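{ config, lib, pkgs, ... }:
let
  cfg = config.sydnix.deertopia.lldap.pam;
in
{
  options.sydnix.deertopia.lldap.pam = {
    enable = lib.mkEnableOption "LLDAP PAM integration";
  };

  # PAM/NSS integration for LLDAP via sssd.
  # See https://github.com/lldap/lldap/blob/main/example_configs/pam/README.md.
  config = lib.mkIf cfg.enable {
    # Environment file carrying the LDAP bind password (SSSD_LDAP_DEFAULT_AUTHTOK).
    # Only the variable name is referenced in the rendered sssd.conf below, so
    # the password never ends up in the world-readable Nix store.
    # The previous revision declared `{ mode = "0440"; owner = "sssd"; group = "sssd"; }`
    # in a `let` binding here but never applied it; that dead binding is dropped
    # and the secret keeps the sops default mode/ownership, as before.
    sydnix.sops.secrets.sssd-environment = { };

    services.sssd =
      let
        inherit (config.sydnix.deertopia.lldap) baseDN;
        # Port is taken from the local lldap service so the two cannot drift apart.
        ldaps-port = config.services.lldap.settings.ldaps_options.port;
      in
      {
        enable = true;
        # Read by the sssd unit; `$SSSD_LDAP_DEFAULT_AUTHTOK` in `config` is
        # substituted from it at service start (NixOS sssd module behaviour —
        # verify against the module if the secret ever shows up literally).
        environmentFile = "/run/secrets/sssd-environment";
        # Notes on the security-relevant settings in the rendered config:
        #  - ldap_uri hard-codes the host name; the server certificate must be
        #    valid for it, as `ldap_tls_reqcert = demand` rejects anything else.
        #  - `${./cert.pem}` copies that file into the Nix store, which is
        #    world-readable: only the public CA/server certificate belongs there.
        #  - `access_provider = permit` grants login to every user sssd resolves
        #    from LDAP; there is no access filter or group restriction here.
        #  - `cache_credentials = true` keeps hashed credentials on disk so
        #    logins keep working while the LDAP server is unreachable.
        config = ''
          [sssd]
          config_file_version = 2
          # Change the domain below. It must match with the one in the [domain/]
          # part
          domains = deertopia.net

          [nss]

          [pam]

          # Put the same domain here
          [domain/deertopia.net]
          id_provider = ldap
          auth_provider = ldap
          chpass_provider = ldap
          ldap_schema = rfc2307
          # Place your LDAP server url here
          ldap_uri = ldaps://deertopia.net:${builtins.toString ldaps-port}/
          # Put your LDAP dc here
          ldap_search_base = ${baseDN}

          # Bind credentials
          # Bind user username (Should be in group lldap_strict_readonly)
          ldap_default_bind_dn = uid=sssd,ou=people,${baseDN}
          # Bind user password. Defined by `services.sssd.environmentFile`.
          ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK

          # TLS settings
          ldap_tls_reqcert = demand
          # Put the certificate you generate for LDAPS here
          ldap_tls_cacert = ${./cert.pem}

          # User mappings
          # Put your LDAP dc here
          ldap_user_search_base = ou=people,${baseDN}
          ldap_user_object_class = posixAccount
          ldap_user_name = uid
          ldap_user_gecos = uid
          ldap_user_uid_number = uidNumber
          ldap_user_gid_number = gidNumber
          ldap_user_home_directory = homeDirectory
          ldap_user_shell = unixShell
          # Uncomment for SSH Key Sync setup
          #ldap_user_ssh_public_key = sshPublicKey

          # Group mappings
          # Put your LDAP dc here
          ldap_group_search_base = ou=groups,${baseDN}
          ldap_group_object_class = groupOfUniqueNames
          ldap_group_name = cn
          ldap_group_member = uniqueMember

          access_provider = permit
          cache_credentials = true
        '';
      };
  };
}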