nixos/modules/security/google_oslogin.nix at 24.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / security / google_oslogin.nix
at 24.11-pre 2.2 kB view raw
 1{ config, lib, pkgs, ... }:
 2
 3with lib;
 4
 5let
 6
 7  cfg = config.security.googleOsLogin;
 8  package = pkgs.google-guest-oslogin;
 9
10in
11
12{
13
14  options = {
15
16    security.googleOsLogin.enable = mkOption {
17      type = types.bool;
18      default = false;
19      description = ''
20        Whether to enable Google OS Login.
21
22        The OS Login package enables the following components:
23        AuthorizedKeysCommand to query valid SSH keys from the user's OS Login
24        profile during ssh authentication phase.
25        NSS Module to provide user and group information
26        PAM Module for the sshd service, providing authorization and
27        authentication support, allowing the system to use data stored in
28        Google Cloud IAM permissions to control both, the ability to log into
29        an instance, and to perform operations as root (sudo).
30      '';
31    };
32
33  };
34
35  config = mkIf cfg.enable {
36    security.pam.services.sshd = {
37      makeHomeDir = true;
38      googleOsLoginAccountVerification = true;
39      googleOsLoginAuthentication = true;
40    };
41
42    security.sudo.extraConfig = ''
43      #includedir /run/google-sudoers.d
44    '';
45    security.sudo-rs.extraConfig = ''
46      #includedir /run/google-sudoers.d
47    '';
48
49    systemd.tmpfiles.rules = [
50      "d /run/google-sudoers.d 750 root root -"
51      "d /var/google-users.d 750 root root -"
52    ];
53
54    systemd.packages = [ package ];
55    systemd.timers.google-oslogin-cache.wantedBy = [ "timers.target" ];
56
57    # enable the nss module, so user lookups etc. work
58    system.nssModules = [ package ];
59    system.nssDatabases.passwd = [ "cache_oslogin" "oslogin" ];
60    system.nssDatabases.group = [ "cache_oslogin" "oslogin" ];
61
62    # Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable.
63    # So indirect by a symlink.
64    environment.etc."ssh/authorized_keys_command_google_oslogin" = {
65      mode = "0755";
66      text = ''
67        #!/bin/sh
68        exec ${package}/bin/google_authorized_keys "$@"
69      '';
70    };
71    services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command_google_oslogin %u";
72    services.openssh.authorizedKeysCommandUser = "nobody";
73  };
74
75}