diff --git a/hosts/skydick/DATAPOOL.md b/hosts/skydick/DATAPOOL.md index 6193625..695a281 100644 --- a/hosts/skydick/DATAPOOL.md +++ b/hosts/skydick/DATAPOOL.md @@ -10,10 +10,22 @@ |-------|-------------|----------|-----------|--------| | Public files | `/srv/public` | `\\SKYDICK\public` | `/public` | rw, all @storage users | | Media library | `/srv/media/library` | `\\SKYDICK\media` | `/media/library` | ro, all @storage users | -| Personal files | `/srv/users//files` | `\\SKYDICK\` | `/users/` | rw, owner only | +| Personal files | `/srv/users//files` | `\\SKYDICK\` | `/users/` | rw, SMB owner-authenticated; NFS network-trusted all_squash to owner | NFS paths are relative to the NFSv4 pseudo-root (`/srv` on the server, exported with `fsid=0`). +The share/export paths above are live. The dedicated `dick/users/*`, `dick/system/*`, and +`dick/templates/*` ZFS datasets are the intended final layout and still require explicit dataset +creation/migration on a host where only the legacy `dick/{share,media,backup,torrent,vm}` tree exists. + +## Identity and authentication + +- `skydick` resolves POSIX users and groups from LDAP at `ldap://10.0.0.1/`, base + `dc=skyw,dc=top` +- Local `/etc/passwd` users still win if the same username exists both locally and in LDAP +- SMB still uses Samba's local password database (`tdbsam`), not LDAP-backed SMB auth +- NFS still does not authenticate users; it trusts client IPs and export options + ## Connecting via SMB (Windows / macOS / Linux GUI) ### Windows @@ -27,6 +39,7 @@ ``` When prompted, enter your Samba credentials (set by the admin on skydick with `smbpasswd -a `). +LDAP identity on skydick does not replace SMB passwords yet. ### macOS 
@@ -146,7 +159,7 @@ │ ├── session/ ← client session/resume data │ └── config/ ← client configuration └── vm/ - └── files/ ← VM disk images (file-backed, accessible via NFS/SMB) + └── files/ ← VM disk images (file-backed, NFS-visible by default) ``` `bt-state` holds your torrent client's configuration and state databases. The actual media @@ -162,7 +175,25 @@ Admin procedure — run on skydick as root: -### 1. Add the user to NixOS config +### 1. Create or verify the user in LDAP + +Preferred for storage-only users. The LDAP entry should already contain: + +- `uid` +- `uidNumber` +- `gidNumber` +- `homeDirectory` +- `objectClass: posixAccount` + +Check it on skydick: + +```bash +getent passwd +``` + +### 2. Add a local NixOS user only if needed + +Only do this if the user needs SSH login, sudo, or a fixed local override that should win over LDAP. In `hosts/skydick/default.nix`: 
@@ -183,37 +214,48 @@ }; ``` -### 2. Add per-user tmpfiles and NFS export +### 3. Add per-user tmpfiles and NFS export + +Use numeric UID/GID in tmpfiles rules for LDAP-only users. This avoids boot-time dependence on NSS +name resolution. + +First get the IDs: + +```bash +uid=$(getent passwd | cut -d: -f3) +gid=$(getent passwd | cut -d: -f4) +``` In `hosts/skydick/datapool.nix`, add to `systemd.tmpfiles.rules`: ```nix -"d /srv/users/ 0700 users -" -"d /srv/users//files 0750 users -" -"d /srv/users//bt-state 0750 users -" -"d /srv/users//vm 0750 users -" -"d /srv/users//vm/files 0750 users -" +"d /srv/users/ 0700 -" +"d /srv/users//files 0750 -" +"d /srv/users//bt-state 0750 -" +"d /srv/users//vm 0750 -" +"d /srv/users//vm/files 0750 -" ``` Add to `services.nfs.server.exports`: ``` -/srv/users/ 10.0.0.0/16(rw,sync,no_subtree_check,all_squash,anonuid=,anongid=100) +/srv/users/ 10.0.0.0/16(rw,sync,no_subtree_check,all_squash,anonuid=,anongid=) ``` -Replace `` with the user's actual numeric UID (`id -u ` after first deploy). +Replace `` and `` with the LDAP-backed numeric IDs from `getent passwd`. -### 3. Deploy NixOS config +### 4. Deploy NixOS config ```bash sudo git -C /etc/nixos pull && sudo nixos-rebuild switch --flake /etc/nixos ``` -### 4. Create ZFS datasets on skydick +### 5. Create ZFS datasets on skydick ```bash -# Get the user's UID -uid=$(id -u ) +# Get the user's UID/GID +uid=$(getent passwd | cut -d: -f3) +gid=$(getent passwd | cut -d: -f4) # Create datasets zfs create -o mountpoint=/srv/users/ -o quota=10T dick/users/ 
@@ -223,21 +265,23 @@ mkdir -p /srv/users//vm/files # Set ownership -chown :users /srv/users/ && chmod 0700 /srv/users/ +chown "$uid:$gid" /srv/users/ && chmod 0700 /srv/users/ for d in files bt-state vm vm/files; do - chown :users /srv/users//$d && chmod 0750 /srv/users//$d + chown "$uid:$gid" /srv/users//$d && chmod 0750 /srv/users//$d done ``` -### 5. Set Samba password +### 6. Set Samba password ```bash smbpasswd -a ``` +This is still required even if the user exists in LDAP, because Samba auth is not LDAP-backed yet. + The user can now connect via SMB and NFS. -### 6. Re-export NFS +### 7. Re-export NFS ```bash exportfs -ra @@ -245,8 +289,8 @@ ## Quotas -Each user has a ZFS quota on their `dick/users/` dataset (default 10TB). This caps the -total across all child datasets (files + bt-state + vm). Check usage: +When a user's `dick/users/` dataset exists, its ZFS quota (default 10TB in the examples +above) caps the total across all child datasets (files + bt-state + vm). Check usage: ```bash zfs list -o name,used,quota -r dick/users @@ -304,9 +348,9 @@ ### SMB authentication fails -- Samba uses its own password database (tdbsam), separate from Unix login passwords +- Samba uses its own password database (tdbsam), separate from Unix login passwords and LDAP - Admin must run `smbpasswd -a ` on skydick to create/reset the Samba password -- LDAP-backed Samba auth is not yet configured +- `getent passwd ` succeeding only proves LDAP/NSS lookup works; it does not create an SMB login ### Slow NFS transfers diff --git a/hosts/skydick/default.nix b/hosts/skydick/default.nix index bc728ae..6bc5de9 100644 --- a/hosts/skydick/default.nix +++ b/hosts/skydick/default.nix 
@@ -200,6 +200,40 @@ }; # ========================================================================== + # LDAP IDENTITY + # ========================================================================== + age.secrets.skydick-ldap-bind = { + file = ../../secrets/skydick-ldap-bind.age; + owner = "nslcd"; + group = "nslcd"; + mode = "0400"; + }; + + # LDAP is used here for POSIX identity lookups only. SMB still uses Samba's + # local passdb until sambaSamAccount objects are provisioned in LDAP. + users.ldap = { + enable = true; + loginPam = false; + nsswitch = true; + daemon.enable = true; + server = "ldap://10.0.0.1/"; + base = "dc=skyw,dc=top"; + useTLS = false; + timeLimit = 5; + + bind = { + distinguishedName = "cn=query_user,dc=skyw,dc=top"; + passwordFile = config.age.secrets.skydick-ldap-bind.path; + timeLimit = 5; + policy = "hard_open"; + }; + + daemon.extraConfig = '' + nss_initgroups_ignoreusers ALLLOCAL + ''; + }; + + # ========================================================================== # MONITORING # ========================================================================== services.smartd = { @@ -231,6 +265,7 @@ iperf3 ethtool tcpdump + openldap # Performance & NUMA numactl diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 72c410c..613b2f7 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -12,4 +12,5 @@ "xlab-wg-wgnet-psk.age".publicKeys = [ admin xlab-gateway ]; "xlab-wg-warp.age".publicKeys = [ admin xlab-gateway ]; "influxdb-token.age".publicKeys = [ admin skydick ]; + "skydick-ldap-bind.age".publicKeys = [ admin skydick ]; } diff --git a/secrets/skydick-ldap-bind.age b/secrets/skydick-ldap-bind.age new file mode 100644 index 0000000..e229a77 --- /dev/null +++ b/secrets/skydick-ldap-bind.age Binary files differ
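Review bot: `useTLS = false;` combined with `server = "ldap://10.0.0.1/";` sends the `cn=query_user,dc=skyw,dc=top` bind password (the one this commit carefully wraps in `skydick-ldap-bind.age`) and every NSS lookup over the network in cleartext, so the secret is readable to anyone on the path each time nslcd binds, and an injected reply could hand back arbitrary `uidNumber`/`gidNumber` values that the numeric NFS `anonuid`/`anongid` mappings in DATAPOOL.md then trust for file ownership. Prefer `server = "ldaps://10.0.0.1/";` or `useTLS = true;` with the directory's CA configured, and if plaintext on this segment is a deliberate choice, record it next to the existing `# LDAP is used here for POSIX identity lookups only.` comment rather than leaving it implicit. Separately, nothing in the hunk documents that LDAP `uidNumber`/`gidNumber` ranges must not overlap local `/etc/passwd` IDs; name lookup is first-match but ownership and the exports are numeric, so a one-line comment such as `# LDAP uidNumber/gidNumber ranges must not collide with local accounts` would save the next maintainer from an accidental share-level identity overlap. The enclosing NixOS module attribute set starts and ends outside this hunk.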