diff --git a/docs/plans/auth-system-replacement.md b/docs/plans/auth-system-replacement.md new file mode 100644 index 0000000..0f4ffc3 --- /dev/null +++ b/docs/plans/auth-system-replacement.md @@ -0,0 +1,165 @@ +# Authentication System Replacement Plan + +## Overview + +Replace the current auth01 setup (LLDAP + Authelia) with a modern, unified authentication solution. The current setup is not in active use, making this a good time to evaluate alternatives. + +## Goals + +1. **Central user database** - Manage users across all homelab hosts from a single source +2. **Linux PAM/NSS integration** - Users can SSH into hosts using central credentials +3. **UID/GID consistency** - Proper POSIX attributes for NAS share permissions +4. **OIDC provider** - Single sign-on for homelab web services (Grafana, etc.) + +## Options Evaluated + +### OpenLDAP (raw) + +- **NixOS Support:** Good (`services.openldap` with `declarativeContents`) +- **Pros:** Most widely supported, very flexible +- **Cons:** LDIF format is painful, schema management is complex, no built-in OIDC, requires SSSD on each client +- **Verdict:** Doesn't address LDAP complexity concerns + +### LLDAP + Authelia (current) + +- **NixOS Support:** Both have good modules +- **Pros:** Already configured, lightweight, nice web UIs +- **Cons:** Two services to manage, limited POSIX attribute support in LLDAP, requires SSSD on every client host +- **Verdict:** Workable but has friction for NAS/UID goals + +### FreeIPA + +- **NixOS Support:** None +- **Pros:** Full enterprise solution (LDAP + Kerberos + DNS + CA) +- **Cons:** Extremely heavy, wants to own DNS, designed for Red Hat ecosystems, massive overkill for homelab +- **Verdict:** Overkill, no NixOS support + +### Keycloak + +- **NixOS Support:** None +- **Pros:** Good OIDC/SAML, nice UI +- **Cons:** Primarily an identity broker not a user directory, poor POSIX support, heavy (Java) +- **Verdict:** Wrong tool for Linux user management + +### Authentik + +- **NixOS Support:** None (would need Docker) +- **Pros:** All-in-one with LDAP outpost and OIDC, modern UI +- **Cons:** Heavy stack (Python + PostgreSQL + Redis), LDAP is a separate component +- **Verdict:** Would work but requires Docker and is heavy + +### Kanidm + +- **NixOS Support:** Excellent - first-class module with PAM/NSS integration +- **Pros:** + - Native PAM/NSS module (no SSSD needed) + - Built-in OIDC provider + - Optional LDAP interface for legacy services + - Declarative provisioning via NixOS (users, groups, OAuth2 clients) + - Modern, written in Rust + - Single service handles everything +- **Cons:** Newer project, smaller community than LDAP +- **Verdict:** Best fit for requirements + +### Pocket-ID + +- **NixOS Support:** Unknown +- **Pros:** Very lightweight, passkey-first +- **Cons:** No LDAP, no PAM/NSS integration - purely OIDC for web apps +- **Verdict:** Doesn't solve Linux user management goal + +## Recommendation: Kanidm + +Kanidm is the recommended solution for the following reasons: + +| Requirement | Kanidm Support | +|-------------|----------------| +| Central user database | Native | +| Linux PAM/NSS (host login) | Native NixOS module | +| UID/GID for NAS | POSIX attributes supported | +| OIDC for services | Built-in | +| Declarative config | Excellent NixOS provisioning | +| Simplicity | Modern API, LDAP optional | +| NixOS integration | First-class | + +### Key NixOS Features + +**Server configuration:** +```nix +services.kanidm.enableServer = true; +services.kanidm.serverSettings = { + domain = "home.2rjus.net"; + origin = "https://auth.home.2rjus.net"; + ldapbindaddress = "0.0.0.0:636"; # Optional LDAP interface +}; +``` + +**Declarative user provisioning:** +```nix +services.kanidm.provision.enable = true; +services.kanidm.provision.persons.torjus = { + displayName = "Torjus"; + groups = [ "admins" "nas-users" ]; +}; +``` + +**Declarative OAuth2 clients:** +```nix +services.kanidm.provision.systems.oauth2.grafana = { + displayName = "Grafana"; + originUrl = "https://grafana.home.2rjus.net/login/generic_oauth"; + originLanding = "https://grafana.home.2rjus.net"; +}; +``` + +**Client host configuration (add to system/):** +```nix +services.kanidm.enableClient = true; +services.kanidm.enablePam = true; +services.kanidm.clientSettings.uri = "https://auth.home.2rjus.net"; +``` + +## Implementation Steps + +1. **Create Kanidm service module** in `services/kanidm/` + - Server configuration + - TLS via internal ACME + - Vault secrets for admin passwords + +2. **Configure declarative provisioning** + - Define initial users and groups + - Set up POSIX attributes (UID/GID ranges) + +3. **Add OIDC clients** for homelab services + - Grafana + - Other services as needed + +4. **Create client module** in `system/` for PAM/NSS + - Enable on all hosts that need central auth + - Configure trusted CA + +5. **Test NAS integration** + - Verify UID/GID mapping works with NFS/SMB shares + +6. **Migrate auth01** + - Remove LLDAP and Authelia services + - Deploy Kanidm + - Update DNS CNAMEs if needed + +7. **Documentation** + - User management procedures + - Adding new OAuth2 clients + - Troubleshooting PAM/NSS issues + +## Open Questions + +- What UID/GID range should be reserved for Kanidm-managed users? +- Which hosts should have PAM/NSS enabled initially? +- What OAuth2 clients are needed at launch? +- Should LDAP interface be enabled for any legacy services? + +## References + +- [Kanidm Documentation](https://kanidm.github.io/kanidm/stable/) +- [NixOS Kanidm Module](https://search.nixos.org/options?query=services.kanidm) +- [Kanidm PAM/NSS Integration](https://kanidm.github.io/kanidm/stable/pam_and_nsswitch.html)