commit d54387fcd0ccd62acebb6ed02bdf60e749207f44 · pyrox.dev/nixpkgs

+33 -3
nixos/modules/system/boot/systemd/userdbd.nix
···

       4
       4
        
         cfg = config.services.userdbd;

     

       5
       5
        
       in

     

       6
       6
        
       {

     

       7
       7
       -
         options.services.userdbd.enable = lib.mkEnableOption ''

     

       8
       8
       -
           the systemd JSON user/group record lookup service

     

       9
       9
       -
         '';

     

       7
       7
       +
         options.services.userdbd = {

     

       8
       8
       +
           enable = lib.mkEnableOption ''

     

       9
       9
       +
             the systemd JSON user/group record lookup service

     

       10
       10
       +
           '';

     

       11
       11
       +
       

     

       12
       12
       +
           enableSSHSupport = lib.mkEnableOption ''

     

       13
       13
       +
             exposing OpenSSH public keys defined in userdb. Be aware that this

     

       14
       14
       +
             enables modifying public keys at runtime, either by users managed by

     

       15
       15
       +
             {option}`services.homed`, or globally via drop-in files

     

       16
       16
       +
           '';

     

       17
       17
       +
         };

     

       18
       18
       +
       

     

       10
       19
        
         config = lib.mkIf cfg.enable {

     

       20
       20
       +
           assertions = lib.singleton {

     

       21
       21
       +
             assertion = cfg.enableSSHSupport -> config.security.enableWrappers;

     

       22
       22
       +
             message = "OpenSSH userdb integration requires security wrappers.";

     

       23
       23
       +
           };

     

       24
       24
       +
       

     

       11
       25
        
           systemd.additionalUpstreamSystemUnits = [

     

       12
       26
        
             "systemd-userdbd.socket"

     

       13
       27
        
             "systemd-userdbd.service"

     

       14
       28
        
           ];

     

       15
       29
        
       

     

       16
       30
        
           systemd.sockets.systemd-userdbd.wantedBy = [ "sockets.target" ];

     

       31
       31
       +
       

     

       32
       32
       +
           # OpenSSH requires AuthorizedKeysCommand to be owned only by root.

     

       33
       33
       +
           # Referencing `userdbctl` directly from the Nix store won't work, as

     

       34
       34
       +
           # `/nix/store` is owned by the `nixbld` group.

     

       35
       35
       +
           security.wrappers = lib.mkIf cfg.enableSSHSupport {

     

       36
       36
       +
             userdbctl = {

     

       37
       37
       +
               owner = "root";

     

       38
       38
       +
               group = "root";

     

       39
       39
       +
               source = lib.getExe' config.systemd.package "userdbctl";

     

       40
       40
       +
             };

     

       41
       41
       +
           };

     

       42
       42
       +
       

     

       43
       43
       +
           services.openssh = lib.mkIf cfg.enableSSHSupport {

     

       44
       44
       +
             authorizedKeysCommand = "/run/wrappers/bin/userdbctl ssh-authorized-keys %u";

     

       45
       45
       +
             authorizedKeysCommandUser = "root";

     

       46
       46
       +
           };

     

       17
       47
        
         };

     

       18
       48
        
       }