docs: add NAS integration notes to auth plan
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m4s

Document TrueNAS CORE LDAP integration approach (NFS-only) and
future NixOS NAS migration path with native Kanidm PAM/NSS.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 23:24:37 +01:00
parent f0963624bc
commit 3dc4422ba0
@@ -119,6 +119,33 @@ services.kanidm.enablePam = true;
services.kanidm.clientSettings.uri = "https://auth.home.2rjus.net"; services.kanidm.clientSettings.uri = "https://auth.home.2rjus.net";
``` ```
## NAS Integration
### Current: TrueNAS CORE (FreeBSD)
TrueNAS CORE has a built-in LDAP client. Kanidm's read-only LDAP interface will work for NFS share permissions:
- **NFS shares**: Only need consistent UID/GID mapping - Kanidm's LDAP provides this
- **No SMB requirement**: SMB would need Samba schema attributes (deprecated in TrueNAS 13.0+), but we're NFS-only
Configuration approach:
1. Enable Kanidm's LDAP interface (`ldapbindaddress = "0.0.0.0:636"`)
2. Import internal CA certificate into TrueNAS
3. Configure TrueNAS LDAP client with Kanidm's Base DN and bind credentials
4. Users/groups appear in TrueNAS permission dropdowns
Note: Kanidm's LDAP is read-only and uses LDAPS only (no StartTLS). This is fine for our use case.
### Future: NixOS NAS
When the NAS is migrated to NixOS, it becomes a first-class citizen:
- Native Kanidm PAM/NSS integration (same as other hosts)
- No LDAP compatibility layer needed
- Full integration with the rest of the homelab
This future migration path is a strong argument for Kanidm over LDAP-only solutions.
## Implementation Steps ## Implementation Steps
1. **Create Kanidm service module** in `services/kanidm/` 1. **Create Kanidm service module** in `services/kanidm/`
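Review bot: step 1's `ldapbindaddress = "0.0.0.0:636"` exposes the LDAP listener on every interface and on a privileged port, while the only consumer this section names is the TrueNAS host; bind it to the NAS-facing address instead, and consider a port above 1024 as in Kanidm's own example config (3636), which avoids running the listener with the privileges port 636 requires. Step 4 ("Users/groups appear in TrueNAS permission dropdowns") only holds for entries with the posix extension: Kanidm serves uidNumber/gidNumber over LDAP only for posix-enabled accounts and groups, so the section should state that every NFS user and every group used in a share ACL gets `posix set`. Step 3 mentions bind credentials without saying which account TrueNAS binds as; name a dedicated service account there so the NAS never holds a person's credentials.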
@@ -139,7 +166,8 @@ services.kanidm.clientSettings.uri = "https://auth.home.2rjus.net";
- Configure trusted CA - Configure trusted CA
5. **Test NAS integration** 5. **Test NAS integration**
- Verify UID/GID mapping works with NFS/SMB shares - Configure TrueNAS LDAP client to connect to Kanidm
- Verify UID/GID mapping works with NFS shares
6. **Migrate auth01** 6. **Migrate auth01**
- Remove LLDAP and Authelia services - Remove LLDAP and Authelia services
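Review bot: "Verify UID/GID mapping works with NFS shares" in step 5 has no repeatable check; spell one out, e.g. create a file on the share from a host with Kanidm PAM/NSS enabled, compare `ls -ln` on that client with the owner TrueNAS reports for the same path, and confirm that a Kanidm group referenced in a share ACL resolves to its members on the NAS. Since the "Configure trusted CA" sub-step is what makes the LDAPS connection meaningful, the test should also confirm the TrueNAS LDAP client actually validates the server certificate (the bind should fail before the CA is imported, not succeed).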
@@ -156,7 +184,6 @@ services.kanidm.clientSettings.uri = "https://auth.home.2rjus.net";
- What UID/GID range should be reserved for Kanidm-managed users? - What UID/GID range should be reserved for Kanidm-managed users?
- Which hosts should have PAM/NSS enabled initially? - Which hosts should have PAM/NSS enabled initially?
- What OAuth2 clients are needed at launch? - What OAuth2 clients are needed at launch?
- Should LDAP interface be enabled for any legacy services?
## References ## References
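Review bot: dropping "Should LDAP interface be enabled for any legacy services?" is consistent with the NAS section deciding the interface is enabled for TrueNAS, but the NAS integration raises two open questions that deserve to take its place rather than leaving the list shorter: which Kanidm account TrueNAS binds as and how that credential is rotated, and how the UID/GID range reserved for Kanidm users (the first question above) relates to the UIDs that already own files on the existing NFS datasets, since any mismatch means a chown pass during the migration.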