From 220136af25cfa74f26a6f29f59aa5c46540c0dfd Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Tue, 12 Dec 2023 12:57:47 +0100
Subject: [PATCH 1/3] tomate: init sssd

---
 flake.nix | 7 ++++---
 hosts/tomate/configuration.nix | 12 -----------
 modules/sssd.nix | 38 ++++++++++++++++++++++++++++++++++
 3 files changed, 42 insertions(+), 15 deletions(-)
 create mode 100644 modules/sssd.nix

diff --git a/flake.nix b/flake.nix
index 4f6d469..99931d8 100755
--- a/flake.nix
+++ b/flake.nix
@@ -81,9 +81,10 @@
 ./modules/base.nix
 ./modules/zsh.nix
 ./modules/fail2ban.nix
- # {
- # sops.defaultSopsFile = ./secrets/tomate.yaml;
- # }
+ ./modules/sssd.nix
+ {
+ sops.defaultSopsFile = ./secrets/tomate.yaml;
+ }
 ];
 };
 };
diff --git a/hosts/tomate/configuration.nix b/hosts/tomate/configuration.nix
index d66d266..f3ca92f 100644
--- a/hosts/tomate/configuration.nix
+++ b/hosts/tomate/configuration.nix
@@ -101,18 +101,6 @@
 # Enable touchpad support (enabled default in most desktopManager).
 # services.xserver.libinput.enable = true;

- # Define a user account. Don't forget to set a password with ‘passwd’.
- users.users.fsr = {
- isNormalUser = true;
- description = "FSR Informatik";
- extraGroups = [ "networkmanager" ];
- packages = with pkgs; [
- firefox
- kate
- # thunderbird
- ];
- };
-
 # Allow unfree packages
 nixpkgs.config.allowUnfree = true;

diff --git a/modules/sssd.nix b/modules/sssd.nix
new file mode 100644
index 0000000..4102777
--- /dev/null
+++ b/modules/sssd.nix
@@ -0,0 +1,38 @@
+{ config, ...}:
+{
+ sops.secrets = {
+ "sssd/env"= {};
+
+ };
+ services.sssd = {
+ enable = true;
+ environmentFile = config.sops.secrets."sssd/env".path;
+ sshAuthorizedKeysIntegration = true;
+ config = ''
+ [sssd]
+ config_file_version = 2
+ services = nss, pam, ssh
+ domains = ldap
+
+ [ssh]
+
+ [nss]
+
+ [pam]
+
+ [domain/ldap]
+ auth_provider = ldap
+ ldap_uri = ldaps://auth.ifsr.de
+ ldap_default_authtok_type = password
+ ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
+ ldap_search_base = dc=ifsr,dc=de
+ id_provider = ldap
+ ldap_default_bind_dn = uid=search,ou=users,dc=ifsr,dc=de
+ cache_credentials = True
+ ldap_tls_cacert = /etc/ssl/certs/ca-bundle.crt
+ ldap_tls_reqcert = hard
+ '';
+
+ };
+ security.pam.services.sshd.makeHomeDir = true;
+}
\ No newline at end of file
-- 2.44.2

From 1789ac741d76201933a5f0465067458c50484cb7 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Tue, 12 Dec 2023 13:01:08 +0100
Subject: [PATCH 2/3] formatting

---
 modules/sssd.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/sssd.nix b/modules/sssd.nix
index 4102777..77563b8 100644
--- a/modules/sssd.nix
+++ b/modules/sssd.nix
@@ -1,7 +1,7 @@
-{ config, ...}:
+{ config, ... }:
 {
 sops.secrets = {
- "sssd/env"= {};
+ "sssd/env" = { };

 };
 services.sssd = {
@@ -32,7 +32,7 @@
 ldap_tls_cacert = /etc/ssl/certs/ca-bundle.crt
 ldap_tls_reqcert = hard
 '';
-
+
 };
 security.pam.services.sshd.makeHomeDir = true;
-}
\ No newline at end of file
+}
-- 2.44.2

From 2eb832c8a928f062706469022791ce879231833e Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Tue, 12 Dec 2023 13:04:03 +0100
Subject: [PATCH 3/3] better homedir creation

---
 modules/sssd.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/sssd.nix b/modules/sssd.nix
index 77563b8..a23a0bb 100644
--- a/modules/sssd.nix
+++ b/modules/sssd.nix
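Review bot: The `[domain/ldap]` section declares no `access_provider`, so SSSD falls back to `permit` and any directory account that can bind is allowed to log in on this host — and with `sshAuthorizedKeysIntegration = true` and `makeHomeDir = true` its keys are handed to sshd and a home directory is created on first login. Restrict this to the accounts meant for this machine, e.g. `access_provider = ldap` together with `ldap_access_filter = (memberOf=<DN of the group allowed on tomate>)` in the same section. `cache_credentials = True` is set without an `offline_credentials_expiration` in `[pam]`, and the sssd.conf(5) default is no expiry, so a user disabled in LDAP keeps working here whenever auth.ifsr.de is unreachable; `offline_credentials_expiration = 7` (days) bounds that window. Since the earlier hunk also drops the local `fsr` account, the host presumably has no non-root local login left if the directory is down before any credentials have been cached — worth confirming a break-glass path exists.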
@@ -34,5 +34,8 @@
 '';

 };
- security.pam.services.sshd.makeHomeDir = true;
+ security.pam.services = {
+ sshd.makeHomeDir = true;
+ login.makeHomeDir = true;
+ };
 }
-- 2.44.2