ };
+ };
+ };
+ };
+ sudoers = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ };
+ uri = mkOption {
+ type = types.str;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ services.kanidm = mkMerge
+ [ (mkIf cfg.enable {
+ enableClient = true;
+ clientSettings = {
+ uri = cfg.uri;
+ };
+ })
+ (mkIf cfg.asSSHAuth.enable {
+ enablePam = true;
+ unixSettings = {
+ pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups;
+ default_shell = "/bin/sh";
+ };
+ })
+ ];
+ services.openssh = mkIf cfg.asSSHAuth.enable {
+ enable = true;
+ authorizedKeysCommand = "/etc/ssh/auth %u";
+ authorizedKeysCommandUser = "kanidm-ssh-runner";
+ };
+ environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable {
+ mode = "0555";
+ text = ''
+ #!${pkgs.stdenv.shell}
+ ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1
+ '';
+ };
+ users.groups.wheel.members = cfg.sudoers;
+ users.groups.kanidm-ssh-runner = { };
+ users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; };
+ };
+}
+
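Review bot: The AuthorizedKeysCommand wrapper passes the username unquoted (`kanidm_ssh_authorizedkeys $1`); it should be `kanidm_ssh_authorizedkeys "$1"`, and a `set -eu` line after the shebang makes a missing argument or a failing lookup exit non-zero so sshd treats it as "no keys" rather than acting on partial output. The inner `mkIf cfg.enable` inside `mkMerge` is redundant since the whole `config` block is already under `mkIf cfg.enable`. `sudoers` is quietly translated into `users.groups.wheel.members`, which is the root grant on every host importing this module, yet none of the options carry a `description`; at minimum `sudoers` should state `description = "Kanidm accounts added to the wheel group (root via sudo).";` and `allowedGroups` should say it is the list of groups whose members may log in through PAM when `asSSHAuth.enable` is set. `asSSHAuth` has no `default`, so a host that enables the client but never mentions `asSSHAuth` may hit an evaluation error on `cfg.asSSHAuth.enable`; adding `default = { };` to that option would be worth confirming.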