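# NixOS module for the System Security Services Daemon (sssd).
# Declares the `services.sssd.*` options and wires up three optional pieces:
# the sssd service itself, the Kerberos Cache Manager (KCM) responder, and
# the sshd authorized-keys lookup through SSS.
{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.services.sssd;

  # Runtime state directory; also used as systemd's StateDirectory below.
  dataDir = "/var/lib/sssd";
  # The effective config read by sssd. It is generated at service start
  # (see preStart) with mode 0600, so secrets substituted into it never
  # land in the Nix store.
  settingsFile = "${dataDir}/sssd.conf";
  # The raw option value, stored in the (world-readable) Nix store. It may
  # contain `$VAR` placeholders which envsubst replaces from the environment
  # file at start-up. Its store path changes whenever the option changes,
  # which makes it a usable restart trigger.
  settingsFileUnsubstituted = pkgs.writeText "${dataDir}/sssd-unsubstituted.conf" cfg.config;
in {
  options = {
    services.sssd = {
      enable = mkEnableOption (lib.mdDoc "the System Security Services Daemon");

      config = mkOption {
        type = types.lines;
        description = lib.mdDoc "Contents of {file}`sssd.conf`.";
        # Default: local files via the proxy provider, authenticating through
        # the sssd-shadowutils PAM target.
        default = ''
          [sssd]
          config_file_version = 2
          services = nss, pam
          domains = shadowutils

          [nss]

          [pam]

          [domain/shadowutils]
          id_provider = proxy
          proxy_lib_name = files
          auth_provider = proxy
          proxy_pam_target = sssd-shadowutils
          proxy_fast_alias = True
        '';
      };

      sshAuthorizedKeysIntegration = mkOption {
        type = types.bool;
        default = false;
        description = lib.mdDoc ''
          Whether to make sshd look up authorized keys from SSS.
          For this to work, the `ssh` SSS service must be enabled in the sssd configuration.
        '';
      };

      kcm = mkOption {
        type = types.bool;
        default = false;
        description = lib.mdDoc ''
          Whether to use SSS as a Kerberos Cache Manager (KCM).
          Kerberos will be configured to cache credentials in SSS.
        '';
      };

      environmentFile = mkOption {
        type = types.nullOr types.path;
        default = null;
        description = lib.mdDoc ''
          Environment file as defined in {manpage}`systemd.exec(5)`.

          Secrets may be passed to the service without adding them to the world-readable
          Nix store, by specifying placeholder variables as the option value in Nix and
          setting these variables accordingly in the environment file.

          ```
          # snippet of sssd-related config
          [domain/LDAP]
          ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
          ```

          ```
          # contents of the environment file
          SSSD_LDAP_DEFAULT_AUTHTOK=verysecretpassword
          ```
        '';
      };
    };
  };

  config = mkMerge [
    (mkIf cfg.enable {
      # For `sssctl` to work. These are symlinks to fixed paths under dataDir,
      # not store paths, so their `.source` never changes across generations.
      environment.etc."sssd/sssd.conf".source = settingsFile;
      environment.etc."sssd/conf.d".source = "${dataDir}/conf.d";

      systemd.services.sssd = {
        description = "System Security Services Daemon";
        wantedBy = [ "multi-user.target" ];
        before = [ "systemd-user-sessions.service" "nss-user-lookup.target" ];
        after = [ "network-online.target" "nscd.service" ];
        requires = [ "network-online.target" "nscd.service" ];
        wants = [ "nss-user-lookup.target" ];
        # Restart on nscd config changes and on any change to the sssd config
        # option (via the store path of the unsubstituted file).
        restartTriggers = [
          config.environment.etc."nscd.conf".source
          settingsFileUnsubstituted
        ];
        script = ''
          export LDB_MODULES_PATH+="''${LDB_MODULES_PATH+:}${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb"
          mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d
          ${pkgs.sssd}/bin/sssd -D -c ${settingsFile}
        '';
        serviceConfig = {
          Type = "forking";
          PIDFile = "/run/sssd.pid";
          StateDirectory = baseNameOf dataDir;
          # We cannot use LoadCredential here because it's not available in ExecStartPre
          EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
        };
        # Regenerate the effective config on every start: substitute the
        # placeholders from the environment file into a fresh copy created
        # under umask 0177, i.e. readable by the owner only, so substituted
        # secrets are not exposed to other local users.
        preStart = ''
          mkdir -p "${dataDir}/conf.d"
          [ -f ${settingsFile} ] && rm -f ${settingsFile}
          old_umask=$(umask)
          umask 0177
          ${pkgs.envsubst}/bin/envsubst \
            -o ${settingsFile} \
            -i ${settingsFileUnsubstituted}
          umask $old_umask
        '';
      };

      system.nssModules = [ pkgs.sssd ];
      system.nssDatabases = {
        group = [ "sss" ];
        passwd = [ "sss" ];
        services = [ "sss" ];
        shadow = [ "sss" ];
      };
      services.dbus.packages = [ pkgs.sssd ];
    })

    (mkIf cfg.kcm {
      systemd.services.sssd-kcm = {
        description = "SSSD Kerberos Cache Manager";
        requires = [ "sssd-kcm.socket" ];
        serviceConfig = {
          ExecStartPre = "-${pkgs.sssd}/bin/sssd --genconf-section=kcm";
          ExecStart = "${pkgs.sssd}/libexec/sssd/sssd_kcm --uid 0 --gid 0";
        };
        # Use the same trigger as sssd.service. The previous trigger,
        # environment.etc."sssd/sssd.conf".source, resolves to the constant
        # path ${settingsFile} and therefore never restarted the KCM responder
        # when the config option changed.
        restartTriggers = [
          settingsFileUnsubstituted
        ];
      };
      systemd.sockets.sssd-kcm = {
        description = "SSSD Kerberos Cache Manager responder socket";
        wantedBy = [ "sockets.target" ];
        # Matches the default in MIT krb5 and Heimdal:
        # https://github.com/krb5/krb5/blob/krb5-1.19.3-final/src/include/kcm.h#L43
        listenStreams = [ "/var/run/.heim_org.h5l.kcm-socket" ];
      };
      krb5.libdefaults.default_ccache_name = "KCM:";
    })

    (mkIf cfg.sshAuthorizedKeysIntegration {
      # Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable.
      # So indirect by a symlink.
      environment.etc."ssh/authorized_keys_command" = {
        mode = "0755";
        text = ''
          #!/bin/sh
          exec ${pkgs.sssd}/bin/sss_ssh_authorizedkeys "$@"
        '';
      };
      services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
      # Run the lookup helper as an unprivileged user.
      services.openssh.authorizedKeysCommandUser = "nobody";
    })];

  meta.maintainers = with maintainers; [ bbigras ];
}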