hosts/plover/services/idm: add kanidm-unixd and update SSH server config

Gabriel Arazas 2025-01-01 16:08:35 +08:00
parent 7522ed5fe4
commit e07e0273eb
GPG Key ID: 62104B43D00AA360


@ -21,6 +21,8 @@ in
services.kanidm = {
enableServer = true;
enablePam = true;
serverSettings = {
domain = authDomain;
origin = "https://${authDomain}";
@ -37,6 +39,30 @@ in
schedule = "0 0 * * *";
};
};
clientSettings = {
uri = "https://${authDomain}";
verify_hostnames = true;
verify_ca = true;
};
unixSettings = {
use_etc_skel = false;
pam_allowed_login_groups = [ "kanidm" ];
};
};
# Additional SSH server hardening.
services.openssh.settings = {
PermitEmptyPasswords = "no";
GSSAPIAuthentication = "no";
KerberosAuthentication = "no";
# Integrating kanidm-unixd.
UsePAM = true;
PubkeyAuthentication = true;
AuthorizedKeysCommand = "${lib.getExe' config.services.kanidm.package "kanidm_ssh_authorizedkeys"} %u";
AuthorizedKeysCommandUser = "nobody";
};
# The kanidm Nix module already sets the certificates directory to be