Diffstat (limited to 'fs')
-rw-r--r--fs/etc/kanidm/config3
-rw-r--r--fs/etc/kanidm/unixd13
-rw-r--r--fs/etc/nsswitch.conf17
-rw-r--r--fs/etc/pam.d/system-auth28
-rw-r--r--fs/etc/ssh/sshd_config30
5 files changed, 91 insertions, 0 deletions
diff --git a/fs/etc/kanidm/config b/fs/etc/kanidm/config
new file mode 100644
index 0000000..c1d7951
--- /dev/null
+++ b/fs/etc/kanidm/config
@@ -0,0 +1,3 @@
+uri = "https://idm.liz.coffee"
+verify_ca = true
+verify_hostnames = true
diff --git a/fs/etc/kanidm/unixd b/fs/etc/kanidm/unixd
new file mode 100644
index 0000000..5a81dc3
--- /dev/null
+++ b/fs/etc/kanidm/unixd
@@ -0,0 +1,13 @@
+version = '2'
+
+default_shell = '/bin/zsh'
+
+home_attr = 'uuid'
+home_alias = 'name'
+home_prefix = '/home/'
+
+uid_attr_map = 'name'
+gid_attr_mao = 'name'
+
+[kanidm]
+pam_allowed_login_groups = ['unixers']
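Review bot: `gid_attr_mao = 'name'` in the top-level section is a typo for `gid_attr_map`, so the intended group-id mapping is never applied; depending on how strictly kanidm_unixd treats unknown keys it will either refuse the file at startup or silently keep the default gid mapping, which would then disagree with `uid_attr_map = 'name'` on the line above. Change it to `gid_attr_map = 'name'`. Note the file is TOML (quoted strings, an array under `[kanidm]`) rather than INI, so keep the single-quoted style when editing.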
diff --git a/fs/etc/nsswitch.conf b/fs/etc/nsswitch.conf
new file mode 100644
index 0000000..67c95b5
--- /dev/null
+++ b/fs/etc/nsswitch.conf
@@ -0,0 +1,17 @@
+passwd: kanidm files systemd
+group: kanidm files systemd
+
+shadow: files systemd
+gshadow: files systemd
+
+publickey: files
+
+hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
+networks: files
+
+protocols: files
+services: files
+ethers: files
+rpc: files
+
+netgroup: files
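Review bot: The `passwd:` and `group:` lines consult `kanidm` before `files`, so a name present in both sources resolves from the IDM side, a kanidm POSIX account or group that shares a name with a local one (root, a service account) shadows the local entry, and every lookup of a purely local name first has to round-trip to the unixd socket. If the intent is that local system accounts always win and keep resolving while kanidm_unixd is down, `passwd: files kanidm systemd` and `group: files kanidm systemd` is the safer order. If kanidm-first is deliberate (I believe the kanidm documentation shows that order), a one-line comment saying so would spare the next reader the question.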
diff --git a/fs/etc/pam.d/system-auth b/fs/etc/pam.d/system-auth
new file mode 100644
index 0000000..82b2f52
--- /dev/null
+++ b/fs/etc/pam.d/system-auth
@@ -0,0 +1,28 @@
+#%PAM-1.0
+
+auth required pam_faillock.so preauth
+auth sufficient pam_kanidm.so
+-auth [success=2 default=ignore] pam_systemd_home.so
+auth [success=1 default=bad] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail
+auth optional pam_permit.so
+auth required pam_env.so
+auth required pam_faillock.so authsucc
+
+account sufficient pam_kanidm.so
+-account [success=1 default=ignore] pam_systemd_home.so
+account required pam_unix.so
+account optional pam_permit.so
+account required pam_time.so
+
+password sufficient pam_kanidm.so
+-password [success=1 default=ignore] pam_systemd_home.so
+password required pam_unix.so try_first_pass shadow
+password optional pam_permit.so
+
+-session optional pam_systemd_home.so
+session required pam_limits.so
+session required pam_unix.so
+session optional pam_kanidm.so
+session optional pam_permit.so
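Review bot: In the auth stack, `auth sufficient pam_kanidm.so` returns from the stack as soon as the IDM password is accepted, so on that path `pam_env.so` and, more importantly, `pam_faillock.so authsucc` never run and the failure tally that `preauth` started is not reset for kanidm users, whereas the `pam_unix.so` path jumps over `authfail` and does reach `authsucc`. Unless pam_kanidm clears faillock itself (nothing here suggests it does), a user who mistypes a few times and then logs in correctly keeps the stale count until unlock_time expires. Making the kanidm line a jump like the systemd-homed one, `auth [success=3 default=ignore] pam_kanidm.so`, lands a successful IDM auth on `pam_permit.so`, then `pam_env.so`, then `authsucc`, and leaves the failure path as it is. Separately, `account sufficient pam_kanidm.so` means `pam_time.so` is never evaluated for IDM users; if the time restrictions are meant for everyone, move `pam_time.so` ahead of the kanidm line.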
+
diff --git a/fs/etc/ssh/sshd_config b/fs/etc/ssh/sshd_config
new file mode 100644
index 0000000..dec99a1
--- /dev/null
+++ b/fs/etc/ssh/sshd_config
@@ -0,0 +1,30 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port 22
+
+PermitRootLogin no
+PermitEmptyPasswords no
+PasswordAuthentication no
+
+PubkeyAuthentication yes
+UsePAM yes
+AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u
+AuthorizedKeysCommandUser nobody
+
+KbdInteractiveAuthentication no
+GSSAPIAuthentication no
+KerberosAuthentication no
+
+AllowAgentForwarding yes
+X11Forwarding no
+
+PrintMotd no
+PrintLastLog yes
+
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+TCPKeepAlive yes
+ClientAliveInterval 300
+ClientAliveCountMax 1
+