Torjus Håkestad
97c0b3f7a2
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
Use home_alias instead of home_attr - this creates a symlink from /home/torjus to the actual home directory, providing a convenient short path without breaking the underlying storage. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
43 lines
1.1 KiB
Nix
43 lines
1.1 KiB
Nix
{ lib, config, pkgs, ... }:
|
|
let
|
|
cfg = config.homelab.kanidm;
|
|
in
|
|
{
|
|
options.homelab.kanidm = {
|
|
enable = lib.mkEnableOption "Kanidm PAM/NSS client for central authentication";
|
|
|
|
server = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "https://auth.home.2rjus.net";
|
|
description = "URI of the Kanidm server";
|
|
};
|
|
|
|
allowedLoginGroups = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
default = [ "ssh-users" ];
|
|
description = "Groups allowed to log in via PAM";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
services.kanidm = {
|
|
package = pkgs.kanidm_1_8;
|
|
enablePam = true;
|
|
|
|
clientSettings = {
|
|
uri = cfg.server;
|
|
};
|
|
|
|
unixSettings = {
|
|
pam_allowed_login_groups = cfg.allowedLoginGroups;
|
|
# Use short names (torjus) instead of SPN format (torjus@home.2rjus.net)
|
|
# This prevents "PAM user mismatch" errors with SSH
|
|
uid_attr_map = "name";
|
|
gid_attr_map = "name";
|
|
# Create symlink /home/torjus -> /home/torjus@home.2rjus.net
|
|
home_alias = "name";
|
|
};
|
|
};
|
|
};
|
|
}
|