feat(www): www

modules/nixos/deertopia/lldap/pam.nix

@@ -7,6 +7,16 @@ in {
   };
 
   # See https://github.com/lldap/lldap/blob/main/example_configs/pam/README.md.
+
+  # Required imperative configuration: you will need to add the following custom
+  # attributes to the user schema in the LLDAP web UI.
+  #
+  #   • uidNumber (integer)
+  #   • gidNumber (integer, multiple values)
+  #   • homeDirectory (string)
+  #   • unixShell (string)
+  #   • sshPublicKey (string) (only if you’re setting up SSH Public Key Sync)
+
   config = lib.mkIf cfg.enable {
     sydnix.sops.secrets =
       let
@@ -19,6 +29,32 @@ in {
         sssd-environment = {};
       };
 
+    # TODO: The existence of a dynamic set of users leads to some complexities
+    # when combined with Impermanence.  Static users (i.e. those defined in the
+    # NixOS config) shall opt in to Impermanence via the Home-manager setting,
+    # but "dynamic" users (i.e. those per LDAP/PAM) should be persisted
+    # unconditionally.  Implementing this behaviour takes quite the hack:
+    #
+    #   • /home is persisted.
+    #
+    #   • A impersistent directory /transient-home is created.
+    #
+    #   • "Dynamic" users are assigned subdirectories of /home like usual.
+    #     Since /home is persisted, so are the users' individual home
+    #     directories.
+    #
+    #   • The home directories of "static" users (that are opted in to
+    #     Impermanence) are created at /transient-home/«user» and bind-mounted
+    #     to /home/«user».
+
+    security.pam.services."ldap".makeHomeDir = true;
+
+    # For synchronizations of SSH keys.
+    services.openssh.settings = {
+      AuthorizedKeysCommand = lib.getExe' pkgs.sssd "sss_ssh_authorizedkeys";
+      AuthorizedKeysCommandUser = "nobody";
+    };
+
     services.sssd =
       let
         inherit (config.sydnix.deertopia.lldap) baseDN;
@@ -71,7 +107,7 @@ in {
           ldap_user_shell = unixShell
 
           # Uncomment for SSH Key Sync setup
-          #ldap_user_ssh_public_key = sshPublicKey
+          ldap_user_ssh_public_key = sshPublicKey
 
           # Group mappings
           # Put your LDAP dc here