{ config, lib, pkgs, ... }:

let
  inherit (lib) mkEnableOption mkIf mkMerge mkOption types;

  cfg = config.services.sssd;
  nscdCfg = config.services.nscd;

  # Default sssd.conf: the nss and pam responders are served by a single
  # "shadowutils" domain that proxies to the local files database, so the
  # module is usable without pointing it at an external directory.
  defaultConfig = ''
    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = shadowutils

    [nss]

    [pam]

    [domain/shadowutils]
    id_provider = proxy
    proxy_lib_name = files
    auth_provider = proxy
    proxy_pam_target = sssd-shadowutils
    proxy_fast_alias = True
  '';

  # Wrapper that sshd runs as its AuthorizedKeysCommand; it just hands the
  # arguments sshd supplies on to sss_ssh_authorizedkeys.
  authorizedKeysWrapper = ''
    #!/bin/sh
    exec ${pkgs.sssd}/bin/sss_ssh_authorizedkeys "$@"
  '';
in
{
  options.services.sssd = {
    enable = mkEnableOption "the System Security Services Daemon.";

    config = mkOption {
      type = types.lines;
      default = defaultConfig;
      description = "Contents of <filename>sssd.conf</filename>.";
    };

    sshAuthorizedKeysIntegration = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to make sshd look up authorized keys from SSS.
        For this to work, the <literal>ssh</literal> SSS service must be enabled in the sssd configuration.
      '';
    };
  };

  config = mkMerge [
    (mkIf cfg.enable {
      # The nscd configuration shipped below and the unit ordering on
      # nscd.service both assume nscd is running, so fail evaluation early.
      assertions = [
        {
          assertion = nscdCfg.enable;
          message = "nscd must be enabled through `services.nscd.enable` for SSSD to work.";
        }
      ];

      systemd.services.sssd = {
        description = "System Security Services Daemon";
        wantedBy = [ "multi-user.target" ];
        # Order the daemon before user sessions and NSS consumers, and after
        # the network and nscd it depends on.
        before = [ "systemd-user-sessions.service" "nss-user-lookup.target" ];
        after = [ "network-online.target" "nscd.service" ];
        requires = [ "network-online.target" "nscd.service" ];
        wants = [ "nss-user-lookup.target" ];
        # Restart whenever either rendered configuration file changes.
        restartTriggers = [
          config.environment.etc."nscd.conf".source
          config.environment.etc."sssd/sssd.conf".source
        ];
        # ''${...} is a Nix escape: the shell receives a literal ${LDB_MODULES_PATH+:}
        # so an already-set LDB_MODULES_PATH is prefixed rather than clobbered.
        script = ''
          export LDB_MODULES_PATH+="''${LDB_MODULES_PATH+:}${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb"
          mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d
          ${pkgs.sssd}/bin/sssd -D
        '';
        serviceConfig = {
          Type = "forking";
          PIDFile = "/run/sssd.pid";
        };
      };

      # Mode 0400 limits the rendered sssd.conf to its owner.
      environment.etc."sssd/sssd.conf" = {
        text = cfg.config;
        mode = "0400";
      };

      system.nssModules = [ pkgs.sssd ];
      services.nscd.config = builtins.readFile ./nscd-sssd.conf;
      services.dbus.packages = [ pkgs.sssd ];
    })

    (mkIf cfg.sshAuthorizedKeysIntegration {
      # sshd refuses to start when its AuthorizedKeysCommand lives under
      # /nix/store, because the store is group-writable; indirect through a
      # path under /etc instead.
      environment.etc."ssh/authorized_keys_command" = {
        mode = "0755";
        text = authorizedKeysWrapper;
      };
      services.openssh.extraConfig = ''
        AuthorizedKeysCommand /etc/ssh/authorized_keys_command
        AuthorizedKeysCommandUser nobody
      '';
    })
  ];
}