Torjus Håkestad
64dc10c6cd
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m1s
Kanidm 1.8 requires: - version = "2" at top level - pam_allowed_login_groups inside [kanidm] section The NixOS module also requires pam_allowed_login_groups at top level, so we provide it at both places. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
46 lines
1.2 KiB
Nix
46 lines
1.2 KiB
Nix
{ lib, config, pkgs, ... }:
|
|
let
|
|
cfg = config.homelab.kanidm;
|
|
in
|
|
{
|
|
options.homelab.kanidm = {
|
|
enable = lib.mkEnableOption "Kanidm PAM/NSS client for central authentication";
|
|
|
|
server = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "https://auth.home.2rjus.net";
|
|
description = "URI of the Kanidm server";
|
|
};
|
|
|
|
allowedLoginGroups = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
default = [ "ssh-users" ];
|
|
description = "Groups allowed to log in via PAM";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
services.kanidm = {
|
|
package = pkgs.kanidm_1_8;
|
|
enablePam = true;
|
|
|
|
clientSettings = {
|
|
uri = cfg.server;
|
|
};
|
|
|
|
unixSettings = {
|
|
version = "2";
|
|
# Use short names (e.g., "torjus") instead of SPN (e.g., "torjus@home.2rjus.net")
|
|
uid_attr_map = "name";
|
|
gid_attr_map = "name";
|
|
# Required by NixOS module (will be in TOML but kanidm section is what matters)
|
|
pam_allowed_login_groups = cfg.allowedLoginGroups;
|
|
# Kanidm provider section (this is what unixd actually reads)
|
|
kanidm = {
|
|
pam_allowed_login_groups = cfg.allowedLoginGroups;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|