diff options
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/config/nsswitch.nix | 8 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 21 | ||||
-rw-r--r-- | nixos/modules/services/misc/nscd-sssd.conf | 36 | ||||
-rw-r--r-- | nixos/modules/services/misc/sssd.nix | 97 | ||||
-rw-r--r-- | nixos/modules/services/system/nscd.nix | 13 |
6 files changed, 169 insertions, 7 deletions
diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix index 3f96cea22706..4e5de421d8ac 100644 --- a/nixos/modules/config/nsswitch.nix +++ b/nixos/modules/config/nsswitch.nix @@ -9,6 +9,7 @@ let inherit (config.services.avahi) nssmdns; inherit (config.services.samba) nsswins; ldap = (config.users.ldap.enable && config.users.ldap.nsswitch); + sssd = config.services.sssd.enable; hostArray = [ "files" "mymachines" ] ++ optionals nssmdns [ "mdns_minimal [!UNAVAIL=return]" ] @@ -18,12 +19,17 @@ let ++ ["myhostname" ]; passwdArray = [ "files" ] + ++ optional sssd "sss" ++ optionals ldap [ "ldap" ] ++ [ "mymachines" ]; shadowArray = [ "files" ] + ++ optional sssd "sss" ++ optionals ldap [ "ldap" ]; + servicesArray = [ "files" ] + ++ optional sssd "sss"; + in { options = { @@ -60,7 +66,7 @@ in { networks: files ethers: files - services: files + services: ${concatStringsSep " " servicesArray} protocols: files rpc: files ''; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index be09fb80e0ac..2171809e51be 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -285,6 +285,7 @@ ./services/misc/siproxd.nix ./services/misc/sonarr.nix ./services/misc/spice-vdagentd.nix + ./services/misc/sssd.nix ./services/misc/subsonic.nix ./services/misc/sundtek.nix ./services/misc/svnserve.nix diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index f9aa4136c8d6..96e7c45d4963 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -233,6 +233,8 @@ let account sufficient pam_unix.so ${optionalString use_ldap "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"} + ${optionalString config.services.sssd.enable + "account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"} ${optionalString config.krb5.enable "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"} @@ -273,6 +275,8 @@ let "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"} ${optionalString use_ldap "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"} + ${optionalString config.services.sssd.enable + "auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass"} ${optionalString config.krb5.enable '' auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass @@ -288,6 +292,8 @@ let "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} ${optionalString use_ldap "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"} + ${optionalString config.services.sssd.enable + "password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok"} ${optionalString config.krb5.enable "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"} ${optionalString config.services.samba.syncPasswordsByPam @@ -303,13 +309,15 @@ let if config.boot.isContainer then "optional" else "required" } pam_loginuid.so"} ${optionalString cfg.makeHomeDir - "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=/etc/skel umask=0022"} + "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0022"} ${optionalString cfg.updateWtmp "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"} ${optionalString config.security.pam.enableEcryptfs "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} ${optionalString use_ldap "session optional ${pam_ldap}/lib/security/pam_ldap.so"} + ${optionalString config.services.sssd.enable + "session optional ${pkgs.sssd}/lib/security/pam_sss.so"} ${optionalString config.krb5.enable "session optional ${pam_krb5}/lib/security/pam_krb5.so"} ${optionalString cfg.otpwAuth @@ -397,6 +405,16 @@ in ''; }; + security.pam.makeHomeDir.skelDirectory = mkOption { + type = types.str; + default = "/var/empty"; + example = "/etc/skel"; + description = '' + Path to skeleton directory whose contents are copied to home + directories newly created by <literal>pam_mkhomedir</literal>. + ''; + }; + security.pam.enableSSHAgentAuth = mkOption { default = false; description = @@ -447,6 +465,7 @@ in # Include the PAM modules in the system path mostly for the manpages. [ pkgs.pam ] ++ optional config.users.ldap.enable pam_ldap + ++ optional config.services.sssd.enable pkgs.sssd ++ optionals config.krb5.enable [pam_krb5 pam_ccreds] ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ] ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ] diff --git a/nixos/modules/services/misc/nscd-sssd.conf b/nixos/modules/services/misc/nscd-sssd.conf new file mode 100644 index 000000000000..92380f3e4ba4 --- /dev/null +++ b/nixos/modules/services/misc/nscd-sssd.conf @@ -0,0 +1,36 @@ +server-user nscd +threads 1 +paranoia no +debug-level 0 + +enable-cache passwd yes +positive-time-to-live passwd 0 +negative-time-to-live passwd 0 +suggested-size passwd 211 +check-files passwd yes +persistent passwd no +shared passwd yes + +enable-cache group yes +positive-time-to-live group 0 +negative-time-to-live group 0 +suggested-size group 211 +check-files group yes +persistent group no +shared group yes + +enable-cache hosts yes +positive-time-to-live hosts 600 +negative-time-to-live hosts 5 +suggested-size hosts 211 +check-files hosts yes +persistent hosts no +shared hosts yes + +enable-cache services yes +positive-time-to-live services 0 +negative-time-to-live services 0 +suggested-size services 211 +check-files services yes +persistent services no +shared services yes diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix new file mode 100644 index 000000000000..e818f4a4804d --- /dev/null +++ b/nixos/modules/services/misc/sssd.nix @@ -0,0 +1,97 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.sssd; + nscd = config.services.nscd; +in { + options = { + services.sssd = { + enable = mkEnableOption "the System Security Services Daemon."; + + config = mkOption { + type = types.lines; + description = "Contents of <filename>sssd.conf</filename>."; + default = '' + [sssd] + config_file_version = 2 + services = nss, pam + domains = shadowutils + + [nss] + + [pam] + + [domain/shadowutils] + id_provider = proxy + proxy_lib_name = files + auth_provider = proxy + proxy_pam_target = sssd-shadowutils + proxy_fast_alias = True + ''; + }; + + sshAuthorizedKeysIntegration = mkOption { + type = types.bool; + default = false; + description = '' + Whether to make sshd look up authorized keys from SSS. + For this to work, the <literal>ssh</literal> SSS service must be enabled in the sssd configuration. + ''; + }; + }; + }; + config = mkMerge [ + (mkIf cfg.enable { + assertions = singleton { + assertion = nscd.enable; + message = "nscd must be enabled through `services.nscd.enable` for SSSD to work."; + }; + + systemd.services.sssd = { + description = "System Security Services Daemon"; + wantedBy = [ "multi-user.target" ]; + before = [ "systemd-user-sessions.service" "nss-user-lookup.target" ]; + after = [ "network-online.target" "nscd.service" ]; + requires = [ "network-online.target" "nscd.service" ]; + wants = [ "nss-user-lookup.target" ]; + restartTriggers = [ + config.environment.etc."nscd.conf".source + config.environment.etc."sssd/sssd.conf".source + ]; + script = '' + export LDB_MODULES_PATH+="''${LDB_MODULES_PATH+:}${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb" + mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d + ${pkgs.sssd}/bin/sssd -D + ''; + serviceConfig = { + Type = "forking"; + PIDFile = "/run/sssd.pid"; + }; + }; + + environment.etc."sssd/sssd.conf" = { + text = cfg.config; + mode = "0400"; + }; + + system.nssModules = optional cfg.enable pkgs.sssd; + services.nscd.config = builtins.readFile ./nscd-sssd.conf; + services.dbus.packages = [ pkgs.sssd ]; + }) + + (mkIf cfg.sshAuthorizedKeysIntegration { + # Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable. + # So indirect by a symlink. + environment.etc."ssh/authorized_keys_command" = { + mode = "0755"; + text = '' + #!/bin/sh + exec ${pkgs.sssd}/bin/sss_ssh_authorizedkeys "$@" + ''; + }; + services.openssh.extraConfig = '' + AuthorizedKeysCommand /etc/ssh/authorized_keys_command + AuthorizedKeysCommandUser nobody + ''; + })]; +} diff --git a/nixos/modules/services/system/nscd.nix b/nixos/modules/services/system/nscd.nix index d98ef8a306d5..eb4b5281c7c6 100644 --- a/nixos/modules/services/system/nscd.nix +++ b/nixos/modules/services/system/nscd.nix @@ -9,8 +9,6 @@ let inherit (lib) singleton; - cfgFile = pkgs.writeText "nscd.conf" cfg.config; - in { @@ -41,6 +39,7 @@ in ###### implementation config = mkIf cfg.enable { + environment.etc."nscd.conf".text = cfg.config; users.extraUsers.nscd = { isSystemUser = true; @@ -61,10 +60,14 @@ in mkdir -m 0755 -p /var/db/nscd ''; - restartTriggers = [ config.environment.etc.hosts.source config.environment.etc."nsswitch.conf".source ]; + restartTriggers = [ + config.environment.etc.hosts.source + config.environment.etc."nsswitch.conf".source + config.environment.etc."nscd.conf".source + ]; serviceConfig = - { ExecStart = "@${pkgs.glibc.bin}/sbin/nscd nscd -f ${cfgFile}"; + { ExecStart = "@${pkgs.glibc.bin}/sbin/nscd nscd"; Type = "forking"; PIDFile = "/run/nscd/nscd.pid"; Restart = "always"; @@ -79,7 +82,7 @@ in # its pid. So wait until it's ready. postStart = '' - while ! ${pkgs.glibc.bin}/sbin/nscd -g -f ${cfgFile} > /dev/null; do + while ! ${pkgs.glibc.bin}/sbin/nscd -g > /dev/null; do sleep 0.2 done ''; |