author | Elizabeth <me@liz.coffee> | 2025-05-29 13:32:08 -0700 |
---|---|---|
committer | Elizabeth <me@liz.coffee> | 2025-05-29 13:32:08 -0700 |
commit | dbad03a65449c798ac8bccaf806dbdef8a360689 (patch) | |
tree | 0951040fa027069e2a08dac66ac8b02bf2802f32 /setup_kanidm.sh | |
parent | b7ee3b7eebb51dfe12d2db12fd891e58caee9cc3 (diff) | |
ideas that aren't done yet
Diffstat (limited to 'setup_kanidm.sh')
-rw-r--r-- | setup_kanidm.sh | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/setup_kanidm.sh b/setup_kanidm.sh
new file mode 100644
index 0000000..d6d50ab
--- /dev/null
+++ b/setup_kanidm.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+UNIXERS_GROUP = {{ unixers }}
+
+/etc/kanidm/config
+<<<
+uri = "https://{{ idm_domain }}"
+verify_ca = true
+verify_hostnames = true
+>>>
+
+/etc/kanidm/unixd
+<<<
+version = '2'
+
+default_shell = "/bin/zsh"
+
+home_attr = "uuid"
+home_alias = "name"
+home_prefix = "/home/"
+
+[kanidm]
+pam_allowed_login_groups = ["{{ unixers }}"]
+
+[[kanidm.map_group]]
+local = "admins"
+with = "coffee_admins"
+>>>
+
+/etc/sudo
+<<<
+%admins ALL=(ALL:ALL) ALL
+>>>
+
+systemctl enable --now kanidm-unixd
+systemctl enable --now kanidm-unixd-tasks
+
+add_line /etc/nsswitch.conf
+<<<
+passwd: kanidm files systemd
+group: kanidm [SUCCESS=merge] files systemd
+>>>
+
+add_line /etc/ssh/sshd_config.d/10-kanidm-keys.conf
+<<<
+PubkeyAuthentication yes
+UsePAM yes
+
+Match Group {{ unixers_group }}
+ AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u
+ AuthorizedKeysCommandUser nobody
+>>>
+
+# PAM
+add_line /etc/pam.d/common-account
+<<<
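Review bot: The sshd drop-in's `Match Group {{ unixers_group }}` uses a different template variable from the `{{ unixers }}` placeholder that `UNIXERS_GROUP` and `pam_allowed_login_groups` use, so the AuthorizedKeysCommand block and the PAM login allow-list can end up keyed to different groups; one name should be used throughout, e.g. `Match Group {{ unixers }}`. The sudo stanza is written to `/etc/sudo`, which is not a path sudo reads — presumably a file under `/etc/sudoers.d/` (mode 0440) is meant, and since it grants `%admins ALL=(ALL:ALL) ALL` the rendered text should be checked with `visudo -cf` before installation so a syntax error cannot break privilege escalation on the host. Because the `Match Group` block is the last thing in `10-kanidm-keys.conf`, its scope may carry into later-sorted drop-ins depending on how sshd handles Include; ending the file with `Match all` closes it explicitly. The file as a whole (`UNIXERS_GROUP = {{ unixers }}` with spaces around `=`, the `<<<`/`>>>` delimiters, the `add_line` helper that is not defined here) reads as a template for a not-yet-written runner rather than executable bash, which matches the commit message.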