diff options
author | Alyssa Ross <hi@alyssa.is> | 2022-05-31 09:59:33 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2022-05-31 09:59:57 +0000 |
commit | 9ff36293d1e428cd7bf03e8d4b03611b6d361c28 (patch) | |
tree | 1ab51a42b868c55b83f6ccdb80371b9888739dd9 /nixos/modules/security/google_oslogin.nix | |
parent | 1c4fcd0d4b0541e674ee56ace1053e23e562cc80 (diff) | |
parent | ddc3c396a51918043bb0faa6f676abd9562be62c (diff) | |
download | nixpkgs-9ff36293d1e428cd7bf03e8d4b03611b6d361c28.tar nixpkgs-9ff36293d1e428cd7bf03e8d4b03611b6d361c28.tar.gz nixpkgs-9ff36293d1e428cd7bf03e8d4b03611b6d361c28.tar.bz2 nixpkgs-9ff36293d1e428cd7bf03e8d4b03611b6d361c28.tar.lz nixpkgs-9ff36293d1e428cd7bf03e8d4b03611b6d361c28.tar.xz nixpkgs-9ff36293d1e428cd7bf03e8d4b03611b6d361c28.tar.zst nixpkgs-9ff36293d1e428cd7bf03e8d4b03611b6d361c28.zip |
Last good Nixpkgs for Weston+nouveau? archive
I came this commit hash to terwiz[m] on IRC, who is trying to figure out what the last version of Spectrum that worked on their NUC with Nvidia graphics is.
Diffstat (limited to 'nixos/modules/security/google_oslogin.nix')
-rw-r--r-- | nixos/modules/security/google_oslogin.nix | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/nixos/modules/security/google_oslogin.nix b/nixos/modules/security/google_oslogin.nix new file mode 100644 index 00000000000..cf416035ef6 --- /dev/null +++ b/nixos/modules/security/google_oslogin.nix @@ -0,0 +1,71 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.security.googleOsLogin; + package = pkgs.google-guest-oslogin; + +in + +{ + + options = { + + security.googleOsLogin.enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable Google OS Login. + + The OS Login package enables the following components: + AuthorizedKeysCommand to query valid SSH keys from the user's OS Login + profile during ssh authentication phase. + NSS Module to provide user and group information + PAM Module for the sshd service, providing authorization and + authentication support, allowing the system to use data stored in + Google Cloud IAM permissions to control both, the ability to log into + an instance, and to perform operations as root (sudo). + ''; + }; + + }; + + config = mkIf cfg.enable { + security.pam.services.sshd = { + makeHomeDir = true; + googleOsLoginAccountVerification = true; + googleOsLoginAuthentication = true; + }; + + security.sudo.extraConfig = '' + #includedir /run/google-sudoers.d + ''; + systemd.tmpfiles.rules = [ + "d /run/google-sudoers.d 750 root root -" + "d /var/google-users.d 750 root root -" + ]; + + systemd.packages = [ package ]; + systemd.timers.google-oslogin-cache.wantedBy = [ "timers.target" ]; + + # enable the nss module, so user lookups etc. work + system.nssModules = [ package ]; + system.nssDatabases.passwd = [ "cache_oslogin" "oslogin" ]; + system.nssDatabases.group = [ "cache_oslogin" "oslogin" ]; + + # Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable. + # So indirect by a symlink. + environment.etc."ssh/authorized_keys_command_google_oslogin" = { + mode = "0755"; + text = '' + #!/bin/sh + exec ${package}/bin/google_authorized_keys "$@" + ''; + }; + services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command_google_oslogin %u"; + services.openssh.authorizedKeysCommandUser = "nobody"; + }; + +} |