Torjus Håkestad
b845a8bb8b
Add homelab.kanidm.enable option for central authentication via Kanidm. The module configures: - PAM/NSS integration with kanidm-unixd - Client connection to auth.home.2rjus.net - Login authorization for ssh-users group Enable on testvm01-03 for testing. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
43 lines
1.1 KiB
Nix
43 lines
1.1 KiB
Nix
{ lib, config, pkgs, ... }:
|
|
let
|
|
cfg = config.homelab.kanidm;
|
|
in
|
|
{
|
|
options.homelab.kanidm = {
|
|
enable = lib.mkEnableOption "Kanidm PAM/NSS client for central authentication";
|
|
|
|
server = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "https://auth.home.2rjus.net";
|
|
description = "URI of the Kanidm server";
|
|
};
|
|
|
|
allowedLoginGroups = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
default = [ "ssh-users" ];
|
|
description = "Groups allowed to log in via PAM";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
services.kanidm = {
|
|
package = pkgs.kanidm_1_8;
|
|
enablePam = true;
|
|
|
|
clientSettings = {
|
|
uri = cfg.server;
|
|
};
|
|
|
|
unixSettings = {
|
|
pam_allowed_login_groups = cfg.allowedLoginGroups;
|
|
# Use short names (torjus) instead of SPN format (torjus@home.2rjus.net)
|
|
# This prevents "PAM user mismatch" errors with SSH
|
|
uid_attr_map = "name";
|
|
gid_attr_map = "name";
|
|
# Create symlink /home/torjus -> /home/torjus@home.2rjus.net
|
|
home_alias = "name";
|
|
};
|
|
};
|
|
};
|
|
}
|