Compare commits

...

3 Commits

10 changed files with 434 additions and 25 deletions

View File

@ -48,9 +48,9 @@
** use the same channel the system
** was built with
*/
nix.registry = {
nixpkgs.flake = inputs.nixpkgs;
};
# nix.registry = {
# nixpkgs.flake = inputs.nixpkgs;
# };
nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
environment.systemPackages = with pkgs; [

44
flake.lock generated
View File

@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1715445235,
"narHash": "sha256-SUu+oIWn+xqQIOlwfwNfS9Sek4i1HKsrLJchsDReXwA=",
"lastModified": 1720056646,
"narHash": "sha256-BymcV4HWtx2VFuabDCM4/nEJcfivCx0S02wUCz11mAY=",
"owner": "nix-community",
"repo": "disko",
"rev": "159d87ea5b95bbdea46f0288a33c5e1570272725",
"rev": "64679cd7f318c9b6595902b47d4585b1d51d5f9e",
"type": "github"
},
"original": {
@ -67,11 +67,11 @@
]
},
"locked": {
"lastModified": 1715364232,
"narHash": "sha256-ZJC3SkanEgbV7p+LFhP+85CviRWOXJNHzZwR/Stb7hE=",
"lastModified": 1716065905,
"narHash": "sha256-08uhxBzfakfhl/ooc+gMzDupWKYvTeyQZwuvB1SBS7A=",
"owner": "Programvareverkstedet",
"repo": "grzegorz",
"rev": "3841cda1cdcac470440b06838d56a2eb2256378c",
"rev": "0481aef6553ae9aee86e4edb4ca0ed4f2eba2058",
"type": "github"
},
"original": {
@ -87,11 +87,11 @@
]
},
"locked": {
"lastModified": 1715384651,
"narHash": "sha256-7RhckgUTjqeCjWkhiCc1iB+5CBx9fl80d/3O4Jh+5kM=",
"lastModified": 1716115695,
"narHash": "sha256-aI65l4x+U5v3i/nfn6N3eW5IZodmf4pyAByE7vTJh8I=",
"owner": "Programvareverkstedet",
"repo": "grzegorz-clients",
"rev": "738a4f3dd887f7c3612e4e772b83cbfa3cde5693",
"rev": "b9444658fbb39cd1bf1c61ee5a1d5f0641c49abe",
"type": "github"
},
"original": {
@ -143,11 +143,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1719520878,
"narHash": "sha256-5BXzNOl2RVHcfS/oxaZDKOi7gVuTyWPibQG0DHd5sSc=",
"lastModified": 1720137366,
"narHash": "sha256-Xn+WAX2t2yjNdgZEyEtjCLvkqjrGPVhKRGsM6ujUf8c=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a44bedbb48c367f0476e6a3a27bf28f6330faf23",
"rev": "f2a40608e6b55661cac28e473e28b6208da53c01",
"type": "github"
},
"original": {
@ -158,27 +158,27 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1714858427,
"narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
"lastModified": 1719720450,
"narHash": "sha256-57+R2Uj3wPeDeq8p8un19tzFFlgWiXJ8PbzgKtBgBX8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
"rev": "78f8641796edff3bfabbf1ef5029deadfe4a21d0",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1715435713,
"narHash": "sha256-lb2HqDQGfTdnCCpc1pgF6fkdgIOuBQ0nP8jjVSfLFqg=",
"lastModified": 1720149507,
"narHash": "sha256-OFJoD1jjxzFlY1tAsehEWVA88DbU5smzDPQuu9SmnXY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "52b40f6c4be12742b1504ca2eb4527e597bf2526",
"rev": "d9c0b9d611277e42e6db055636ba0409c59db6d2",
"type": "github"
},
"original": {
@ -249,11 +249,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1715244550,
"narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=",
"lastModified": 1720187017,
"narHash": "sha256-Zq+T1Bvd0ShZB9XM+bP0VJK3HjsSVQBLolkaCLBQnfQ=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f",
"rev": "1b11e208cee97c47677439625dc22e5289dcdead",
"type": "github"
},
"original": {

View File

@ -122,6 +122,7 @@
];
};
buskerud = stableNixosConfig "buskerud" { };
dagali = unstableNixosConfig "dagali" { };
};
devShells = forAllSystems (system: {

