From 1ed36b4f66f17bf9d3082aa88b74f1446958b54c Mon Sep 17 00:00:00 2001 From: arcnmx Date: Fri, 15 Mar 2024 13:50:47 -0700 Subject: [PATCH] feat(idp): ipa and krb5 hosts --- modules/nixos/kanidm.nix | 4 +- modules/nixos/samba.nix | 124 ++++++++++++------ nixos/base/nixpkgs.nix | 1 + nixos/ipa.nix | 51 +++++++ nixos/kyuuto/nfs.nix | 33 ++++- nixos/kyuuto/opl.nix | 2 +- nixos/nfs.nix | 45 ++++--- nixos/samba.nix | 61 +++++++-- nixos/secrets/samba.yaml | 5 +- overlays/default.nix | 1 + overlays/samba.nix | 30 +++++ packages/default.nix | 4 + packages/freeipa-ipasam.patch | 28 ++++ systems/hakurei/nixos.nix | 1 + systems/hakurei/secrets.yaml | 5 +- systems/reimu/nixos.nix | 1 + systems/reimu/secrets.yaml | 5 +- .../net.auth-rpcgss-module.service.overrides | 2 + systems/reisen/setup.sh | 7 + 19 files changed, 327 insertions(+), 83 deletions(-) create mode 100644 nixos/ipa.nix create mode 100644 overlays/samba.nix create mode 100644 packages/freeipa-ipasam.patch create mode 100644 systems/reisen/net.auth-rpcgss-module.service.overrides diff --git a/modules/nixos/kanidm.nix b/modules/nixos/kanidm.nix index e379f715..77b48c6c 100644 --- a/modules/nixos/kanidm.nix +++ b/modules/nixos/kanidm.nix @@ -1,8 +1,10 @@ { + inputs, lib, config, ... }: let + inherit (inputs.self.lib.lib) mkBaseDn; inherit (lib) mkIf mkMerge mkBefore mkDefault mkOptionDefault mkEnableOption mkOption; inherit (lib.strings) splitString concatMapStringsSep; inherit (config.lib.access) mkSnakeOil; @@ -46,7 +48,7 @@ in { }; baseDn = mkOption { type = str; - default = concatMapStringsSep "," (part: "dc=${part}") (splitString "." cfg.serverSettings.domain); + default = mkBaseDn cfg.serverSettings.domain; }; }; }; diff --git a/modules/nixos/samba.nix b/modules/nixos/samba.nix index 74927496..7da70283 100644 --- a/modules/nixos/samba.nix +++ b/modules/nixos/samba.nix 
@@ -5,7 +5,7 @@ ... }: let inherit (lib.options) mkOption mkEnableOption; - inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault; + inherit (lib.modules) mkIf mkMerge mkBefore mkForce mkDefault mkOptionDefault; inherit (lib.attrsets) mapAttrs' mapAttrsToList nameValuePair; inherit (lib.strings) hasPrefix concatMapStringsSep; inherit (config.services) samba-wsdd; @@ -25,9 +25,23 @@ in { in { ldap = { enable = mkEnableOption "LDAP"; - idmapDomain = mkOption { - type = str; - default = "*"; + passdb = { + enable = mkEnableOption "LDAP authentication" // { + default = true; + }; + backend = mkOption { + type = enum [ "ldapsam" "ipasam" ]; + default = "ldapsam"; + }; + }; + idmap = { + enable = mkEnableOption "LDAP users" // { + default = true; + }; + domain = mkOption { + type = str; + default = "*"; + }; }; url = mkOption { type = str; @@ -36,7 +50,7 @@ in { type = str; }; adminDn = mkOption { - type = str; + type = nullOr str; default = "name=anonymous,${cfg.ldap.baseDn}"; }; adminPasswordPath = mkOption { @@ -44,6 +58,16 @@ in { default = null; }; }; + kerberos = { + enable = mkEnableOption "krb5"; + realm = mkOption { + type = str; + }; + keytabPath = mkOption { + type = nullOr path; + default = null; + }; + }; usershare = { enable = mkEnableOption "usershare"; group = mkOption { @@ -87,7 +111,7 @@ in { }; max = mkOption { type = int; - default = 10000; + default = 65534; }; }; readOnly = mkOption { 
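Review bot: `keytabPath` is declared as `nullOr path`, and the `-130` hunk of this same file interpolates it into `"FILE:${cfg.kerberos.keytabPath}"`; a caller who sets the value as a Nix path literal (`/etc/krb5.keytab`) instead of a string will have the keytab imported into the world-readable Nix store at evaluation time, because `types.path` passes path literals through unchanged and string interpolation copies them. Declare it as `type = nullOr str;` (or wrap the use in `toString`) and say why in a description, e.g. `description = "Keytab holding this host's service principal for smbd; give a string, never a path literal, so the key is not copied into the store.";`. The `kerberos` option set sits inside a `services.samba` options block whose start is outside this hunk.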
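Review bot: Raising the default idmap `range.max` to 65534 lets an allocating backend such as idmap_ldap hand out uid/gid 65534, which NixOS reserves for `nobody`/`nogroup`, so a mapped SID can collide with the unprivileged placeholder account. Stop short of it with `default = 65533;`, or move the default range above the static-id space entirely (Samba documentation commonly uses ranges like 10000–999999 for allocating backends). Only the option default changes; hosts that set a range explicitly are unaffected.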
@@ -130,53 +154,69 @@ in { config = { services.samba = { - package = mkIf cfg.ldap.enable (mkDefault (pkgs.samba.override { - enableLDAP = true; - })); + package = mkIf cfg.ldap.enable (mkDefault ( + if cfg.ldap.passdb.enable && cfg.ldap.passdb.backend == "ipasam" then pkgs.samba-ipa else pkgs.samba-ldap + )); ldap = { - adminPasswordPath = mkIf (hasPrefix "name=anonymous," cfg.ldap.adminDn) (mkDefault ( + adminPasswordPath = mkIf (cfg.ldap.adminDn != null && hasPrefix "name=anonymous," cfg.ldap.adminDn) (mkDefault ( pkgs.writeText "smb-ldap-anonymous" "anonymous" )); }; idmap.domains = mkMerge [ - (mkIf cfg.ldap.enable { + (mkIf (cfg.ldap.enable && cfg.ldap.idmap.enable) { ldap = { - domain = mkDefault cfg.ldap.idmapDomain; + backend = mkOptionDefault "ldap"; + domain = mkDefault cfg.ldap.idmap.domain; + settings = { + ldap_url = mkOptionDefault cfg.ldap.url; + }; }; }) ]; settings = mkMerge ([ - { - "use sendfile" = mkOptionDefault true; - } - (mkIf (cfg.passdb.smbpasswd.path != null) { - "passdb backend" = mkOptionDefault "smbpasswd:${cfg.passdb.smbpasswd.path}"; - }) - (mkIf cfg.ldap.enable { - "passdb backend" = mkOptionDefault ''ldapsam:"${cfg.ldap.url}"''; - "ldap ssl" = mkIf (hasPrefix "ldaps://" cfg.ldap.url) (mkOptionDefault "off"); - "ldap admin dn" = mkOptionDefault "name=anonymous,${cfg.ldap.baseDn}"; - "ldap suffix" = mkOptionDefault cfg.ldap.baseDn; - }) - (mkIf (cfg.ldap.enable && true) { - "ntlm auth" = mkOptionDefault "disabled"; - "encrypt passwords" = mkOptionDefault false; - }) - (mkIf cfg.usershare.enable { - "usershare allow guests" = mkOptionDefault true; - "usershare max shares" = mkOptionDefault 16; - "usershare owner only" = mkOptionDefault true; - "usershare template share" = mkOptionDefault cfg.usershare.templateShare; - "usershare path" = mkOptionDefault cfg.usershare.path; - "usershare prefix allow list" = mkOptionDefault [cfg.usershare.path]; - }) - (mkIf cfg.guest.enable { - "map to guest" = mkOptionDefault "Bad User"; - "guest 
account" = mkOptionDefault cfg.guest.user; - }) + { + "use sendfile" = mkOptionDefault true; + } + (mkIf (cfg.passdb.smbpasswd.path != null) { + "passdb backend" = mkOptionDefault "smbpasswd:${cfg.passdb.smbpasswd.path}"; + }) + (mkIf cfg.ldap.enable { + "ldap ssl" = mkIf (hasPrefix "ldaps://" cfg.ldap.url) (mkOptionDefault "off"); + "ldap admin dn" = mkIf (cfg.ldap.adminDn != null) (mkOptionDefault cfg.ldap.adminDn); + "ldap suffix" = mkOptionDefault cfg.ldap.baseDn; + }) + (mkIf cfg.kerberos.enable { + "realm" = mkOptionDefault cfg.kerberos.realm; + "kerberos method" = mkOptionDefault ( + if cfg.kerberos.keytabPath != null then "dedicated keytab" + else "system keytab" + ); + "dedicated keytab file" = mkIf (cfg.kerberos.keytabPath != null) (mkOptionDefault + "FILE:${cfg.kerberos.keytabPath}" + ); + "create krb5 conf" = mkOptionDefault false; + }) + (mkIf cfg.usershare.enable { + "usershare allow guests" = mkOptionDefault true; + "usershare max shares" = mkOptionDefault 16; + "usershare owner only" = mkOptionDefault true; + "usershare template share" = mkOptionDefault cfg.usershare.templateShare; + "usershare path" = mkOptionDefault cfg.usershare.path; + "usershare prefix allow list" = mkOptionDefault [ cfg.usershare.path ]; + }) + (mkIf cfg.guest.enable { + "map to guest" = mkOptionDefault "Bad User"; + "guest account" = mkOptionDefault cfg.guest.user; + }) + ] ++ mapAttrsToList (_: idmap: mapAttrs' (key: value: nameValuePair "idmap config ${idmap.domain} : ${key}" (mkOptionDefault value)) idmap.settings) cfg.idmap.domains); + extraConfig = mkMerge ( + mapAttrsToList (key: value: ''${key} = ${settingValue value}'') cfg.settings + ++ [ + (mkIf (cfg.ldap.enable && cfg.ldap.passdb.enable) (mkBefore '' + passdb backend = ${cfg.ldap.passdb.backend}:"${cfg.ldap.url}" + '')) ] - ++ mapAttrsToList (_: idmap: mapAttrs' (key: value: nameValuePair "idmap config ${idmap.domain} : ${key}" (mkOptionDefault value)) idmap.settings) cfg.idmap.domains); - extraConfig = mkMerge 
(mapAttrsToList (key: value: ''${key} = ${settingValue value}'') cfg.settings); + ); shares.${cfg.usershare.templateShare} = mkIf cfg.usershare.enable { "-valid" = false; }; diff --git a/nixos/base/nixpkgs.nix b/nixos/base/nixpkgs.nix index 92288607..9dea092e 100644 --- a/nixos/base/nixpkgs.nix +++ b/nixos/base/nixpkgs.nix @@ -2,6 +2,7 @@ nixpkgs = { overlays = [ inputs.arcexprs.overlays.default + (import ../../overlays/samba.nix) ]; config = { allowUnfree = true; diff --git a/nixos/ipa.nix b/nixos/ipa.nix new file mode 100644 index 00000000..a65f0184 --- /dev/null +++ b/nixos/ipa.nix 
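Review bot: The LDAP `passdb backend` line is emitted into `extraConfig` with `mkBefore`, i.e. ahead of everything generated from `cfg.settings`, and smb.conf keeps the last definition of a global parameter, so a `passdb backend` in `settings` — including the `smbpasswd:` entry this hunk still produces whenever `cfg.passdb.smbpasswd.path` is set — silently overrides the LDAP/IPA backend instead of being reported. Either suppress the smbpasswd entry when `cfg.ldap.passdb.enable` is true, or make the conflict loud: `assertions = [ { assertion = !(cfg.ldap.enable && cfg.ldap.passdb.enable && cfg.passdb.smbpasswd.path != null); message = "services.samba: the ldap passdb backend and passdb.smbpasswd.path are mutually exclusive"; } ];`. The `config` attrset edited here continues past the end of the hunk.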
@@ -0,0 +1,51 @@
+{ inputs, pkgs, config, lib, ... }: let
+ inherit (inputs.self.lib.lib) mkBaseDn;
+ inherit (lib.modules) mkIf mkForce mkDefault;
+ inherit (lib.strings) toUpper splitString concatMapStringsSep;
+ inherit (config.networking) domain;
+ cfg = config.security.ipa;
+ baseDn = mkBaseDn domain;
+ caPem = pkgs.fetchurl {
+ name = "idp.${domain}.ca.pem";
+ url = "https://freeipa.${domain}/ipa/config/ca.crt";
+ sha256 = "sha256-PKjnjn1jIq9x4BX8+WGkZfj4HQtmnHqmFSALqggo91o=";
+ };
+in {
+ # NOTE: requires manual post-install setup...
+ # :; kinit admin
+ # :; ipa-join --hostname=${config.networking.fqdn} -k /tmp/krb5.keytab -s idp.${domain}
+ # then to authorize it for a specific service...
+ # :; ipa-getkeytab -k /tmp/krb5.keytab -s idp.${domain} -p ${serviceName}/idp.${domain}@${toUpper domain}
+ # once the sops secret has been updated with keytab...
+ # :; systemctl restart sssd
+ config = {
+ security.ipa = {
+ enable = mkDefault true;
+ certificate = mkDefault caPem;
+ basedn = mkDefault baseDn;
+ chromiumSupport = mkDefault false;
+ domain = mkDefault domain;
+ realm = mkDefault (toUpper domain);
+ server = mkDefault "idp.${domain}";
+ ifpAllowedUids = [
+ "root"
+ ] ++ config.users.groups.wheel.members;
+ dyndns.enable = mkDefault false;
+ };
+ networking.extraHosts = mkIf cfg.enable ''
+ 10.1.1.46 idp.${domain}
+ '';
+ systemd.services.auth-rpcgss-module = mkIf (cfg.enable && !config.boot.modprobeConfig.enable) {
+ serviceConfig.ExecStart = mkForce [
+ ""
+ "${pkgs.coreutils}/bin/true"
+ ];
+ };
+ sops.secrets = {
+ krb5-keytab = mkIf cfg.enable {
+ mode = "0400";
+ path = "/etc/krb5.keytab";
+ };
+ };
+ };
+}
diff --git a/nixos/kyuuto/nfs.nix b/nixos/kyuuto/nfs.nix
index 28a3547e..a9386c16 100644
--- a/nixos/kyuuto/nfs.nix
+++ b/nixos/kyuuto/nfs.nix
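Review bot: The setup recipe in the NOTE comment asks for the wrong host's service key: `ipa-getkeytab ... -p ${serviceName}/idp.${domain}@${toUpper domain}` names a principal of the IdP server, while the keytab this file installs at `/etc/krb5.keytab` must hold this host's own service principal, so the line should read `# :; ipa-getkeytab -k /tmp/krb5.keytab -s idp.${domain} -p ${serviceName}/${config.networking.fqdn}@${toUpper domain}` (for the Samba consumer that is presumably `cifs/<fqdn>`). The comment should also warn against staging the keytab in `/tmp` — a private directory or `umask 077` — since that file is the host's long-term key until it lands in sops. The hard-coded `10.1.1.46 idp.${domain}` hosts entry and the `fetchurl` of the CA are acceptable only because the CA is pinned by `sha256`; a one-line comment that the hash, not the HTTPS fetch, is what makes the trust anchor trustworthy would help whoever bumps it next.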
@@ -9,15 +9,40 @@ inherit (config) kyuuto; in { services.nfs.server.exports = let - mapPerm = perm: map (addr: "${addr}(${perm})"); + mapPerm = perm: map (addr: "${addr}(${concatStringsSep "," perm})"); toPerms = concatStringsSep " "; localAddrs = cidrForNetwork.loopback.all ++ cidrForNetwork.local.all; tailAddrs = optionals config.services.tailscale.enable cidrForNetwork.tail.all; allAddrs = localAddrs ++ tailAddrs; + globalAddrs = [ + "@peeps" + ]; + common = [ + "no_subtree_check" + ]; + sec = [ + "sec=${concatStringsSep ":" [ "krb5i" "krb5" "krb5p" ]}" + # TODO: no_root_squash..? + ]; + anon = [ + "sec=sys" + "all_squash" + "anonuid=${toString config.users.users.guest.uid}" + "anongid=${toString config.users.groups.${config.users.users.guest.group}.gid}" + ]; + # TODO: this can be simplified by specifying `sec=` multiple times, with restrictive options following sec=sys,all_squash,ro,etc + kyuutoOpts = common; kyuutoPerms = - mapPerm "ro" localAddrs - ++ mapPerm "rw" tailAddrs; - transferPerms = mapPerm "rw" allAddrs; + mapPerm (kyuutoOpts ++ [ "rw" ] ++ sec) globalAddrs + ++ mapPerm (kyuutoOpts ++ [ "ro" ] ++ anon) localAddrs + # XXX: remove me once kerberos is set up! + ++ mapPerm (kyuutoOpts ++ [ "rw" "sec=sys" ]) tailAddrs + ; + transferOpts = common ++ [ "rw" "async" ]; + transferPerms = + mapPerm (transferOpts ++ sec) globalAddrs + ++ mapPerm (transferOpts ++ anon) allAddrs + ; in '' ${kyuuto.mountDir} ${toPerms kyuutoPerms} ${kyuuto.transferDir} ${toPerms transferPerms} diff --git a/nixos/kyuuto/opl.nix b/nixos/kyuuto/opl.nix index 34c797b8..5628676b 100644 --- a/nixos/kyuuto/opl.nix +++ b/nixos/kyuuto/opl.nix @@ -38,6 +38,7 @@ in { settings = mkIf cfg.enable { "ntlm auth" = mkDefault "ntlmv1-permitted"; "server min protocol" = mkDefault "NT1"; + "keepalive" = mkDefault 0; }; shares.opl = let inherit (config.networking.access) cidrForNetwork; 
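Review bot: The `# TODO: no_root_squash..?` next to the Kerberos `sec=` entry deserves a clear no: Kerberos proves which principal is on the other end, not that its local root should be root on the server's export, so keep the default `root_squash` for `@peeps` and grant elevated access per export only where a specific host truly needs it. The flavor order `sec=krb5i:krb5:krb5p` also lists plain `krb5` (authentication only, no integrity or privacy) ahead of `krb5p`; as far as I recall the server presents flavors in list order and clients take the first they support, so `sec=${concatStringsSep ":" [ "krb5p" "krb5i" ]}` would prefer protection and drop the unprotected flavor. The `rw` `sec=sys` entry for `tailAddrs` is already marked `XXX` for removal, so I will only note that until then it is the one entry trusting client-asserted UIDs without `all_squash`.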
@@ -57,7 +58,6 @@ in { "@kyuuto-peeps" ]; "strict sync" = false; - "keepalive" = 0; "hosts allow" = localAddrs; }; }; diff --git a/nixos/nfs.nix b/nixos/nfs.nix index f1d6a0b3..ddd22e07 100644 --- a/nixos/nfs.nix +++ b/nixos/nfs.nix @@ -1,13 +1,15 @@ { + inputs, config, lib, - access, ... }: let - inherit (lib.modules) mkIf mkDefault; + inherit (inputs.self.lib.lib) mkBaseDn; + inherit (lib.modules) mkIf mkForce mkDefault; inherit (lib.lists) optional; - inherit (lib.strings) concatStringsSep concatMapStringsSep splitString; + inherit (lib.strings) toUpper concatStringsSep concatMapStringsSep splitString; cfg = config.services.nfs; + inherit (config.networking) domain; openPorts = [ (mkIf cfg.server.enable 2049) (mkIf config.services.rpcbind.enable 111) @@ -16,8 +18,7 @@ (mkIf (cfg.server.mountdPort != null) cfg.server.mountdPort) ]; enableLdap = false; - system = access.nixosFor "tei"; - inherit (system.services) kanidm; + baseDn = mkBaseDn domain; in { services.nfs = { server = { 
@@ -27,25 +28,35 @@ in { mountdPort = mkDefault 4002; }; idmapd.settings = { - General.Domain = mkDefault config.networking.domain; - Translation.GSS-Methods = concatStringsSep "," ( - ["static"] + General = { + Domain = mkForce domain; + Local-Realms = concatStringsSep "," [ + (toUpper domain) + #(toString config.networking.fqdn) + ]; + }; + Translation.Method = mkForce (concatStringsSep "," ( + [ "static" ] ++ optional enableLdap "umich_ldap" - ++ ["nsswitch"] - ); + ++ [ "nsswitch" ] + )); Static = { }; UMICH_SCHEMA = mkIf enableLdap { - LDAP_server = "ldap.local.${config.networking.domain}"; + LDAP_server = "ldap.local.${domain}"; LDAP_use_ssl = true; LDAP_ca_cert = "/etc/ssl/certs/ca-bundle.crt"; - LDAP_base = kanidm.server.ldap.baseDn; - NFSv4_person_objectclass = "account"; - NFSv4_group_objectclass = "group"; - NFSv4_name_attr = "name"; - NFSv4_group_attr = "name"; + LDAP_base = baseDn; + LDAP_people_base = "cn=users,cn=accounts,${baseDn}"; + LDAP_group_base = "cn=groups,cn=accounts,${baseDn}"; + GSS_principal_attr = "krbPrincipalName"; + NFSv4_person_objectclass = "posixaccount"; # or "person"? + NFSv4_group_objectclass = "posixgroup"; + NFSv4_name_attr = "krbCanonicalName"; # uid? cn? gecos? + NFSv4_group_attr = "cn"; NFSv4_uid_attr = "gidnumber"; - NFSv4_gid_attr = "gidnumber"; + NFSv4_gid_attr = "uidnumber"; + #LDAP_use_memberof_for_groups = true; LDAP_canonicalize_name = false; }; }; diff --git a/nixos/samba.nix b/nixos/samba.nix index ffa9b61d..f1f9a12d 100644 --- a/nixos/samba.nix +++ b/nixos/samba.nix 
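Review bot: The UMICH_SCHEMA block now maps the id attributes the wrong way round: `NFSv4_uid_attr = "gidnumber";` together with `NFSv4_gid_attr = "uidnumber";` would resolve a user's uid from their primary gid and vice versa, so NFSv4 ownership comes out swapped the day LDAP mapping is switched on. Set `NFSv4_uid_attr = "uidnumber";` and `NFSv4_gid_attr = "gidnumber";`. This is dormant today because `enableLdap = false` is still hard-coded a few lines above, outside this hunk, but the `krbCanonicalName`/`posixaccount` choices flagged with `?` in the same hunk will be much easier to test once the id attributes are right.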
@@ -1,12 +1,15 @@ { + inputs, config, lib, ... }: let - inherit (lib.modules) mkIf mkDefault; + inherit (inputs.self.lib.lib) mkBaseDn; + inherit (lib.modules) mkIf mkMerge mkDefault; inherit (lib.lists) any; - inherit (lib.strings) hasInfix concatMapStringsSep splitString; + inherit (lib.strings) toUpper hasInfix; cfg = config.services.samba; + inherit (config.networking) domain; hasIpv4 = any (hasInfix ".") config.systemd.network.networks.eth0.address or []; in { services.samba = { @@ -15,8 +18,25 @@ in { enableNmbd = mkDefault hasIpv4; securityType = mkDefault "user"; ldap = { - url = mkDefault "ldaps://ldap.local.${config.networking.domain}"; - baseDn = mkDefault (concatMapStringsSep "," (part: "dc=${part}") (splitString "." config.networking.domain)); + enable = mkDefault true; + url = mkDefault "ldaps://ldap.local.${domain}"; + baseDn = mkDefault (mkBaseDn domain); + adminDn = mkDefault "uid=samba,cn=sysaccounts,cn=etc,${cfg.ldap.baseDn}"; + adminPasswordPath = mkIf cfg.ldap.enable ( + mkDefault config.sops.secrets.smb-ldap-password.path + ); + passdb = { + # XXX: broken backend :< + #backend = mkIf config.security.ipa.enable (mkDefault "ipasam"); + }; + idmap = { + enable = mkIf config.services.sssd.enable (mkDefault false); + domain = mkDefault cfg.settings.workgroup; + }; + }; + kerberos = mkIf (config.security.krb5.enable || config.security.ipa.enable) { + enable = true; + realm = toUpper domain; }; usershare = { group = mkDefault "peeps"; @@ -25,8 +45,10 @@ in { enable = mkDefault true; user = mkDefault "guest"; }; - passdb.smbpasswd.path = mkDefault config.sops.secrets.smbpasswd.path; - settings = { + passdb.smbpasswd.path = mkIf (!cfg.ldap.enable || !cfg.ldap.passdb.enable) ( + mkDefault config.sops.secrets.smbpasswd.path + ); + settings = mkMerge [ { workgroup = "GENSOKYO"; "local master" = false; "preferred master" = false; 
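Review bot: The `kerberos` block sets `realm` but no `keytabPath`, so the module falls through to `kerberos method = system keytab` and smbd reads `/etc/krb5.keytab`, the file nixos/ipa.nix installs root-only at mode 0400 — fine as long as smbd runs as root, as the stock NixOS service does as far as I know — but nothing here records that the keytab must also carry a `cifs/<fqdn>` principal (presumably obtained with `ipa-getkeytab`) for Kerberos SMB logons to work. Add a comment on the block: `# no keytabPath: smbd uses /etc/krb5.keytab from nixos/ipa.nix; it must contain cifs/<fqdn>@REALM`. The `adminDn` bind account `uid=samba,cn=sysaccounts,cn=etc,...` with its sops-held password is the other credential worth a comment, namely that its directory ACI should be limited to the reads ldapsam needs rather than admin-level access — I cannot see the ACI from here, so treat that as a question rather than a finding.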
@@ -37,12 +59,22 @@ in { "remote announce" = mkIf hasIpv4 [ "10.1.1.255/${cfg.settings.workgroup}" ]; - }; - idmap.domains = mkIf (!cfg.ldap.enable) { - nss = { + } (mkIf cfg.ldap.enable { + "ldapsam:trusted" = true; + "ldapsam:editposix" = false; + "ldap user suffix" = "cn=users,cn=accounts"; + "ldap group suffix" = "cn=groups,cn=accounts"; + }) ]; + idmap.domains = { + nss = mkIf (!cfg.ldap.enable || !cfg.ldap.idmap.enable) { backend = "nss"; domain = "*"; range.min = 8000; + #range.max = 8256; + }; + ldap = mkIf (cfg.ldap.enable && cfg.ldap.idmap.enable) { + range.min = 8000; + #range.min = 8256; }; }; }; @@ -52,8 +84,13 @@ in { hostname = mkDefault config.networking.hostName; }; - sops.secrets.smbpasswd = { - sopsFile = mkDefault ./secrets/samba.yaml; - #path = "/var/lib/samba/private/smbpasswd"; + sops.secrets = { + smbpasswd = mkIf (!cfg.ldap.enable || !cfg.ldap.passdb.enable) { + sopsFile = mkDefault ./secrets/samba.yaml; + #path = "/var/lib/samba/private/smbpasswd"; + }; + smb-ldap-password = mkIf cfg.ldap.enable { + sopsFile = mkDefault ./secrets/samba.yaml; + }; }; } diff --git a/nixos/secrets/samba.yaml b/nixos/secrets/samba.yaml index 0343a3e9..58a6a193 100644 --- a/nixos/secrets/samba.yaml +++ b/nixos/secrets/samba.yaml @@ -1,4 +1,5 @@ smbpasswd: ENC[AES256_GCM,data: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,iv:Ciw/zsXUiITP9vZJgvb9hDRgPZ1jSFISK+8Dqb2DeOs=,tag:Hn/k1t7AmM60tc6fOjj35w==,type:str] +smb-ldap-password: ENC[AES256_GCM,data:ny+9oyh7MwRWXkq175vJ9IKWP6tyWAqjNHqlSiYNnYY=,iv:7BAZ05CgR0FZGc6xP/RfeVtK0vh+1PtJnk25wdXNchk=,tag:OmBHpUwgVQtyfRv9wASQYg==,type:str] sops: shamir_threshold: 1 kms: [] 
@@ -42,8 +43,8 @@ sops: VitlT3d6d1FOSzFKTFRIWDU3cmJ2aXMKDN7HPa6pQSZd21cLvfk+sYvLqZm9eN+7 K1v7M9MXLY+nh1YGGbtDbWHh09p8g37tS1OwgGAiETh+z7hWsGHYdw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-28T21:51:11Z" - mac: ENC[AES256_GCM,data:nHX08Itwgn4HI98tzq08VOwVG+bZGlBYMUe19SEECo9dRpH9P5eApV1ho8RknPHrTv6m3PBvapaIsTjp7uDVajjXRDKcWCb+5wYN+g0FHTSICohoRvwq0JNqHFszW+CnT5EdMw4V09B94LwDJB2YRABCTwPn2x69p8QU3GLjhrY=,iv:tCYrAcJLV5+OqL3wHNMRA4kxNZo2m73MgUXlCpAGSZg=,tag:6JndAJnSveti0jxqyOAbuw==,type:str] + lastmodified: "2024-03-17T20:04:41Z" + mac: ENC[AES256_GCM,data:hXmwO+HJXophW/ddh1SVp85wELva1ieJeTUPRMjO0mxgiCJWlRNMAPwg6iPvwsuwgzJh3dVa4dHKKRsjDTNEQ7PTOaPYKZWxCdxXlaxPnm+0F8GeB1tnMEScHryJe6718AbuCmxOTPX1TwyJarISlHBaxCZ0D4d1aDGRvC3fiYY=,iv:IKwTuIoJJAADIYMqq4CF/t3Gz6OUxt8BtM6mmdSz9+Q=,tag:w7pG1IPlLO++4g0crobSOA==,type:str] pgp: - created_at: "2024-01-30T22:23:56Z" enc: |- diff --git a/overlays/default.nix b/overlays/default.nix index fbbc701f..f4c82ed6 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -7,6 +7,7 @@ overlays = [ inputs.deploy-rs.overlay inputs.arcexprs.overlays.default + (import ./samba.nix) (final: prev: { jemalloc = if final.hostPlatform != "aarch64-darwin" diff --git a/overlays/samba.nix b/overlays/samba.nix new file mode 100644 index 00000000..8c283f6b --- /dev/null +++ b/overlays/samba.nix 
@@ -0,0 +1,30 @@ +final: prev: let + inherit (final) lib; +in { + freeipa-ipasam = let + attrs = old: { + pname = "freeipa-ipasam"; + patches = old.patches or [ ] ++ [ + ../packages/freeipa-ipasam.patch + ]; + configureFlags = lib.filter (f: f != "--disable-server") old.configureFlags; + }; + overrides = { + samba = final.samba-ldap; + }; + in (final.freeipa.override overrides).overrideAttrs attrs; + + samba-ldap = final.samba.override { + enableLDAP = true; + }; + + samba-ipa = final.samba-ldap.overrideAttrs (old: { + buildInputs = old.buildInputs ++ [ + final.freeipa-ipasam + ]; + postInstall = '' + ${old.postInstall or ""} + cp -a ${final.freeipa-ipasam}/lib/samba/pdb/ipasam.so $out/lib/samba/pdb/ + ''; + }); +} diff --git a/packages/default.nix b/packages/default.nix index 3aa0a4eb..f0f5568c 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -32,6 +32,9 @@ jq ; inherit (inputs.deploy-rs.packages.${system}) deploy-rs; + + inherit (pkgs) freeipa-ipasam samba-ldap samba-ipa; + nf-deploy = pkgs.writeShellScriptBin "nf-deploy" '' ${exports} ${exportsSsh} @@ -56,6 +59,7 @@ INPUT_INFRA_PVE = reisen + "/bin/pve.sh"; INPUT_INFRA_MKPAM = reisen + "/bin/mkpam.sh"; INPUT_INFRA_CT_CONFIG = reisen + "/bin/ct-config.sh"; + INPUT_AUTHRPCGSS_OVERRIDES = reisen + "/net.auth-rpcgss-module.service.overrides"; }; inputVars = set.mapToValues (key: path: ''${key}="$(base64 -w0 < ${path})"'') inputAttrs; in diff --git a/packages/freeipa-ipasam.patch b/packages/freeipa-ipasam.patch new file mode 100644 index 00000000..37151834 --- /dev/null +++ b/packages/freeipa-ipasam.patch 
@@ -0,0 +1,28 @@ +diff --git a/Makefile.am b/Makefile.am +--- a/Makefile.am ++++ b/Makefile.am +@@ -3,8 +3,7 @@ NULL = + ACLOCAL_AMFLAGS = -I m4 + + if ENABLE_SERVER +- IPASERVER_SUBDIRS = ipaserver ipasphinx +- SERVER_SUBDIRS = daemons init install ++ SERVER_SUBDIRS = daemons + endif + + if WITH_IPATESTS +diff --git a/daemons/Makefile.am b/daemons/Makefile.am +--- a/daemons/Makefile.am ++++ b/daemons/Makefile.am +@@ -9,11 +9,7 @@ noinst_HEADERS = ipa-version.h.in + + SUBDIRS = \ + . \ +- dnssec \ +- ipa-kdb \ +- ipa-slapi-plugins \ + ipa-sam \ +- ipa-otpd \ + $(NULL) + + ipa-version.h: ipa-version.h.in $(top_builddir)/$(CONFIG_STATUS) diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix index 59baf6df..4b70f1c2 100644 --- a/systems/hakurei/nixos.nix +++ b/systems/hakurei/nixos.nix @@ -22,6 +22,7 @@ in { nixos.steam.account-switch nixos.steam.beatsaber nixos.tailscale + nixos.ipa nixos.cloudflared nixos.ddclient nixos.acme diff --git a/systems/hakurei/secrets.yaml b/systems/hakurei/secrets.yaml index 2387979c..8f3bf82c 100644 --- a/systems/hakurei/secrets.yaml +++ b/systems/hakurei/secrets.yaml 
@@ -2,6 +2,7 @@ tailscale-key: ENC[AES256_GCM,data:HmowloL0TsKM/XFI5GDd6Nl+9uSZcYevB6CObq1Eg5cvy cloudflared-tunnel-hakurei: ENC[AES256_GCM,data:Pwj8/8RSLrfylwl1Et6SHOJSMWxm+Kn1WpYgZhvWoUQ9GsiuRFf2j0mdu36zid9N+6QC3NK9yv6mMfIgvLJkjXhiYtMidZD4e6a4kQMVbbui+Ohj6wf92Jg5rRdassFHJZSCyZtbaeBXqOzzqF51QrEEWRFxfxt6cvwqZjvSMsbctjltwiD7CehhzQGvDdstZAsVhJC6c+GKDs5pFU3KPTTIHc6b1IzZFijgJZKtNNgKrc4Wqw0=,iv:i2YZq7WMuKiDEHMUJS3QD+SP68Rkpt2fS4X8pkv8s3I=,tag:+0RuoOBf9Vm6aJdCsDfvKg==,type:str] tf-proxmox-passwd: ENC[AES256_GCM,data:kLLFPr5jILsUt7yecUc1Eb1V9hXEUFBytT7ehcwLv7W9Vfar/BdMQasNecs8S1Ilt7uAjpiXIkNGr5hkktNanIegJw539B43Pnk=,iv:rOy27QkhMM7LrNgYoHgZCwoZHtzUzDrUnhroLSqbKSw=,tag:HkFBkiws/jlQmXP8SpcUYg==,type:str] tf-proxmox-identity: ENC[AES256_GCM,data:DxcMFL9FqeulnxRZZHn4ByuRBPSI3hrAntvtwONDFIJhm7G9X2YPij9K36Sl7pE9oTHu/BQCFQdypt4LJyLVIg2AuTJusf1UCR1YcECEPnjFkJybM2Ggiuo34rrJOZh3b9SzD64ks4fFgv9S5P1JuOW9LewjH75v0iAZHvskznak0QiVgPy24pnRQwpR7znkjrH5Hmx9UHZ4JDIw7y8rXWBl7/HOV8mAsZOWZVwuhtKt+se/CDlaG2AlVJJmCjpAi5bi0yfhXlWXfjSy6cyhVCgiv4Ua+V4F+JSyZHk+wMEmICROWzmUuu5ZT2iHkh1SS9AutH307JNF8muDVzdZUVxdpQQHEFCu+SNjhEdcgJdmSZ3O04glzPZTBTAl2PLFGKXMKq24bLtBQquoWw2wneu1/Gha6bIpMjxJFmmaLaAoL9OPDysBALsTJxpsH38g12sk3t2Lk2EYCluyp313CTmWDVj0O8DT//Daigvk2eFmc72WCTsY4bucof9mF4/mzDAdDZDKOx7EAYVJmYgRW8HJK/nv4MQEidqy,iv:dUUGP+HspbqutGpcGxrVn8071S+h8nobUlfgUuFz9io=,tag:HhgrC6699p36RFzpSwvf0Q==,type:str] +krb5-keytab: ENC[AES256_GCM,data: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,iv:210i0Kj0KVXIg8DTDlsJYyuxjAd1ASGvqGlHOhYLLNY=,tag:Eb42niH6t/Dpgw0scblmIg==,type:str] sops: shamir_threshold: 1 kms: [] 
@@ -18,8 +19,8 @@ sops: ZEpzdWJZWGdEaElLZUc1YW5ON0YrM2MKk/dZvaFVzfkMD3poreaDGfJwG5j5fL3L kuV/3fEHBf5HszR/VTy/bZ2+abN6x3UG5h0l+QaS9ux+mtwFCyYYjg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-26T20:09:45Z" - mac: ENC[AES256_GCM,data:jVC5XpyzRHHB03ijZlN711qE7D6n+YehrkyFZZ9JmRre+oR7H171Be+BYq3QZl5pp0VGlfFRPmGrBlh3nwxL1FYYIzDMWMmkJrce2pdYKgOwQxRqR5bbW6yH8zYbyD2f1gZ9DIo/UPlPvdWFsFHZOKNWo/gPeDeI1MZQCNmQpnY=,iv:vOoGpsG5FJt+leB7sblkvwyDNa+2TvUg1cqWAzMgRks=,tag:hbpdem+/E042g5IiQa+TFw==,type:str] + lastmodified: "2024-03-17T22:21:26Z" + mac: ENC[AES256_GCM,data:q0YqiY24G58KUk6UJ2kqjtERe9AcTSsb2MS3CP8zyPUVrYtP0V8MUyJ0z7ZfbeD0cXlY6UtVLBV+EwXyFCyR2enyP1FufAdR7jQLxDS219JPVipKfOGu12N3F7e91PK4Glh36bVoBNsXjbtWlQMiwZe7sV9e/rnRBe3gks6PCnU=,iv:A7i8+WKZwifRBTwrBnxMDHk6JtvqD7JVZA7TXShKJRM=,tag:dpJ/J/AUHXx4F98PuqEbjw==,type:str] pgp: - created_at: "2024-01-19T18:57:37Z" enc: |- diff --git a/systems/reimu/nixos.nix b/systems/reimu/nixos.nix index ca227936..8d88e388 100644 --- a/systems/reimu/nixos.nix +++ b/systems/reimu/nixos.nix @@ -9,6 +9,7 @@ nixos.steam.account-switch nixos.steam.beatsaber nixos.tailscale + nixos.ipa nixos.nfs ]; diff --git a/systems/reimu/secrets.yaml b/systems/reimu/secrets.yaml index 14d9a8d6..83ced021 100644 --- a/systems/reimu/secrets.yaml +++ b/systems/reimu/secrets.yaml @@ -1,4 +1,5 @@ tailscale-key: ENC[AES256_GCM,data:X1oDglyEjyFyeBgkV52IAcvS7krEeUfuJYhp/GN0cLH7She/RLdScbMcGBLwkDdtgoBkSK/HEjk=,iv:7eJg2IMVxZX7O3rzqeai3gjbAMLu3ScU49rrQPxnl0s=,tag:L2EgzeAvr4PLxaTBe9vObg==,type:str] +krb5-keytab: ENC[AES256_GCM,data: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,iv:xzjH/RaRSHx39TkQW3Ns7pLf6/ogeFHWqNvfkgOgsEA=,tag:IvmpHdZi04cdYFaXh3YTIg==,type:str] sops: shamir_threshold: 1 kms: [] 
@@ -15,8 +16,8 @@ sops: UERXZU1FaTNGU09mTm91M05MNitvQzgKhaWavZCVVMA+MqdX4LDsywN9ySSskH0X 2K+YRI34/3oY0Mv2s6OEIa+laYf2XRImSh6BN1F4b/AezQa1LCTTaw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-30T23:58:54Z" - mac: ENC[AES256_GCM,data:ih1RwcmiaD4yQnSoxo+uoJFZCEQp5xs1+O976EeLIUxkhcbpJ3//jhch591TyQbCf6IHBkjrmTbsQdEX6607n4KV6RLYW1822Fc34d76QdJMAJOxRD8oYpf9+iUN8VmfkO2PqPFvxub/iOmt38AkV+1cK+8LYaTXPT+yY6fJ2h4=,iv:Yb7MAsyH980A8hAifhzk+jtOoVsAapsH+mD1h7oWjKI=,tag:IcVWkobQWg2zwrXP7kRAyA==,type:str] + lastmodified: "2024-03-16T20:48:49Z" + mac: ENC[AES256_GCM,data:si2YKYqOtaNm1xOlcK698jeK5XWnRIFW6OTyUxv2TxlmgoqximGVl7a/dv/CePQSA1m7pPBZFCAMGV9lmMtMGMM9ipxlaFIkHDRHcBndriy+a9Cijdc/Q5OybYOh6FA+Jktqn7afuF8IrWETWK7wO1E3lg1QmNQrW04gzzwNXLU=,iv:rGNEBBuZIT4asB3JsEF0AImxjgpbhCNeRjIeB1RFpyk=,tag:eKwBpWNVXGmU63gAg+TQ3g==,type:str] pgp: - created_at: "2024-01-30T23:58:18Z" enc: |- diff --git a/systems/reisen/net.auth-rpcgss-module.service.overrides b/systems/reisen/net.auth-rpcgss-module.service.overrides new file mode 100644 index 00000000..f8d5faf8 --- /dev/null +++ b/systems/reisen/net.auth-rpcgss-module.service.overrides @@ -0,0 +1,2 @@ +[Unit] +ConditionPathExists= diff --git a/systems/reisen/setup.sh b/systems/reisen/setup.sh index b023ca9e..e469bbdf 100644 --- a/systems/reisen/setup.sh +++ b/systems/reisen/setup.sh @@ -157,3 +157,10 @@ mkshared plex 100193 100193 0755 mkshared postgresql 100071 100071 0750 mkshared unifi 100990 100990 0755 mkshared zigbee2mqtt 100317 100317 0700 + +ln -sf /lib/systemd/system/auth-rpcgss-module.service /etc/systemd/system/ +mkdir -p /etc/systemd/system/auth-rpcgss-module.service.d +ln -sf /etc/systemd/system/auth-rpcgss-module.service /etc/systemd/system/multi-user.target.wants/ +base64 -d > /etc/systemd/system/auth-rpcgss-module.service.d/overrides.conf <