diff --git a/paris-container.nix b/paris-container.nix
index 854a96b..f7c3a51 100644
--- a/paris-container.nix
+++ b/paris-container.nix
@@ -25,6 +25,12 @@ in {
 default = [ ];
 };
+ ssh-keys = mkOption {
+ type = listOf str;
+ description = "List of SSH keys to use.";
+ default = [ ];
+ };
+
 ldap = {
 image = mkOption {
 type = str;
@@ -126,7 +132,7 @@ in {
 };
 };
- config = {
+ config = mkIf cfg.enable {
 systemd.tmpfiles.rules = [ "d ${cfg.state-directory}/home 0700 root root - -" ];
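Review bot: `ssh-keys` is declared here but no hunk in this commit reads `cfg.ssh-keys`, so setting it has no effect, and the description `"List of SSH keys to use."` does not say whether the strings are authorized public keys or host-key material. If they are authorized keys, the option should be consumed by a user's `openssh.authorizedKeys.keys` in the config block; if they are meant for `services.openssh.hostKeys`, that option takes attribute sets with `path`/`type`, so `listOf str` would be the wrong type. Once the intent is settled I would change the description to something like `description = "Public SSH keys authorized to log in to the container.";`. The options set continues outside this hunk.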
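Review bot: Gating the whole config on `cfg.enable` requires an `enable` option in the `options` block, and neither this hunk nor the options hunk above declares one; if it is not declared elsewhere in the file, evaluation fails with an undefined-attribute error before any of the sssd or ssh settings apply. If it is missing, add `enable = mkEnableOption "the Paris container";` next to the other options. The config attribute set continues past the end of this hunk.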
@@ -168,48 +174,61 @@ in {
 environment.systemPackages = packages;
- services.sssd = {
- enable = true;
- kcm = true;
- environmentFile = hostSecrets.parisSssdEnv.target-file;
- config = lib.generators.toINI { } {
- sssd = {
- config_file_version = 2;
- reconnection_retries = 3;
- sbus_timeout = 30;
- services = concatStringsSep " " [ "nss" "pam" "ssh" ];
- domains = concatStringsSep " " [ cfg.ldap.domain ];
+ services = {
+ opensssh = {
+ enable = true;
+ startWhenNeeded = true;
+ hostKeys = FIXME;
+ settings = {
+ UseDns = true;
+ PermitRootLogin = "no";
 };
+ };
- pam = { reconnection_retries = 3; };
+ sssd = {
+ enable = true;
+ kcm = true;
+ environmentFile = hostSecrets.parisSssdEnv.target-file;
+ config = lib.generators.toINI { } {
+ sssd = {
+ config_file_version = 2;
+ reconnection_retries = 3;
+ sbus_timeout = 30;
+ services = concatStringsSep " " [ "nss" "pam" "ssh" ];
+ domains = concatStringsSep " " [ cfg.ldap.domain ];
+ };
- nss = {
- filter_groups = "root";
- filter_users = "root";
- reconnection_retries = 3;
- };
+ pam = { reconnection_retries = 3; };
- "domain/${cfg.ldap.domain}" = {
- cache_credentials = true;
- id_provider = "ldap";
- chpass_provider = "ldap";
- auth_provider = "ldap";
- access_provider = "ldap";
+ nss = {
+ filter_groups = "root";
+ filter_users = "root";
+ reconnection_retries = 3;
+ };
- ldap_uri = "ldap://localhost:${toString cfg.ldap.port}";
- ldap_schema = "rfc2307bis";
+ "domain/${cfg.ldap.domain}" = {
+ cache_credentials = true;
+ id_provider = "ldap";
+ chpass_provider = "ldap";
+ auth_provider = "ldap";
+ access_provider = "ldap";
- ldap_search_base = cfg.ldap.base;
- ldap_user_search_base = "${cfg.ldap.user-ou},${cfg.ldap.base}";
- ldap_group_search_base = "${cfg.ldap.group-ou},${cfg.ldap.base}";
+ ldap_uri = "ldap://localhost:${toString cfg.ldap.port}";
+ ldap_schema = "rfc2307bis";
- ladp_user_object_class = "user";
- ldap_user_cn = "cn";
- ldap_group_object_class = "group";
- ldap_group_name = "cn";
+ ldap_search_base = cfg.ldap.base;
+ ldap_user_search_base = "${cfg.ldap.user-ou},${cfg.ldap.base}";
+ ldap_group_search_base =
+ "${cfg.ldap.group-ou},${cfg.ldap.base}";
- ldap_default_bind_dn = cfg.ldap.bind-dn;
- ldap_default_authtok = "$LDAP_DEFAULT_AUTHTOKEN";
+ ladp_user_object_class = "user";
+ ldap_user_cn = "cn";
+ ldap_group_object_class = "group";
+ ldap_group_name = "cn";
+
+ ldap_default_bind_dn = cfg.ldap.bind-dn;
+ ldap_default_authtok = "$LDAP_DEFAULT_AUTHTOKEN";
+ };
 };
 };
 };
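Review bot: `hostKeys = FIXME;` is an unbound identifier, so the module fails to evaluate, and the enclosing attribute is spelled `opensssh`, which the module system rejects as a non-existent option (`services.opensssh`) even once the placeholder is filled, so the sshd settings never take effect. Rename it to `openssh = {` and either drop the `hostKeys` line to keep the NixOS default key generation or give it a concrete list of `{ path = …; type = …; }` entries. `UseDns = true` makes sshd perform a reverse lookup for every connection; the NixOS default is false and nothing in this block relies on hostname matching, so I would leave it at the default. The typo `ladp_user_object_class` survives from the removed lines into the new block; sssd does not recognize that key, so the intended object-class setting is never applied and it should read `ldap_user_object_class = "user";`.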