Switch to SSL port, accepting any cert.

2024-06-06 10:34:50 -07:00 · 2024-06-06 10:34:50 -07:00 · 2c904663d1
parent 58b406465c
commit 2c904663d1
1 changed files with 15 additions and 3 deletions
--- a/paris-container.nix
+++ b/paris-container.nix
@ -35,6 +35,12 @@ in {
      default = [ ];
    };

+    nixos-modules = mkOption {
+      type = listOf package;
+      default = [ ];
+      description = "NixOS modules to add to Paris.";
+    };
+
    kerberos = mkOption {
      type = nullOr (submodule {
        options = {
@ -62,7 +68,7 @@ in {
      port = mkOption {
        type = port;
        description = "Port on which to listen for LDAP requests.";
-        default = 4389;
+        default = 4636;
      };

      access-group = mkOption {
@ -233,7 +239,7 @@ in {
      image = cfg.ldap.image;
      autoStart = true;
      ports =
-        map (ip: "${ip}:${toString cfg.ldap.port}:3389") cfg.ldap.listen-ips;
+        map (ip: "${ip}:${toString cfg.ldap.port}:6636") cfg.ldap.listen-ips;
      environmentFiles = [ hostSecrets.parisLdapEnv.target-file ];
    };

@ -281,7 +287,10 @@ in {
          '';
        };

-        security.pam.krb5.enable = true;
+        security.pam = {
+          krb5.enable = true;
+          services.sshd.makeHomeDir = true;
+        };

        krb5 = mkIf (!isNull cfg.kerberos) {
          enable = true;
@ -295,6 +304,7 @@ in {
          openssh = {
            enable = true;
            startWhenNeeded = true;
+            permiitRootLogin = "no";
            hostKeys = map (keypair: {
              path = "/run/openssh/keys/${keypairFilename keypair}";
              type = keypair.key-type;
@ -351,6 +361,8 @@ in {

                ldap_default_bind_dn = cfg.ldap.bind-dn;
                ldap_default_authtok = "$LDAP_DEFAULT_AUTHTOKEN";
+
+                ldap_tls_reqcert = "allow";
              };
            };
          };