Himmelblau provides a NixOS module and a set of packages for x86_64-linux and aarch64-linux. The module handles daemon startup, PAM/NSS wiring, and package installation automatically.

Cachix binary cache

Himmelblau builds and signs packages in CI and uploads them to Cachix. Use the cache to avoid compiling Himmelblau from source on every update:
nix profile install 'nixpkgs#cachix'
cachix use himmelblau
The cachix use command configures Nix to trust the Himmelblau signing key and adds the cache as a substituter.

Configuration

Choose the style that matches your NixOS setup. With flakes, add the Himmelblau repository to your flake inputs, then import the module and enable the service:
{
    inputs = {
        nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
        himmelblau.url = "github:himmelblau-idm/himmelblau/main";
        himmelblau.inputs.nixpkgs.follows = "nixpkgs";
    };
    outputs = { self, nixpkgs, himmelblau }: {
        nixosModules.azureEntraId = { config, pkgs, lib, ... }: {
            imports = [ himmelblau.nixosModules.himmelblau ];
            environment.systemPackages = [
                himmelblau.packages."x86_64-linux".aad-tool
                # himmelblau.packages."x86_64-linux".o365 # optional: o365 suite with teams-for-linux
                # himmelblau.packages."x86_64-linux".sso  # optional: for browsers other than Firefox / Chrome
            ];
            services.himmelblau = {
                enable = true;
                settings = {
                    domain = "my.domain.net";
                    pam_allow_groups = [ "ENTRA-GROUP-GUID-HERE" ];
                    local_groups = [ "wheel" "docker" ];
                };
            };
        };
        nixosConfigurations."your-machine" = nixpkgs.lib.nixosSystem {
            system = "x86_64-linux";
            modules = [
                self.nixosModules.azureEntraId
                ./machines/your-machine/configuration.nix
            ];
        };
    };
}

Module settings

The services.himmelblau module accepts the following top-level options:
Option                     Type             Description
enable                     bool             Enable the Himmelblau daemon and configure PAM/NSS.
settings.domain            string           Your Entra ID tenant domain (e.g. contoso.onmicrosoft.com).
settings.pam_allow_groups  list of strings  Entra group GUIDs whose members are permitted to log in.
settings.local_groups      list of strings  Local groups to add Entra users to (e.g. wheel, docker).
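A pre-deploy lint for the three settings above, added here as an example and not part of Himmelblau's own tooling. It assumes you have exported the evaluated settings to JSON (for instance with nix eval --json on the config.services.himmelblau.settings attribute of your nixosConfiguration); the two sample settings in the block are constructed, and the set of privileged local groups is an assumption you should adjust to your host.

```python
"""Lint services.himmelblau settings before they reach a host.

Catches the mistakes that silently weaken login gating: a placeholder instead
of an Entra group GUID, an empty allow list, a malformed tenant domain, and
local_groups that hand root-equivalent access to every Entra user allowed in.
"""
import json
import re
import sys

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,}$", re.I)
# Assumption: groups that grant root-equivalent access on a typical NixOS host.
PRIVILEGED_GROUPS = {"wheel", "docker", "root", "sudo"}

# Constructed sample: the placeholder config as it appears in a fresh flake.
SAMPLE_PLACEHOLDER = {
    "domain": "my.domain.net",
    "pam_allow_groups": ["ENTRA-GROUP-GUID-HERE"],
    "local_groups": ["wheel", "docker"],
}
# Constructed sample: a real-looking GUID and an unprivileged local group.
SAMPLE_HARDENED = {
    "domain": "contoso.onmicrosoft.com",
    "pam_allow_groups": ["3f2504e0-4f89-11d3-9a0c-0305e82c3301"],
    "local_groups": ["users"],
}


def lint_settings(settings: dict) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    domain = settings.get("domain", "")
    if not DOMAIN_RE.match(domain):
        findings.append(f"domain {domain!r} is not a valid tenant domain")
    groups = settings.get("pam_allow_groups", [])
    if not groups:
        findings.append("pam_allow_groups is empty: list the GUIDs of the groups allowed to log in")
    for g in groups:
        if not GUID_RE.match(g):
            findings.append(f"pam_allow_groups entry {g!r} is not a GUID (placeholder left in?)")
    for lg in settings.get("local_groups", []):
        if lg in PRIVILEGED_GROUPS:
            findings.append(f"local_groups grants {lg!r} to every allowed Entra user; confirm this is intended")
    return findings


if __name__ == "__main__":
    # Usage: nix eval --json '.#...settings' | python lint_himmelblau.py
    for finding in lint_settings(json.load(sys.stdin)):
        print("WARN:", finding)
```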

Available packages

The following packages are available under himmelblau.packages.<arch>:
Package   Description
daemon    The core himmelblaud authentication daemon.
pam       PAM module (pam_himmelblau.so) required for login integration.
nss       NSS module required for user/group resolution.
broker    Userspace broker that responds to SSO token requests.
sso       SSO helper for browsers other than Firefox and Chrome. Optional.
aad-tool  CLI tool for managing cache, credentials, and idmap. Recommended.
o365      Installs teams-for-linux with O365 suite shortcuts. Optional.
Supported architectures are x86_64-linux and aarch64-linux.
When you set services.himmelblau.enable = true, the module automatically installs the daemon, pam, nss, and broker packages. You only need to add aad-tool, sso, or o365 to environment.systemPackages manually if you want them.
