diff --git a/flake.nix b/flake.nix
index 4f6d469..99931d8 100755
--- a/flake.nix
+++ b/flake.nix
@@ -81,9 +81,10 @@
 ./modules/base.nix
 ./modules/zsh.nix
 ./modules/fail2ban.nix
- # {
- # sops.defaultSopsFile = ./secrets/tomate.yaml;
- # }
+ ./modules/sssd.nix
+ {
+ sops.defaultSopsFile = ./secrets/tomate.yaml;
+ }
 ];
 };
 };
diff --git a/hosts/tomate/configuration.nix b/hosts/tomate/configuration.nix
index d66d266..f3ca92f 100644
--- a/hosts/tomate/configuration.nix
+++ b/hosts/tomate/configuration.nix
@@ -101,18 +101,6 @@
 # Enable touchpad support (enabled default in most desktopManager).
 # services.xserver.libinput.enable = true;
 
- # Define a user account. Don't forget to set a password with ‘passwd’.
- users.users.fsr = {
- isNormalUser = true;
- description = "FSR Informatik";
- extraGroups = [ "networkmanager" ];
- packages = with pkgs; [
- firefox
- kate
- # thunderbird
- ];
- };
-
 # Allow unfree packages
 nixpkgs.config.allowUnfree = true;
 
diff --git a/modules/sssd.nix b/modules/sssd.nix
new file mode 100644
index 0000000..a23a0bb
--- /dev/null
+++ b/modules/sssd.nix
@@ -0,0 +1,41 @@
+{ config, ... }:
+{
+ sops.secrets = {
+ "sssd/env" = { };
+
+ };
+ services.sssd = {
+ enable = true;
+ environmentFile = config.sops.secrets."sssd/env".path;
+ sshAuthorizedKeysIntegration = true;
+ config = ''
+ [sssd]
+ config_file_version = 2
+ services = nss, pam, ssh
+ domains = ldap
+
+ [ssh]
+
+ [nss]
+
+ [pam]
+
+ [domain/ldap]
+ auth_provider = ldap
+ ldap_uri = ldaps://auth.ifsr.de
+ ldap_default_authtok_type = password
+ ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
+ ldap_search_base = dc=ifsr,dc=de
+ id_provider = ldap
+ ldap_default_bind_dn = uid=search,ou=users,dc=ifsr,dc=de
+ cache_credentials = True
+ ldap_tls_cacert = /etc/ssl/certs/ca-bundle.crt
+ ldap_tls_reqcert = hard
+ '';
+
+ };
+ security.pam.services = {
+ sshd.makeHomeDir = true;
+ login.makeHomeDir = true;
+ };
+}
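Review bot: The `[domain/ldap]` section in the new modules/sssd.nix sets no `access_provider`, so SSSD falls back to its default of `permit`; combined with `sshAuthorizedKeysIntegration = true` and `makeHomeDir = true`, every account in the directory that carries an SSH key can log in to this host and get a home directory created. If host access is meant to be restricted to a subset of users, add `access_provider = ldap` together with `ldap_access_filter = <placeholder: filter matching the permitted group>` (or `access_provider = simple` with `simple_allow_groups`), and add a comment stating that unrestricted directory-wide login is intentional if it is. The `$SSSD_LDAP_DEFAULT_AUTHTOK` placeholder is only substituted if the `sssd/env` sops secret actually defines that variable, which this diff cannot show; a one-line comment above `sops.secrets` naming the expected variable would make that contract visible. The TLS settings (`ldaps://`, pinned `ldap_tls_cacert`, `ldap_tls_reqcert = hard`) are sound as written.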