From 1d7eec7ad3b43586e8ca0acd5f6bde51cd544732 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Sun, 8 Feb 2026 13:43:41 +0100
Subject: [PATCH] system: add kanidm PAM/NSS client module

Add homelab.kanidm.enable option for central authentication via Kanidm. The module configures:
- PAM/NSS integration with kanidm-unixd
- Client connection to auth.home.2rjus.net
- Login authorization for ssh-users group

Enable on testvm01-03 for testing.

Co-Authored-By: Claude Opus 4.5
---
 hosts/testvm01/configuration.nix | 3 +++
 hosts/testvm02/configuration.nix | 3 +++
 hosts/testvm03/configuration.nix | 3 +++
 system/default.nix | 1 +
 system/kanidm-client.nix | 36 ++++++++++++++++++++++++++++++++
 5 files changed, 46 insertions(+)
 create mode 100644 system/kanidm-client.nix

diff --git a/hosts/testvm01/configuration.nix b/hosts/testvm01/configuration.nix
index ee93d4a..0fe1fa5 100644
--- a/hosts/testvm01/configuration.nix
+++ b/hosts/testvm01/configuration.nix
@@ -25,6 +25,9 @@
   # Enable remote deployment via NATS
   homelab.deploy.enable = true;
 
+  # Enable Kanidm PAM/NSS for central authentication
+  homelab.kanidm.enable = true;
+
   nixpkgs.config.allowUnfree = true;
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";
diff --git a/hosts/testvm02/configuration.nix b/hosts/testvm02/configuration.nix
index 5e6f11b..d63e5b5 100644
--- a/hosts/testvm02/configuration.nix
+++ b/hosts/testvm02/configuration.nix
@@ -25,6 +25,9 @@
   # Enable remote deployment via NATS
   homelab.deploy.enable = true;
 
+  # Enable Kanidm PAM/NSS for central authentication
+  homelab.kanidm.enable = true;
+
   nixpkgs.config.allowUnfree = true;
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";
diff --git a/hosts/testvm03/configuration.nix b/hosts/testvm03/configuration.nix
index 6fd9b48..cd0789d 100644
--- a/hosts/testvm03/configuration.nix
+++ b/hosts/testvm03/configuration.nix
@@ -25,6 +25,9 @@
   # Enable remote deployment via NATS
   homelab.deploy.enable = true;
 
+  # Enable Kanidm PAM/NSS for central authentication
+  homelab.kanidm.enable = true;
+
   nixpkgs.config.allowUnfree = true;
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";
diff --git a/system/default.nix b/system/default.nix
index 9ba5d06..4ab14ac 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -4,6 +4,7 @@
     ./acme.nix
     ./autoupgrade.nix
     ./homelab-deploy.nix
+    ./kanidm-client.nix
     ./monitoring
     ./motd.nix
     ./packages.nix
diff --git a/system/kanidm-client.nix b/system/kanidm-client.nix
new file mode 100644
index 0000000..bae7956
--- /dev/null
+++ b/system/kanidm-client.nix
@@ -0,0 +1,36 @@
+{ lib, config, pkgs, ... }:
+let
+  cfg = config.homelab.kanidm;
+in
+{
+  options.homelab.kanidm = {
+    enable = lib.mkEnableOption "Kanidm PAM/NSS client for central authentication";
+
+    server = lib.mkOption {
+      type = lib.types.str;
+      default = "https://auth.home.2rjus.net";
+      description = "URI of the Kanidm server";
+    };
+
+    allowedLoginGroups = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ "ssh-users" ];
+      description = "Groups allowed to log in via PAM";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.kanidm = {
+      package = pkgs.kanidm_1_8;
+      enablePam = true;
+
+      clientSettings = {
+        uri = cfg.server;
+      };
+
+      unixSettings = {
+        pam_allowed_login_groups = cfg.allowedLoginGroups;
+      };
+    };
+  };
+}
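Review bot: The `server` option in system/kanidm-client.nix is typed `lib.types.str`, so a host override to a plain `http://` or otherwise malformed URI evaluates cleanly and is handed to kanidm-unixd as `clientSettings.uri`, the endpoint every PAM authentication attempt talks to; narrowing the type to `type = lib.types.strMatching "https://.*";` keeps the current default valid and makes such a misconfiguration a build-time error rather than something to discover from login failures or unencrypted traffic. The `allowedLoginGroups` description should say what the gate actually is, since it only feeds `pam_allowed_login_groups` and the name alone does not tell a reader whether NSS resolution of other accounts is also restricted, e.g. `description = "Kanidm groups whose members may authenticate through PAM (kanidm-unixd pam_allowed_login_groups); this is the login gate for every host enabling the module";`. As the module pins `pkgs.kanidm_1_8`, it is worth confirming against that release's unixd configuration reference that `pam_allowed_login_groups` is still read where `unixSettings` places it, because this single key is what keeps non-`ssh-users` accounts from logging in on testvm01-03.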