78
hosts/dagali/TODO.md Normal file
View File

@ -0,0 +1,78 @@
# Tracking document for new PVV kerberos auth stack
![Bensinstasjon på heimdal](https://bydelsnytt.no/wp-content/uploads/2022/08/esso_heimdal003.jpg)
<div align="center">
Bensinstasjon på heimdal
</div>
### TODO:
- [ ] setup heimdal
- [x] ensure running with systemd
- [x] compile smbk5pwd (part of openldap)
- [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively
- [ ] fully initialize PVV.NTNU.NO
- [x] `kadmin -l init PVV.NTNU.NO`
- [x] add oysteikt/admin@PVV.NTNU.NO principal
- [x] add oysteikt@PVV.NTNU.NO principal
- [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
- why is this needed, and where is it documented?
- `kadmin check` seems to work under sudo?
- (it is included by default, just included as error message
in a weird state)
- [x] Ensure client is working correctly
- [x] Ensure kinit works on darbu
- [x] Ensure kpasswd works on darbu
- [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
- [ ] Ensure kdc is working correctly
- [x] Ensure kinit works on dagali
- [x] Ensure kpasswd works on dagali
- [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
- [x] Fix FQDN
- https://github.com/NixOS/nixpkgs/issues/94011
- https://github.com/NixOS/nixpkgs/issues/261269
- Possibly fixed by disabling systemd-resolved
- [ ] setup cyrus sasl
- [x] ensure running with systemd
- [x] verify GSSAPI support plugin is installed
- `nix-shell -p cyrus_sasl --command pluginviewer`
- [x] create "host/localhost@PVV.NTNU.NO" and export to keytab
- [x] verify cyrus sasl is able to talk to heimdal
- `sudo testsaslauthd -u oysteikt -p <password>`
- [ ] provide ldap principal to cyrus sasl through keytab
- [ ] setup openldap
- [x] ensure running with systemd
- [ ] verify openldap is able to talk to cyrus sasl
- [ ] create user for oysteikt in openldap
- [ ] authenticate openldap login through sasl
- does this require creating an ldap user?
- [ ] fix smbk5pwd integration
- [x] add smbk5pwd schemas to openldap
- [x] create openldap db for smbk5pwd with overlays
- [ ] test to ensure that user sync is working
- [ ] test as user source (replace passwd)
- [ ] test as PAM auth source
- [ ] test as auth source for 3rd party appliation
- [ ] Set up ldap administration panel
- Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
- [ ] Set up kerberos SRV DNS entry
### Information and URLS
- OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html
- Use a keytab: https://kb.iu.edu/d/aumh
- 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos
- Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
- Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html
- PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos
- OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
- saslauthd(8): https://linux.die.net/man/8/saslauthd

View File

@ -0,0 +1,51 @@
{ config, pkgs, values, lib, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./services/heimdal.nix
#./services/openldap.nix
./services/cyrus-sasl.nix
];
# buskerud does not support efi?
# boot.loader.systemd-boot.enable = true;
# boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
# resolved messes up FQDN coming from nscd
services.resolved.enable = false;
networking.hostName = "dagali";
networking.domain = lib.mkForce "pvv.local";
networking.hosts = {
"129.241.210.185" = [ "dagali.pvv.local" ];
};
#networking.search = [ "pvv.ntnu.no" "pvv.org" ];
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
networking.tempAddresses = "disabled";
networking.networkmanager.enable = true;
systemd.network.networks."ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.dagali; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
# TODO: consider adding to base.nix
nix-output-monitor
];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
}

View File

@ -0,0 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4de345e2-be41-4d10-9b90-823b2c77e9b3";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/aa4b9a97-a7d8-4608-9f67-4ad084f1baf7"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

View File

@ -0,0 +1,21 @@
{ config, ... }:
let
cfg = config.services.saslauthd;
in
{
# TODO: This is seemingly required for openldap to authenticate
# against kerberos, but I have no idea how to configure it as
# such. Does it need a keytab? There's a binary "testsaslauthd"
# that follows with `pkgs.cyrus_sasl` that might be useful.
services.saslauthd = {
enable = true;
mechanism = "kerberos5";
config = ''
mech_list: gs2-krb5 gssapi
keytab: /etc/krb5.keytab
'';
};
# TODO: maybe the upstream module should consider doing this?
environment.systemPackages = [ cfg.package ];
}

