
Merge pull request #185803 from Ma27/sssd-secrets

nixos/sssd: Add secrets handling (patch originally from @yayayayaka)

authored by

Maximilian Bosch and committed by
GitHub
6a126350 94d31d1c

+46 -9
+42 -7
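--- a/nixos/modules/services/misc/sssd.nix
+++ b/nixos/modules/services/misc/sssd.nix
@@ -3,6 +3,10 @@
 let
   cfg = config.services.sssd;
   nscd = config.services.nscd;
+
+  dataDir = "/var/lib/sssd";
+  settingsFile = "${dataDir}/sssd.conf";
+  settingsFileUnsubstituted = pkgs.writeText "${dataDir}/sssd-unsubstituted.conf" cfg.config;
 in {
   options = {
     services.sssd = {
@@ -47,6 +51,30 @@
           Kerberos will be configured to cache credentials in SSS.
         '';
       };
+      environmentFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        description = ''
+          Environment file as defined in <citerefentry>
+          <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum>
+          </citerefentry>.
+
+          Secrets may be passed to the service without adding them to the world-readable
+          Nix store, by specifying placeholder variables as the option value in Nix and
+          setting these variables accordingly in the environment file.
+
+          <programlisting>
+          # snippet of sssd-related config
+          [domain/LDAP]
+          ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
+          </programlisting>
+
+          <programlisting>
+          # contents of the environment file
+          SSSD_LDAP_DEFAULT_AUTHTOK=verysecretpassword
+          </programlisting>
+        '';
+      };
     };
   };
   config = mkMerge [
@@ -60,22 +88,29 @@
         wants = [ "nss-user-lookup.target" ];
         restartTriggers = [
           config.environment.etc."nscd.conf".source
-          config.environment.etc."sssd/sssd.conf".source
+          settingsFileUnsubstituted
         ];
         script = ''
           export LDB_MODULES_PATH+="''${LDB_MODULES_PATH+:}${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb"
           mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d
-          ${pkgs.sssd}/bin/sssd -D
+          ${pkgs.sssd}/bin/sssd -D -c ${settingsFile}
         '';
         serviceConfig = {
           Type = "forking";
           PIDFile = "/run/sssd.pid";
+          StateDirectory = baseNameOf dataDir;
+          # We cannot use LoadCredential here because it's not available in ExecStartPre
+          EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
         };
-      };
-
-      environment.etc."sssd/sssd.conf" = {
-        text = cfg.config;
-        mode = "0400";
+        preStart = ''
+          [ -f ${settingsFile} ] && rm -f ${settingsFile}
+          old_umask=$(umask)
+          umask 0177
+          ${pkgs.envsubst}/bin/envsubst \
+            -o ${settingsFile} \
+            -i ${settingsFileUnsubstituted}
+          umask $old_umask
+        '';
       };
 
       system.nssModules = [ pkgs.sssd ];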
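Review bot: The envsubst call in the new `preStart` replaces any placeholder whose variable is absent from the environment file with an empty string, so a misspelled variable name or an unset `environmentFile` yields a rendered `ldap_default_authtok =` with no value, and sssd would presumably come up with an empty credential rather than failing at ExecStartPre. Fail closed by adding the strictness flags on that line: `${pkgs.envsubst}/bin/envsubst -no-unset -no-empty \`. Since every `$NAME`/`${NAME}` in `cfg.config` is now expanded, the `environmentFile` description should say so, e.g. "All `$VAR` references in `config` are substituted from the environment file at service start", so a literal dollar sign in the config is not silently eaten. Only `settingsFileUnsubstituted` is in `restartTriggers`, so an edited environment file takes effect only after a manual restart; a one-line comment there, `# changes to the environment file require a manual restart`, would spare the next reader the surprise. Minor: the name given to `pkgs.writeText` looks like an absolute path but only becomes part of the store-path name, so a plain `"sssd-unsubstituted.conf"` reads more accurately.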
+4 -2
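--- a/nixos/tests/sssd-ldap.nix
+++ b/nixos/tests/sssd-ldap.nix
@@ -28,7 +28,7 @@
       attrs = {
         objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
         olcDatabase = "{1}mdb";
-        olcDbDirectory = "/var/db/openldap";
+        olcDbDirectory = "/var/lib/openldap/db";
         olcSuffix = dbSuffix;
         olcRootDN = "cn=${ldapRootUser},${dbSuffix}";
         olcRootPW = ldapRootPassword;
@@ -67,6 +67,8 @@
 
     services.sssd = {
       enable = true;
+      # just for testing purposes, don't put this into the Nix store in production!
+      environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}";
       config = ''
         [sssd]
         config_file_version = 2
@@ -80,7 +82,7 @@
         ldap_search_base = ${dbSuffix}
         ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}
         ldap_default_authtok_type = password
-        ldap_default_authtok = ${ldapRootPassword}
+        ldap_default_authtok = $LDAP_BIND_PW
       '';
     };
   };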
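Review bot: The test now feeds the bind password through the environment file, but as far as this section shows nothing asserts the result of the substitution; the testScript lies outside the hunk, so this may already be covered there. Two cheap checks would pin the new behaviour: that the rendered `/var/lib/sssd/sssd.conf` contains no leftover `$LDAP_BIND_PW` placeholder, and that it carries the mode the module's `umask 0177` intends, e.g. `<machine>.succeed("! grep -q LDAP_BIND_PW /var/lib/sssd/sssd.conf")` and `<machine>.succeed("stat -c %a /var/lib/sssd/sssd.conf | grep -qx 600")` with the machine name taken from the test's nodes. Without them a regression that leaves the placeholder unexpanded would only surface as an LDAP bind failure further down, which is harder to attribute.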