{ config, ... }:

let
  # Extra lines appended to nslcd's configuration (users.ldap.daemon).
  # NOTE(review): `tls_reqcert allow` makes nslcd proceed even when the
  # ldaps server presents a certificate that fails validation, so the TLS
  # on the ldaps:// URL below encrypts but does not authenticate the server.
  # `demand`/`hard` together with a configured CA would; confirm how the
  # server certificate is provisioned before tightening this.
  # The `map passwd loginShell` line presumably forces bash as the login
  # shell for directory users regardless of the LDAP attribute -- verify.
  nslcdExtraConfig = ''
    ldap_version 3
    tls_reqcert allow
    map passwd loginShell /run/current-system/sw/bin/bash
  '';

  # sudoers fragment: replace the default password prompt with a French one.
  sudoExtraConfig = ''
    Defaults passprompt_override
    Defaults passprompt="[sudo] mot de passe pour %p sur %h: "
  '';
in
{
  # LDAP-backed user accounts, resolved through the nslcd daemon.
  users.ldap.enable = true;
  users.ldap.base = "dc=crans,dc=org";
  users.ldap.server = "ldaps://ldap-adm.adm.crans.org/";
  users.ldap.daemon.enable = true;
  users.ldap.daemon.extraConfig = nslcdExtraConfig;

  security.sudo.enable = true;
  security.sudo.extraConfig = sudoExtraConfig;
  security.sudo.extraRules = [
    # Members of `_user` may run exactly `/usr/bin/qm list` as root, without
    # a password, and nothing else.
    {
      groups = [ "_user" ];
      runAs = "root:ALL";
      commands = [ "NOPASSWD:/usr/bin/qm list" ];
    }
    # Members of `_nounou` get unrestricted sudo; no NOPASSWD tag, so the
    # password prompt still applies.
    {
      groups = [ "_nounou" ];
      commands = [ "ALL" ];
    }
  ];

  # The root password hash is read at runtime from the shared sops secret;
  # only the path to the decrypted file is referenced here.
  sops.secrets.root-passwd-hash.sopsFile = ../../secrets/common.yaml;
  users.users.root.hashedPasswordFile = config.sops.secrets.root-passwd-hash.path;

  # NOTE(review): "yes" also allows password authentication for root over
  # SSH, which exposes the sops-managed root password to remote guessing;
  # "prohibit-password" keeps key-based root login only. Confirm whether
  # remote password login for root is actually needed before changing it.
  services.openssh.settings.PermitRootLogin = "yes";
}