nixos/modules/crans/users.nix


{ config, lib, ... }:
let
  cfg = config.crans.users;
in
{
  # User and authentication policy for Crans hosts: the root password comes
  # from an age-encrypted secret, LDAP account lookup through nslcd can be
  # switched on, and a fixed set of sudo rules is installed.

  options.crans.users.ldap.enable =
    lib.mkEnableOption "Authentification par le LDAP adm.";

  options.crans.users.root.passwordFile = lib.mkOption {
    type = lib.types.path;
    # Repository-relative age files; the selected one is only ever handed to
    # agenix for decryption (see config.age.secrets below), never read here.
    default = ../../secrets/common/root.age;
    example = ../../secrets/apprentix/root.age;
    description = "Fichier chiffré par age contenant le mot de passe root.";
  };

  config = {
    # Decrypt the configured secret; its decrypted path is what the root
    # account's hashedPasswordFile points at.
    age.secrets.root-passwd-hash.file = cfg.root.passwordFile;

    # Declarative accounts only: nothing created with useradd/passwd survives
    # a rebuild, so every local credential is traceable to this config.
    users.mutableUsers = false;
    users.users.root.hashedPasswordFile =
      config.age.secrets.root-passwd-hash.path;

    users.ldap = {
      enable = cfg.ldap.enable;
      base = "dc=crans,dc=org";
      server = "ldaps://ldap-adm.adm.crans.org/";
      daemon.enable = true;
      # NOTE(review): `tls_reqcert allow` tells nslcd to keep the session even
      # when the server presents no certificate or a bad one (nslcd.conf(5)),
      # so the ldaps:// scheme above does not by itself authenticate the
      # directory server; `demand` plus the adm CA is the strict setting —
      # confirm the CA is deployed before tightening.
      # NOTE(review): the `map passwd loginShell` line presumably forces the
      # system bash as login shell for every LDAP account; nslcd distinguishes
      # a quoted expression from an unquoted attribute name, so verify against
      # nslcd.conf(5) that this unquoted form yields the intended shell.
      daemon.extraConfig = ''
        ldap_version 3
        tls_reqcert allow
        map passwd loginShell /run/current-system/sw/bin/bash
      '';
    };

    security.sudo = {
      enable = true;
      # passprompt_override makes sudo use the prompt below even when PAM
      # supplies its own (sudoers(5)).
      extraConfig = ''
        Defaults passprompt_override
        Defaults passprompt="[sudo] mot de passe pour %p sur %h: "
      '';
      extraRules = [
        # Members of _user may run exactly this one absolute command as root
        # without a password; sudo matches the full path, so the binary must
        # actually live at /usr/bin/qm on the hosts using this module — TODO
        # confirm on NixOS, where /usr/bin is normally empty.
        {
          groups = [ "_user" ];
          runAs = "root:ALL";
          commands = [ "NOPASSWD:/usr/bin/qm list" ];
        }
        # Members of _nounou get unrestricted sudo (password required, runAs
        # left to the module default).
        {
          groups = [ "_nounou" ];
          commands = [ "ALL" ];
        }
      ];
    };
  };
}