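# NixOS module for the System Security Services Daemon (sssd).
#
# `services.sssd.config` is written verbatim into the Nix store, which is
# world-readable.  At every service start its placeholder variables are
# expanded from `services.sssd.environmentFile` with envsubst and the result
# is written to /var/lib/sssd/sssd.conf with mode 0600, so secrets never have
# to enter the store.
{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.services.sssd;

  # Runtime state directory; also used as the systemd StateDirectory.
  dataDir = "/var/lib/sssd";
  # The substituted, private configuration that is actually handed to sssd.
  settingsFile = "${dataDir}/sssd.conf";
  # The unsubstituted configuration as given in Nix.  It is a store path, so
  # it must contain placeholder variables rather than secrets.
  settingsFileUnsubstituted = pkgs.writeText "${dataDir}/sssd-unsubstituted.conf" cfg.config;
in {
  options = {
    services.sssd = {
      enable = mkEnableOption (lib.mdDoc "the System Security Services Daemon");

      # Raw sssd.conf contents.  The default wires nss and pam to the local
      # shadow files through the proxy provider.
      config = mkOption {
        type = types.lines;
        description = lib.mdDoc "Contents of {file}`sssd.conf`.";
        default = ''
          [sssd]
          config_file_version = 2
          services = nss, pam
          domains = shadowutils

          [nss]

          [pam]

          [domain/shadowutils]
          id_provider = proxy
          proxy_lib_name = files
          auth_provider = proxy
          proxy_pam_target = sssd-shadowutils
          proxy_fast_alias = True
        '';
      };

      sshAuthorizedKeysIntegration = mkOption {
        type = types.bool;
        default = false;
        description = lib.mdDoc ''
          Whether to make sshd look up authorized keys from SSS.
          For this to work, the `ssh` SSS service must be enabled in the sssd configuration.
        '';
      };

      kcm = mkOption {
        type = types.bool;
        default = false;
        description = lib.mdDoc ''
          Whether to use SSS as a Kerberos Cache Manager (KCM).
          Kerberos will be configured to cache credentials in SSS.
        '';
      };

      # Optional file from which placeholders in `config` are expanded at
      # service start (see preStart below).
      environmentFile = mkOption {
        type = types.nullOr types.path;
        default = null;
        description = lib.mdDoc ''
          Environment file as defined in {manpage}`systemd.exec(5)`.

          Secrets may be passed to the service without adding them to the world-readable
          Nix store, by specifying placeholder variables as the option value in Nix and
          setting these variables accordingly in the environment file.

          ```
          # snippet of sssd-related config
          [domain/LDAP]
          ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
          ```

          ```
          # contents of the environment file
          SSSD_LDAP_DEFAULT_AUTHTOK=verysecretpassword
          ```
        '';
      };
    };
  };

  config = mkMerge [
    (mkIf cfg.enable {
      systemd.services.sssd = {
        description = "System Security Services Daemon";
        wantedBy = [ "multi-user.target" ];
        # Name lookups must be answerable before user sessions are allowed.
        before = [ "systemd-user-sessions.service" "nss-user-lookup.target" ];
        after = [ "network-online.target" "nscd.service" ];
        requires = [ "network-online.target" "nscd.service" ];
        wants = [ "nss-user-lookup.target" ];
        # The rendered config in ${dataDir} is not a store path and cannot be
        # a trigger itself, so restart on its unsubstituted source instead.
        restartTriggers = [
          config.environment.etc."nscd.conf".source
          settingsFileUnsubstituted
        ];
        script = ''
          export LDB_MODULES_PATH+="''${LDB_MODULES_PATH+:}${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb"
          mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d
          ${pkgs.sssd}/bin/sssd -D -c ${settingsFile}
        '';
        serviceConfig = {
          Type = "forking";
          PIDFile = "/run/sssd.pid";
          StateDirectory = baseNameOf dataDir;
          # We cannot use LoadCredential here because it's not available in ExecStartPre
          EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
        };
        # Render the private config: expand the placeholders of the store
        # copy into ${settingsFile}.  The umask 0177 makes envsubst create the
        # file with mode 0600 (owner-only), since the result may hold secrets;
        # the subshell keeps the umask change local to this step.
        preStart = ''
          rm -f ${settingsFile}
          (
            umask 0177
            ${pkgs.envsubst}/bin/envsubst \
              -o ${settingsFile} \
              -i ${settingsFileUnsubstituted}
          )
        '';
      };

      # Register sss as an NSS source for these databases.
      system.nssModules = [ pkgs.sssd ];
      system.nssDatabases = {
        group = [ "sss" ];
        passwd = [ "sss" ];
        services = [ "sss" ];
        shadow = [ "sss" ];
      };
      services.dbus.packages = [ pkgs.sssd ];
    })

    (mkIf cfg.kcm {
      systemd.services.sssd-kcm = {
        description = "SSSD Kerberos Cache Manager";
        requires = [ "sssd-kcm.socket" ];
        serviceConfig = {
          # The leading "-" means a failure of this step does not abort the start.
          # NOTE(review): unlike the main service no `-c ${settingsFile}` is
          # passed, so this relies on sssd's built-in default config path --
          # confirm it picks up the rendered config.
          ExecStartPre = "-${pkgs.sssd}/bin/sssd --genconf-section=kcm";
          # The KCM responder runs as root.
          ExecStart = "${pkgs.sssd}/libexec/sssd/sssd_kcm --uid 0 --gid 0";
        };
        # Trigger on the same store-side config the sssd service uses; this
        # module does not define an environment.etc entry for sssd.conf, the
        # config is rendered into ${dataDir} instead.
        restartTriggers = [
          settingsFileUnsubstituted
        ];
      };
      systemd.sockets.sssd-kcm = {
        description = "SSSD Kerberos Cache Manager responder socket";
        wantedBy = [ "sockets.target" ];
        # Matches the default in MIT krb5 and Heimdal:
        # https://github.com/krb5/krb5/blob/krb5-1.19.3-final/src/include/kcm.h#L43
        listenStreams = [ "/var/run/.heim_org.h5l.kcm-socket" ];
      };
      # Point Kerberos clients at the KCM responder for credential caching.
      krb5.libdefaults.default_ccache_name = "KCM:";
    })

    (mkIf cfg.sshAuthorizedKeysIntegration {
      # Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable.
      # So indirect by a symlink.
      environment.etc."ssh/authorized_keys_command" = {
        mode = "0755";
        text = ''
          #!/bin/sh
          exec ${pkgs.sssd}/bin/sss_ssh_authorizedkeys "$@"
        '';
      };
      services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
      # sshd runs the lookup helper as an unprivileged user.
      services.openssh.authorizedKeysCommandUser = "nobody";
    })
  ];

  meta.maintainers = with maintainers; [ bbigras ];
}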