From e07e0273eb26efa276cecbf9d7e9e3c6cc928883 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Wed, 1 Jan 2025 16:08:35 +0800
Subject: [PATCH] hosts/plover/services/idm: add kanidm-unixd and update SSH server config
---
 configs/nixos/plover/modules/services/idm.nix | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/configs/nixos/plover/modules/services/idm.nix b/configs/nixos/plover/modules/services/idm.nix
index 3e389c4d..c641c207 100644
--- a/configs/nixos/plover/modules/services/idm.nix
+++ b/configs/nixos/plover/modules/services/idm.nix
@@ -21,6 +21,8 @@ in
 services.kanidm = {
 enableServer = true;
+ enablePam = true;
+
 serverSettings = {
 domain = authDomain;
 origin = "https://${authDomain}";
@@ -37,6 +39,30 @@ in
 schedule = "0 0 * * *";
 };
 };
+
+ clientSettings = {
+ uri = "https://${authDomain}";
+ verify_hostnames = true;
+ verify_ca = true;
+ };
+
+ unixSettings = {
+ use_etc_skel = false;
+ pam_allowed_login_groups = [ "kanidm" ];
+ };
+ };
+
+ # Additional SSH server hardening.
+ services.openssh.settings = {
+ PermitEmptyPasswords = "no";
+ GSSAPIAuthentication = "no";
+ KerberosAuthentication = "no";
+
+ # Integrating kanidm-unixd.
+ UsePAM = true;
+ PubkeyAuthentication = true;
+ AuthorizedKeysCommand = "${lib.getExe' config.services.kanidm.package "kanidm_ssh_authorizedkeys"} %u";
+ AuthorizedKeysCommandUser = "nobody";
 };
 # The kanidm Nix module already sets the certificates directory to be
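Review bot: The second hunk turns on `UsePAM = true` so that the kanidm PAM module (enabled by `enablePam = true` in the first hunk) answers sshd, but nothing in it disables password or keyboard-interactive authentication, and the NixOS openssh module defaults both `PasswordAuthentication` and `KbdInteractiveAuthentication` to true. Unless those are set elsewhere in this host's configuration, every kanidm account in `pam_allowed_login_groups` becomes reachable over SSH with a password, which is a wider exposure than the `AuthorizedKeysCommand`-based key lookup this change is presumably aiming for; adding `PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;` next to `UsePAM = true;` would pin that. Likewise `AuthorizedKeysFile` keeps its default, so keys in a local `~/.ssh/authorized_keys` are still honoured alongside those returned by `kanidm_ssh_authorizedkeys`; if kanidm is meant to be the sole source of keys, say so in the `# Integrating kanidm-unixd.` comment or set `AuthorizedKeysFile` accordingly. Running the command as `nobody` appears to follow the upstream kanidm documentation, though sshd_config(5) recommends a dedicated account with no other role on the host. The `services.openssh.settings` attribute set opens and closes inside the hunk, but the enclosing module function begins outside it.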