| blob | f2798c1f30b4534f8bc1b932a510c866f5ac884c |
1 { config, lib, pkgs, ... }:
2 with lib;
3 let
4 cfg = config.services.sssd;
5 nscd = config.services.nscd;
7 dataDir = "/var/lib/sssd";
8 settingsFile = "${dataDir}/sssd.conf";
9 settingsFileUnsubstituted = pkgs.writeText "${dataDir}/sssd-unsubstituted.conf" cfg.config;
10 in {
11 options = {
12 services.sssd = {
13 enable = mkEnableOption "the System Security Services Daemon";
15 config = mkOption {
16 type = types.lines;
17 description = "Contents of {file}`sssd.conf`.";
18 default = ''
19 [sssd]
20 config_file_version = 2
21 services = nss, pam
22 domains = shadowutils
24 [nss]
26 [pam]
28 [domain/shadowutils]
29 id_provider = proxy
30 proxy_lib_name = files
31 auth_provider = proxy
32 proxy_pam_target = sssd-shadowutils
33 proxy_fast_alias = True
34 '';
35 };
37 sshAuthorizedKeysIntegration = mkOption {
38 type = types.bool;
39 default = false;
40 description = ''
41 Whether to make sshd look up authorized keys from SSS.
42 For this to work, the `ssh` SSS service must be enabled in the sssd configuration.
43 '';
44 };
46 kcm = mkOption {
47 type = types.bool;
48 default = false;
49 description = ''
50 Whether to use SSS as a Kerberos Cache Manager (KCM).
51 Kerberos will be configured to cache credentials in SSS.
52 '';
53 };
54 environmentFile = mkOption {
55 type = types.nullOr types.path;
56 default = null;
57 description = ''
58 Environment file as defined in {manpage}`systemd.exec(5)`.
60 Secrets may be passed to the service without adding them to the world-readable
61 Nix store, by specifying placeholder variables as the option value in Nix and
62 setting these variables accordingly in the environment file.
64 ```
65 # snippet of sssd-related config
66 [domain/LDAP]
67 ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
68 ```
70 ```
71 # contents of the environment file
72 SSSD_LDAP_DEFAULT_AUTHTOK=verysecretpassword
73 ```
74 '';
75 };
76 };
77 };
78 config = mkMerge [
79 (mkIf cfg.enable {
80 # For `sssctl` to work.
81 environment.etc."sssd/sssd.conf".source = settingsFile;
82 environment.etc."sssd/conf.d".source = "${dataDir}/conf.d";
84 systemd.services.sssd = {
85 description = "System Security Services Daemon";
86 wantedBy = [ "multi-user.target" ];
87 before = [ "systemd-user-sessions.service" "nss-user-lookup.target" ];
88 after = [ "network-online.target" "nscd.service" ];
89 requires = [ "network-online.target" "nscd.service" ];
90 wants = [ "nss-user-lookup.target" ];
91 restartTriggers = [
92 config.environment.etc."nscd.conf".source
93 settingsFileUnsubstituted
94 ];
95 script = ''
96 export LDB_MODULES_PATH+="''${LDB_MODULES_PATH+:}${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb"
97 mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d
98 ${pkgs.sssd}/bin/sssd -D -c ${settingsFile}
99 '';
100 serviceConfig = {
101 Type = "forking";
102 PIDFile = "/run/sssd.pid";
103 StateDirectory = baseNameOf dataDir;
104 # We cannot use LoadCredential here because it's not available in ExecStartPre
105 EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
106 };
107 preStart = ''
108 mkdir -p "${dataDir}/conf.d"
109 [ -f ${settingsFile} ] && rm -f ${settingsFile}
110 old_umask=$(umask)
111 umask 0177
112 ${pkgs.envsubst}/bin/envsubst \
113 -o ${settingsFile} \
114 -i ${settingsFileUnsubstituted}
115 umask $old_umask
116 '';
117 };
119 system.nssModules = [ pkgs.sssd ];
120 system.nssDatabases = {
121 group = [ "sss" ];
122 passwd = [ "sss" ];
123 services = [ "sss" ];
124 shadow = [ "sss" ];
125 };
126 services.dbus.packages = [ pkgs.sssd ];
127 })
129 (mkIf cfg.kcm {
130 systemd.services.sssd-kcm = {
131 description = "SSSD Kerberos Cache Manager";
132 requires = [ "sssd-kcm.socket" ];
133 serviceConfig = {
134 ExecStartPre = "-${pkgs.sssd}/bin/sssd --genconf-section=kcm";
135 ExecStart = "${pkgs.sssd}/libexec/sssd/sssd_kcm --uid 0 --gid 0";
136 };
137 restartTriggers = [
138 settingsFileUnsubstituted
139 ];
140 };
141 systemd.sockets.sssd-kcm = {
142 description = "SSSD Kerberos Cache Manager responder socket";
143 wantedBy = [ "sockets.target" ];
144 # Matches the default in MIT krb5 and Heimdal:
145 # https://github.com/krb5/krb5/blob/krb5-1.19.3-final/src/include/kcm.h#L43
146 listenStreams = [ "/var/run/.heim_org.h5l.kcm-socket" ];
147 };
148 security.krb5.settings.libdefaults.default_ccache_name = "KCM:";
149 })
151 (mkIf cfg.sshAuthorizedKeysIntegration {
152 # Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable.
153 # So indirect by a symlink.
154 environment.etc."ssh/authorized_keys_command" = {
155 mode = "0755";
156 text = ''
157 #!/bin/sh
158 exec ${pkgs.sssd}/bin/sss_ssh_authorizedkeys "$@"
159 '';
160 };
161 services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
162 services.openssh.authorizedKeysCommandUser = "nobody";
163 })];
165 meta.maintainers = with maintainers; [ bbigras ];
166 }