Kanidm upstream and ghostty hotkeys

This commit is contained in:
Daniel Flanagan 2025-02-11 00:41:52 -06:00
parent 4128df0e9e
commit 75b8bc26a5
2 changed files with 71 additions and 252 deletions


@ -959,7 +959,6 @@ working-directory =
# keybind = ctrl+zero=reset_font_size # keybind = ctrl+zero=reset_font_size
# keybind = alt+three=goto_tab:3 # keybind = alt+three=goto_tab:3
# keybind = ctrl+shift+j=write_scrollback_file:paste # keybind = ctrl+shift+j=write_scrollback_file:paste
# keybind = ctrl+enter=toggle_fullscreen
# keybind = ctrl+page_up=previous_tab # keybind = ctrl+page_up=previous_tab
# keybind = shift+right=adjust_selection:right # keybind = shift+right=adjust_selection:right
# keybind = ctrl+tab=next_tab # keybind = ctrl+tab=next_tab
@ -990,6 +989,12 @@ working-directory =
# keybind = alt+six=goto_tab:6 # keybind = alt+six=goto_tab:6
# keybind = alt+seven=goto_tab:7 # keybind = alt+seven=goto_tab:7
keybind = ctrl+shift+2=increase_font_size:4
keybind = ctrl+shift+minus=decrease_font_size:0.5
keybind = ctrl+shift+plus=increase_font_size:0.5
keybind = ctrl+shift+zero=reset_font_size
keybind = alt+enter=toggle_fullscreen
keybind = ctrl+shift+z=toggle_split_zoom
keybind = performable:ctrl+shift+h=new_split:left keybind = performable:ctrl+shift+h=new_split:left
keybind = performable:ctrl+shift+l=new_split:right keybind = performable:ctrl+shift+l=new_split:right
keybind = performable:ctrl+shift+j=new_split:down keybind = performable:ctrl+shift+j=new_split:down
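Review bot: The added `keybind = ctrl+shift+2=increase_font_size:4` steps the font size eight times further than the neighbouring new `ctrl+shift+plus` / `ctrl+shift+minus` bindings (0.5), and binding a coarse jump to a bare digit chord reads like a leftover from testing rather than a deliberate binding. If it is intentional, a one-line comment above it stating the purpose (for example `# coarse font-size jump; fine steps are on +/-`) would stop the next reader from removing it as a stray; if not, dropping the line keeps the font-size chords consistent. The rest of the hunk (the `toggle_fullscreen` move to `alt+enter` and `toggle_split_zoom`) is self-explanatory.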


@ -1399,86 +1399,11 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
options, options,
... ...
}: let }: let
toml = pkgs.formats.toml {};
kanidm-package = config.services.kanidm.package;
domain = "idm.h.lyte.dev"; domain = "idm.h.lyte.dev";
name = "kanidm"; name = "kanidm";
storage = "/storage/${name}";
cert = "${storage}/certs/idm.h.lyte.dev.crt";
key = "${storage}/certs/idm.h.lyte.dev.key";
serverSettings = {
inherit domain;
bindaddress = "127.0.0.1:8443";
# ldapbindaddress
tls_chain = cert;
tls_key = key;
origin = "https://${domain}";
db_path = "${storage}/data/kanidm.db";
log_level = "info";
online_backup = {
path = "${storage}/backups/";
schedule = "00 22 * * *";
# versions = 7;
};
};
unixdSettings = {
hsm_pin_path = "/var/cache/${name}-unixd/hsm-pin";
pam_allowed_login_groups = [];
};
clientSettings = {
uri = "https://idm.h.lyte.dev";
};
user = name; user = name;
group = name; group = name;
serverConfigFile = toml.generate "server.toml" serverSettings; storage = "/storage/${name}";
unixdConfigFile = toml.generate "kanidm-unixd.toml" unixdSettings;
clientConfigFile = toml.generate "kanidm-config.toml" clientSettings;
defaultServiceConfig = {
BindReadOnlyPaths = [
"/nix/store"
"-/etc/resolv.conf"
"-/etc/nsswitch.conf"
"-/etc/hosts"
"-/etc/localtime"
];
CapabilityBoundingSet = [];
# ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = "";
# Implies ProtectSystem=strict, which re-mounts all paths
# DynamicUser = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateNetwork = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
# Would re-mount paths ignored by temporary root
#ProtectSystem = "strict";
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = ["@system-service" "~@privileged @resources @setuid @keyring"];
# Does not work well with the temporary root
#UMask = "0066";
};
in { in {
# kanidm # kanidm
config = { config = {
@ -1499,9 +1424,9 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
script = '' script = ''
umask 077 umask 077
# this line should be unnecessary now that we have this in tmpfiles # this line should be unnecessary now that we have this in tmpfiles
install -d -m 0700 -o "${user}" -g "${group}" "${storage}/data" "${storage}/certs" install -d -m 0700 -o "${name}" -g "${name}" "${storage}/data" "${storage}/certs"
cd /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev cd /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev
install -m 0700 -o "${user}" -g "${group}" idm.h.lyte.dev.key idm.h.lyte.dev.crt "${storage}/certs" install -m 0700 -o "${name}" -g "${name}" idm.h.lyte.dev.key idm.h.lyte.dev.crt "${storage}/certs"
''; '';
path = with pkgs; [rsync]; path = with pkgs; [rsync];
serviceConfig = { serviceConfig = {
@ -1510,18 +1435,12 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
}; };
}; };
environment.systemPackages = [kanidm-package];
systemd.tmpfiles.settings."10-kanidm" = { systemd.tmpfiles.settings."10-kanidm" = {
"${serverSettings.online_backup.path}".d = { "${config.services.kanidm.serverSettings.online_backup.path}".d = {
inherit user group; user = name;
group = name;
mode = "0700"; mode = "0700";
}; };
## "${builtins.dirOf unixdSettings.hsm_pin_path}".d = {
## user = "${user}-unixd";
## group = "${group}-unixd";
## mode = "0700";
## };
"${storage}/data".d = { "${storage}/data".d = {
inherit user group; inherit user group;
mode = "0700"; mode = "0700";
@ -1532,174 +1451,69 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
}; };
}; };
users.groups = { services.kanidm = {
${group} = {}; enableServer = true;
"${group}-unixd" = {}; serverSettings = {
}; inherit domain;
origin = "https://${domain}";
users.users.${user} = { bindaddress = "127.0.0.1:8443";
inherit group; tls_chain = "${storage}/certs/idm.h.lyte.dev.crt";
description = "kanidm server"; tls_key = "${storage}/certs/idm.h.lyte.dev.key";
isSystemUser = true; log_level = "info";
packages = [kanidm-package]; online_backup = {
}; path = "${storage}/backups/";
users.users."${user}-unixd" = { schedule = "00 22 * * *";
group = "${group}-unixd"; versions = 50;
description = lib.mkForce "kanidm PAM daemon"; };
isSystemUser = true; };
};
enablePam = false;
# the kanidm module in nixpkgs was not working for me, so I rolled my own unixSettings = {
# loosely based off it # pam_allowed_login_groups = [];
systemd.services.kanidm = { };
enable = true;
path = with pkgs; [openssl] ++ [kanidm-package]; enableClient = true;
description = "kanidm identity management daemon"; clientSettings = {
wantedBy = ["multi-user.target"]; uri = "https://idm.h.lyte.dev";
after = ["network.target"]; };
requires = ["copy-kanidm-certificates-from-caddy.service"];
script = '' provision = {
pwd # enable = true;
ls -la # instanceUrl = "https://${domain}";
ls -laR /storage/kanidm # adminPasswordFile = config.sops.secrets.kanidm-admin-password-file.path
${kanidm-package}/bin/kanidmd server -c ${serverConfigFile} # idmAdminPasswordFile = config.sops.secrets.kanidm-admin-password-file.path
''; # autoRemove = true;
# environment.RUST_LOG = serverSettings.log_level; # groups = {
serviceConfig = lib.mkMerge [ # myGroup = {
defaultServiceConfig # members = ["myUser" /* ...*/];
{ # }
StateDirectory = name; # };
StateDirectoryMode = "0700"; # persons = {
RuntimeDirectory = "${name}d"; # myUser = {
User = user; # displayName = "display name";
Group = group; # legalName = "My User";
# mailAddresses = ["myuser@example.com"];
AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]; # groups = ["myGroup"];
CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"]; # }
PrivateUsers = lib.mkForce false; # };
PrivateNetwork = lib.mkForce false; # systems = {
RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"]; # oauth2 = {
# TemporaryFileSystem = "/:ro"; # mySystem = {
BindReadOnlyPaths = [ # enableLegacyCrypto = false;
"${storage}/certs" # enableLocalhostRedirects = true; # only for public
]; # allowInsecureClientDisablePkce = false;
BindPaths = [ # basicSecretFile = config.sops.secrets.basic-secret-file...
"${storage}/data" # claimMap = {};
# };
# socket # };
"/run/${name}d:/run/${name}d" # };
# backups
serverSettings.online_backup.path
];
}
];
};
systemd.services.kanidm-unixd = {
description = "Kanidm PAM daemon";
wantedBy = ["multi-user.target"];
after = ["network.target"];
restartTriggers = [unixdConfigFile clientConfigFile];
serviceConfig = lib.mkMerge [
defaultServiceConfig
{
CacheDirectory = "${name}-unixd";
CacheDirectoryMode = "0700";
RuntimeDirectory = "${name}-unixd";
ExecStart = "${kanidm-package}/bin/kanidm_unixd";
User = "${user}-unixd";
Group = "${group}-unixd";
BindReadOnlyPaths = [
"-/etc/kanidm"
"-/etc/static/kanidm"
"-/etc/ssl"
"-/etc/static/ssl"
"-/etc/passwd"
"-/etc/group"
];
BindPaths = [
# socket
"/run/kanidm-unixd:/var/run/kanidm-unixd"
];
# Needs to connect to kanidmd
PrivateNetwork = lib.mkForce false;
RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
TemporaryFileSystem = "/:ro";
}
];
environment.RUST_LOG = serverSettings.log_level;
};
systemd.services.kanidm-unixd-tasks = {
description = "Kanidm PAM home management daemon";
wantedBy = ["multi-user.target"];
after = ["network.target" "kanidm-unixd.service"];
partOf = ["kanidm-unixd.service"];
restartTriggers = [unixdConfigFile clientConfigFile];
serviceConfig = {
ExecStart = "${kanidm-package}/bin/kanidm_unixd_tasks";
BindReadOnlyPaths = [
"/nix/store"
"-/etc/resolv.conf"
"-/etc/nsswitch.conf"
"-/etc/hosts"
"-/etc/localtime"
"-/etc/kanidm"
"-/etc/static/kanidm"
];
BindPaths = [
# To manage home directories
"/home"
# To connect to kanidm-unixd
"/run/kanidm-unixd:/var/run/kanidm-unixd"
];
# CAP_DAC_OVERRIDE is needed to ignore ownership of unixd socket
CapabilityBoundingSet = ["CAP_CHOWN" "CAP_FOWNER" "CAP_DAC_OVERRIDE" "CAP_DAC_READ_SEARCH"];
IPAddressDeny = "any";
# Need access to users
PrivateUsers = false;
# Need access to home directories
ProtectHome = false;
RestrictAddressFamilies = ["AF_UNIX"];
TemporaryFileSystem = "/:ro";
Restart = "on-failure";
}; };
environment.RUST_LOG = serverSettings.log_level;
}; };
environment.etc = { services.caddy.virtualHosts."idm.h.lyte.dev" = {
"kanidm/server.toml".source = serverConfigFile; extraConfig = ''reverse_proxy https://idm.h.lyte.dev:8443'';
"kanidm/config".source = clientConfigFile;
"kanidm/unixd".source = unixdConfigFile;
}; };
system.nssModules = [kanidm-package];
system.nssDatabases.group = [name];
system.nssDatabases.passwd = [name];
## environment.etc."kanidm/server.toml" = {
## mode = "0600";
## group = "kanidm";
## user = "kanidm";
## };
## environment.etc."kanidm/config" = {
## mode = "0600";
## group = "kanidm";
## user = "kanidm";
## };
# services.caddy.virtualHosts."idm.h.lyte.dev" = {
# extraConfig = ''reverse_proxy https://idm.h.lyte.dev:8443'';
# };
networking = { networking = {
extraHosts = '' extraHosts = ''
::1 idm.h.lyte.dev ::1 idm.h.lyte.dev