diff --git a/flake.nix b/flake.nix
index f3b3633..e5d7755 100644
--- a/flake.nix
+++ b/flake.nix
@@ -115,7 +115,6 @@
massicot = { name, nodes, pkgs, ... }: with inputs; {
deployment.targetHost = "49.13.13.122";
- deployment.targetUser = "xin";
imports = [
{ nixpkgs.system = "aarch64-linux"; }
diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix
index 3309e68..4354bcd 100644
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@@ -119,13 +119,9 @@
services.kanidm = {
enableClient = true;
- enablePam = true;
clientSettings = {
uri = "https://auth.xinyang.life";
};
- unixSettings = {
- pam_allowed_login_groups = [ "linux_users" "xin@auth.xinyang.life" "test" ];
- };
};
# Enable automatic login for the user.
diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix
index f03d8b4..e10df8b 100644
--- a/machines/dolomite/default.nix
+++ b/machines/dolomite/default.nix
@@ -46,6 +46,32 @@
};
};
+ custom.kanidm-client = {
+ enable = true;
+ uri = "https://auth.xinyang.life/";
+ asSSHAuth = {
+ enable = true;
+ allowedGroups = [ "linux_users" ];
+ };
+ sudoers = [ "xin@auth.xinyang.life" ];
+ };
+
+ services.openssh = {
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = lib.mkForce "no";
+ GSSAPIAuthentication = "no";
+ KerberosAuthentication = "no";
+ };
+ };
+ services.fail2ban.enable = true;
+
+ security.sudo = {
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ };
+
services.sing-box = let
singTls = {
enabled = true;
diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix
index 98328f3..283dadb 100644
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@@ -62,31 +62,33 @@
hostName = "massicot";
};
+ custom.kanidm-client = {
+ enable = true;
+ uri = "https://auth.xinyang.life/";
+ asSSHAuth = {
+ enable = true;
+ allowedGroups = [ "linux_users" ];
+ };
+ sudoers = [ "xin@auth.xinyang.life" ];
+ };
+
+ security.sudo = {
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ };
+
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ GSSAPIAuthentication = "no";
+ KerberosAuthentication = "no";
};
};
+
+ services.fail2ban.enable = true;
systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
-
- users.users.xin = {
- isNormalUser = true;
- extraGroups = [ "wheel" "networkmanager" ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBcSvUQnmMFtpftFKIsDqeyUyZHzRg5ewgn3VEcLnss"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeNQ43f/ce4VxVPsAaKPPTp8rokQpmwNIsOX7JBZq4A"
- ];
- hashedPassword = "$y$j9T$JOJn97hZndiDamUmmT.iq.$ue7gNZz/b14ur8GhyutOCvFjsv.3rcsHmk7m.WRk6u7";
- };
-
- security.sudo.extraRules = [
- { users = [ "xin" ];
- commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ];
- }
- ];
-
-
}
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index e5ecdcc..9c7504e 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@@ -40,7 +40,7 @@ in
value = {
device = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
fsType = "cifs";
- options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path}"];
+ options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},rw,x-systemd.automount"];
};
}) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ] );
@@ -112,6 +112,7 @@ in
ROOT_URL = "https://git.xinyang.life/";
START_SSH_SERVER = true;
BUILTIN_SSH_SERVER_USER = "git";
+ SSH_USER = "git";
SSH_DOMAIN = "ssh.xinyang.life";
SSH_PORT = 2222;
LFS_MAX_FILE_SIZE = 10737418240;
@@ -138,6 +139,15 @@ in
};
};
+ users.users.git = {
+ isSystemUser = true;
+ useDefaultShell = true;
+ group = "git";
+ extraGroups = [ "forgejo" ];
+ };
+ users.groups.git = { };
+
+
services.caddy = {
enable = true;
virtualHosts."xinyang.life:443".extraConfig = ''
diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix
index d3b604c..38e70e9 100644
--- a/modules/home-manager/vscode.nix
+++ b/modules/home-manager/vscode.nix
@@ -67,7 +67,7 @@ in
80
];
"editor.mouseWheelZoom" = true;
- "git.autofetch" = true;
+ "git.autofetch" = false;
"window.zoomLevel" = -1;
"nix.enableLanguageServer" = true;
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 81ab1d0..3ba4a9b 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -6,5 +6,6 @@
./prometheus.nix
./hedgedoc.nix
./sing-box.nix
+ ./kanidm-client.nix
];
}
diff --git a/modules/nixos/kanidm-client.nix b/modules/nixos/kanidm-client.nix
new file mode 100644
index 0000000..8821fc1
--- /dev/null
+++ b/modules/nixos/kanidm-client.nix
@@ -0,0 +1,64 @@
+{ config, pkgs, lib, ... }:
+with lib;
+
+let
+ cfg = config.custom.kanidm-client;
+in
+{
+ options = {
+ custom.kanidm-client = {
+ enable = mkEnableOption "Kanidm client service";
+ asSSHAuth = mkOption {
+ type = types.submodule {
+ options = {
+ enable = mkEnableOption "Kanidm as system authentication source";
+ allowedGroups = mkOption {
+ type = types.listOf types.str;
+ example = [ "linux_users" ];
+ };
+ };
+ };
+ };
+ sudoers = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ };
+ uri = mkOption {
+ type = types.str;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ services.kanidm = mkMerge
+ [ (mkIf cfg.enable {
+ enableClient = true;
+ clientSettings = {
+ uri = cfg.uri;
+ };
+ })
+ (mkIf cfg.asSSHAuth.enable {
+ enablePam = true;
+ unixSettings = {
+ pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups;
+ default_shell = "/bin/sh";
+ };
+ })
+ ];
+ services.openssh = mkIf cfg.asSSHAuth.enable {
+ enable = true;
+ authorizedKeysCommand = "/etc/ssh/auth %u";
+ authorizedKeysCommandUser = "kanidm-ssh-runner";
+ };
+ environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable {
+ mode = "0555";
+ text = ''
+ #!${pkgs.stdenv.shell}
+ ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1
+ '';
+ };
+ users.groups.wheel.members = cfg.sudoers;
+ users.groups.kanidm-ssh-runner = { };
+ users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; };
+ };
+}
+