View File

@ -0,0 +1,100 @@
{ config, pkgs, lib, ... }:
let
realm = "PVV.LOCAL";
cfg = config.security.krb5;
in
{
security.krb5 = {
enable = true;
# NOTE: This is required in order to build smbk5pwd, because of some nested includes.
# We should open an issue upstream (heimdal, not nixpkgs), but this patch
# will do for now.
package = pkgs.heimdal.overrideAttrs (prev: {
postInstall = prev.postInstall + ''
cp include/heim_threads.h $dev/include
'';
});
settings = {
realms.${realm} = {
kdc = [ "dagali.${lib.toLower realm}" ];
admin_server = "dagali.${lib.toLower realm}";
kpasswd_server = "dagali.${lib.toLower realm}";
default_domain = lib.toLower realm;
primary_kdc = "dagali.${lib.toLower realm}";
};
kadmin.default_keys = lib.concatStringsSep " " [
"aes256-cts-hmac-sha1-96:pw-salt"
"aes128-cts-hmac-sha1-96:pw-salt"
];
libdefaults.default_etypes = lib.concatStringsSep " " [
"aes256-cts-hmac-sha1-96"
"aes128-cts-hmac-sha1-96"
];
libdefaults = {
default_realm = realm;
dns_lookup_kdc = false;
dns_lookup_realm = false;
};
domain_realm = {
"${lib.toLower realm}" = realm;
".${lib.toLower realm}" = realm;
};
logging = {
# kdc = "CONSOLE";
kdc = "SYSLOG:DEBUG:AUTH";
admin_server = "SYSLOG:DEBUG:AUTH";
default = "SYSLOG:DEBUG:AUTH";
};
};
};
services.kerberos_server = {
enable = true;
settings = {
realms.${realm} = {
dbname = "/var/lib/heimdal/heimdal";
mkey = "/var/lib/heimdal/m-key";
acl = [
{
principal = "kadmin/admin";
access = "all";
}
{
principal = "felixalb/admin";
access = "all";
}
{
principal = "oysteikt/admin";
access = "all";
}
];
};
# kadmin.default_keys = lib.concatStringsSep " " [
# "aes256-cts-hmac-sha1-96:pw-salt"
# "aes128-cts-hmac-sha1-96:pw-salt"
# ];
# libdefaults.default_etypes = lib.concatStringsSep " " [
# "aes256-cts-hmac-sha1-96"
# "aes128-cts-hmac-sha1-96"
# ];
# password_quality.min_length = 8;
};
};
networking.firewall.allowedTCPPorts = [ 88 464 749 ];
networking.firewall.allowedUDPPorts = [ 88 464 749 ];
networking.hosts = {
"127.0.0.2" = lib.mkForce [ ];
"::1" = lib.mkForce [ ];
};
}

View File

@ -0,0 +1,121 @@
{ config, pkgs, lib, ... }:
{
services.openldap = let
dn = "dc=pvv,dc=ntnu,dc=no";
cfg = config.services.openldap;
heimdal = config.security.krb5.package;
in {
enable = true;
# NOTE: this is a custom build of openldap with support for
# perl and kerberos.
package = pkgs.openldap.overrideAttrs (prev: {
# https://github.com/openldap/openldap/blob/master/configure
configureFlags = prev.configureFlags ++ [
# Connect to slapd via UNIX socket
"--enable-local"
# Cyrus SASL
"--enable-spasswd"
# Reverse hostname lookups
"--enable-rlookups"
# perl
"--enable-perl"
];
buildInputs = prev.buildInputs ++ [
pkgs.perl
# NOTE: do not upstream this, it might not work with
# MIT in the same way
heimdal
];
extraContribModules = prev.extraContribModules ++ [
# https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
"smbk5pwd"
];
});
settings = {
attrs = {
olcLogLevel = [ "stats" "config" "args" ];
# olcAuthzRegexp = ''
# gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
# "uid=heimdal,${dn2}"
# '';
# olcSaslSecProps = "minssf=0";
};
children = {
"cn=schema".includes = let
# NOTE: needed for smbk5pwd.so module
schemaToLdif = name: path: pkgs.runCommandNoCC name {
buildInputs = with pkgs; [ schema2ldif ];
} ''
schema2ldif "${path}" > $out
'';
hdb-ldif = schemaToLdif "hdb.ldif" "${heimdal.src}/lib/hdb/hdb.schema";
samba-ldif = schemaToLdif "samba.ldif" "${heimdal.src}/tests/ldap/samba.schema";
in [
"${cfg.package}/etc/schema/core.ldif"
"${cfg.package}/etc/schema/cosine.ldif"
"${cfg.package}/etc/schema/nis.ldif"
"${cfg.package}/etc/schema/inetorgperson.ldif"
"${hdb-ldif}"
"${samba-ldif}"
];
# NOTE: installation of smbk5pwd.so module
# https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
"cn=module{0}".attrs = {
objectClass = [ "olcModuleList" ];
olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
};
# NOTE: activation of smbk5pwd.so module for {1}mdb
"olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
olcOverlay = "{0}smbk5pwd";
olcSmbK5PwdEnable = [ "krb5" "samba" ];
olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
};
"olcDatabase={1}mdb".attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcSuffix = dn;
# TODO: PW is supposed to be a secret, but it's probably fine for testing
olcRootDN = "cn=users,${dn}";
# TODO: replace with proper secret
olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
olcDbDirectory = "/var/lib/openldap/test-smbk5pwd-db";
olcDbIndex = "objectClass eq";
olcAccess = [
''{0}to attrs=userPassword,shadowLastChange
by dn.exact=cn=users,${dn} write
by self write
by anonymous auth
by * none''
''{1}to dn.base=""
by * read''
/* allow read on anything else */
# ''{2}to *
# by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
# by * read''
];
};
};
};
};
}

View File

@ -29,6 +29,10 @@ in rec {
ipv4 = pvv-ipv4 168;
ipv6 = pvv-ipv6 168;
};
dagali = {
ipv4 = pvv-ipv4 185;
ipv6 = pvv-ipv6 185;
};
ildkule = {
ipv4 = "10.212.25.209";
ipv6 = "2001:700:300:6025:f816:3eff:feee:812d";