nixpkgs/nixos/modules/services/misc/sssd.nix
Silvan Mosberger 4f0dadbf38 treewide: format all inactive Nix files
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.

Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.

A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.

This commit was automatically created and can be verified using

    nix-build a08b3a4d19.tar.gz \
      --argstr baseRev b32a094368
    result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00


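# NixOS module for SSSD (System Security Services Daemon): config option,
# the sssd service, NSS integration, and opt-in KCM / sshd authorized-keys hooks.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.sssd;

  # Runtime state directory. The *substituted* config (which may carry secrets
  # pulled from `environmentFile`) lives here, not in the Nix store.
  dataDir = "/var/lib/sssd";
  settingsFile = "${dataDir}/sssd.conf";

  # Store copy of the config with placeholders still unsubstituted. Store paths
  # are world-readable, so this file must only ever hold placeholders, never
  # literal secrets (see the `environmentFile` option description).
  settingsFileUnsubstituted = pkgs.writeText "${dataDir}/sssd-unsubstituted.conf" cfg.config;
in
{
  options = {
    services.sssd = {
      enable = lib.mkEnableOption "the System Security Services Daemon";

      config = lib.mkOption {
        type = lib.types.lines;
        description = "Contents of {file}`sssd.conf`.";
        default = ''
          [sssd]
          config_file_version = 2
          services = nss, pam
          domains = shadowutils
          [nss]
          [pam]
          [domain/shadowutils]
          id_provider = proxy
          proxy_lib_name = files
          auth_provider = proxy
          proxy_pam_target = sssd-shadowutils
          proxy_fast_alias = True
        '';
      };

      sshAuthorizedKeysIntegration = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          Whether to make sshd look up authorized keys from SSS.
          For this to work, the `ssh` SSS service must be enabled in the sssd configuration.
        '';
      };

      kcm = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          Whether to use SSS as a Kerberos Cache Manager (KCM).
          Kerberos will be configured to cache credentials in SSS.
        '';
      };

      environmentFile = lib.mkOption {
        type = lib.types.nullOr lib.types.path;
        default = null;
        description = ''
          Environment file as defined in {manpage}`systemd.exec(5)`.
          Secrets may be passed to the service without adding them to the world-readable
          Nix store, by specifying placeholder variables as the option value in Nix and
          setting these variables accordingly in the environment file.
          ```
          # snippet of sssd-related config
          [domain/LDAP]
          ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
          ```
          ```
          # contents of the environment file
          SSSD_LDAP_DEFAULT_AUTHTOK=verysecretpassword
          ```
        '';
      };
    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
      # For `sssctl` to work. Both entries point at the runtime state dir, so the
      # substituted config is never exposed through the store.
      environment.etc."sssd/sssd.conf".source = settingsFile;
      environment.etc."sssd/conf.d".source = "${dataDir}/conf.d";

      systemd.services.sssd = {
        description = "System Security Services Daemon";
        wantedBy = [ "multi-user.target" ];
        # Must be up before user sessions and NSS lookups depend on it.
        before = [
          "systemd-user-sessions.service"
          "nss-user-lookup.target"
        ];
        after = [
          "network-online.target"
          "nscd.service"
        ];
        requires = [
          "network-online.target"
          "nscd.service"
        ];
        wants = [ "nss-user-lookup.target" ];
        # Restart when either the nscd config or the (unsubstituted) sssd config changes.
        restartTriggers = [
          config.environment.etc."nscd.conf".source
          settingsFileUnsubstituted
        ];
        script = ''
          export LDB_MODULES_PATH+="''${LDB_MODULES_PATH+:}${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb"
          mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d
          ${pkgs.sssd}/bin/sssd -D -c ${settingsFile}
        '';
        serviceConfig = {
          # `-D` above daemonizes, hence the forking type and PID file.
          Type = "forking";
          PIDFile = "/run/sssd.pid";
          StateDirectory = baseNameOf dataDir;
          # We cannot use LoadCredential here because it's not available in ExecStartPre
          EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
        };
        # Render the real config from the store template. The old file is removed
        # first and the new one is written under umask 0177 so that the
        # substituted secrets end up readable by root only.
        preStart = ''
          mkdir -p "${dataDir}/conf.d"
          [ -f ${settingsFile} ] && rm -f ${settingsFile}
          old_umask=$(umask)
          umask 0177
          ${pkgs.envsubst}/bin/envsubst \
            -o ${settingsFile} \
            -i ${settingsFileUnsubstituted}
          umask $old_umask
        '';
      };

      # Wire the sss NSS module into the listed databases.
      system.nssModules = [ pkgs.sssd ];
      system.nssDatabases = {
        group = [ "sss" ];
        passwd = [ "sss" ];
        services = [ "sss" ];
        shadow = [ "sss" ];
      };

      services.dbus.packages = [ pkgs.sssd ];
    })

    (lib.mkIf cfg.kcm {
      systemd.services.sssd-kcm = {
        description = "SSSD Kerberos Cache Manager";
        requires = [ "sssd-kcm.socket" ];
        serviceConfig = {
          # Leading "-": systemd ignores a non-zero exit from this step.
          ExecStartPre = "-${pkgs.sssd}/bin/sssd --genconf-section=kcm";
          ExecStart = "${pkgs.sssd}/libexec/sssd/sssd_kcm --uid 0 --gid 0";
        };
        restartTriggers = [
          settingsFileUnsubstituted
        ];
      };
      systemd.sockets.sssd-kcm = {
        description = "SSSD Kerberos Cache Manager responder socket";
        wantedBy = [ "sockets.target" ];
        # Matches the default in MIT krb5 and Heimdal:
        # https://github.com/krb5/krb5/blob/krb5-1.19.3-final/src/include/kcm.h#L43
        listenStreams = [ "/var/run/.heim_org.h5l.kcm-socket" ];
      };
      security.krb5.settings.libdefaults.default_ccache_name = "KCM:";
    })

    (lib.mkIf cfg.sshAuthorizedKeysIntegration {
      # Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable.
      # So indirect by a symlink.
      environment.etc."ssh/authorized_keys_command" = {
        mode = "0755";
        text = ''
          #!/bin/sh
          exec ${pkgs.sssd}/bin/sss_ssh_authorizedkeys "$@"
        '';
      };
      services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
      # The lookup helper runs unprivileged; it only needs to reach the SSS ssh responder.
      services.openssh.authorizedKeysCommandUser = "nobody";
    })
  ];

  meta.maintainers = [ lib.maintainers.bbigras ];
}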