mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-09 12:29:19 -08:00
feat(idp): ipa and krb5 hosts
This commit is contained in:
parent
81b20878f1
commit
1ed36b4f66
19 changed files with 327 additions and 83 deletions
@ -1,8 +1,10 @@
|
|||
{
|
||||
inputs,
|
||||
lib,
|
||||
config,
|
||||
...
|
||||
}: let
|
||||
inherit (inputs.self.lib.lib) mkBaseDn;
|
||||
inherit (lib) mkIf mkMerge mkBefore mkDefault mkOptionDefault mkEnableOption mkOption;
|
||||
inherit (lib.strings) splitString concatMapStringsSep;
|
||||
inherit (config.lib.access) mkSnakeOil;
|
||||
|
|
@ -46,7 +48,7 @@ in {
|
|||
};
|
||||
baseDn = mkOption {
|
||||
type = str;
|
||||
default = concatMapStringsSep "," (part: "dc=${part}") (splitString "." cfg.serverSettings.domain);
|
||||
default = mkBaseDn cfg.serverSettings.domain;
|
||||
};
|
||||
};
|
||||
};
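Review bot: `mkSnakeOil` is newly brought into scope from `config.lib.access` in the first hunk, but none of its uses fall inside the visible hunks; if, as the name suggests, it produces placeholder certificate or key material for the new IPA/krb5 hosts, the consuming site should carry a comment such as `# snake-oil placeholder for bootstrap/testing only — replace with real key material before exposing the service` so it is not mistaken for a provisioned secret. The `baseDn` default now delegates to `mkBaseDn`, defined outside this file, in place of the inline `dc=` split on `.`; it is worth confirming the helper preserves that behaviour and noting at the option that the domain is used verbatim with no RDN escaping. The enclosing `let` block and options attrset begin and end outside these hunks.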
|
||||
|
@ -5,7 +5,7 @@
|
|||
...
|
||||
}: let
|
||||
inherit (lib.options) mkOption mkEnableOption;
|
||||
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
|
||||
inherit (lib.modules) mkIf mkMerge mkBefore mkForce mkDefault mkOptionDefault;
|
||||
inherit (lib.attrsets) mapAttrs' mapAttrsToList nameValuePair;
|
||||
inherit (lib.strings) hasPrefix concatMapStringsSep;
|
||||
inherit (config.services) samba-wsdd;
|
||||
|
|
@ -25,9 +25,23 @@ in {
|
|||
in {
|
||||
ldap = {
|
||||
enable = mkEnableOption "LDAP";
|
||||
idmapDomain = mkOption {
|
||||
type = str;
|
||||
default = "*";
|
||||
passdb = {
|
||||
enable = mkEnableOption "LDAP authentication" // {
|
||||
default = true;
|
||||
};
|
||||
backend = mkOption {
|
||||
type = enum [ "ldapsam" "ipasam" ];
|
||||
default = "ldapsam";
|
||||
};
|
||||
};
|
||||
idmap = {
|
||||
enable = mkEnableOption "LDAP users" // {
|
||||
default = true;
|
||||
};
|
||||
domain = mkOption {
|
||||
type = str;
|
||||
default = "*";
|
||||
};
|
||||
};
|
||||
url = mkOption {
|
||||
type = str;
|
||||
|
|
@ -36,7 +50,7 @@ in {
|
|||
type = str;
|
||||
};
|
||||
adminDn = mkOption {
|
||||
type = str;
|
||||
type = nullOr str;
|
||||
default = "name=anonymous,${cfg.ldap.baseDn}";
|
||||
};
|
||||
adminPasswordPath = mkOption {
|
||||
|
|
@ -44,6 +58,16 @@ in {
|
|||
default = null;
|
||||
};
|
||||
};
|
||||
kerberos = {
|
||||
enable = mkEnableOption "krb5";
|
||||
realm = mkOption {
|
||||
type = str;
|
||||
};
|
||||
keytabPath = mkOption {
|
||||
type = nullOr path;
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
usershare = {
|
||||
enable = mkEnableOption "usershare";
|
||||
group = mkOption {
|
||||
|
|
@ -87,7 +111,7 @@ in {
|
|||
};
|
||||
max = mkOption {
|
||||
type = int;
|
||||
default = 10000;
|
||||
default = 65534;
|
||||
};
|
||||
};
|
||||
readOnly = mkOption {
|
||||
|
|
@ -130,53 +154,69 @@ in {
|
|||
|
||||
config = {
|
||||
services.samba = {
|
||||
package = mkIf cfg.ldap.enable (mkDefault (pkgs.samba.override {
|
||||
enableLDAP = true;
|
||||
}));
|
||||
package = mkIf cfg.ldap.enable (mkDefault (
|
||||
if cfg.ldap.passdb.enable && cfg.ldap.passdb.backend == "ipasam" then pkgs.samba-ipa else pkgs.samba-ldap
|
||||
));
|
||||
ldap = {
|
||||
adminPasswordPath = mkIf (hasPrefix "name=anonymous," cfg.ldap.adminDn) (mkDefault (
|
||||
adminPasswordPath = mkIf (cfg.ldap.adminDn != null && hasPrefix "name=anonymous," cfg.ldap.adminDn) (mkDefault (
|
||||
pkgs.writeText "smb-ldap-anonymous" "anonymous"
|
||||
));
|
||||
};
|
||||
idmap.domains = mkMerge [
|
||||
(mkIf cfg.ldap.enable {
|
||||
(mkIf (cfg.ldap.enable && cfg.ldap.idmap.enable) {
|
||||
ldap = {
|
||||
domain = mkDefault cfg.ldap.idmapDomain;
|
||||
backend = mkOptionDefault "ldap";
|
||||
domain = mkDefault cfg.ldap.idmap.domain;
|
||||
settings = {
|
||||
ldap_url = mkOptionDefault cfg.ldap.url;
|
||||
};
|
||||
};
|
||||
})
|
||||
];
|
||||
settings = mkMerge ([
|
||||
{
|
||||
"use sendfile" = mkOptionDefault true;
|
||||
}
|
||||
(mkIf (cfg.passdb.smbpasswd.path != null) {
|
||||
"passdb backend" = mkOptionDefault "smbpasswd:${cfg.passdb.smbpasswd.path}";
|
||||
})
|
||||
(mkIf cfg.ldap.enable {
|
||||
"passdb backend" = mkOptionDefault ''ldapsam:"${cfg.ldap.url}"'';
|
||||
"ldap ssl" = mkIf (hasPrefix "ldaps://" cfg.ldap.url) (mkOptionDefault "off");
|
||||
"ldap admin dn" = mkOptionDefault "name=anonymous,${cfg.ldap.baseDn}";
|
||||
"ldap suffix" = mkOptionDefault cfg.ldap.baseDn;
|
||||
})
|
||||
(mkIf (cfg.ldap.enable && true) {
|
||||
"ntlm auth" = mkOptionDefault "disabled";
|
||||
"encrypt passwords" = mkOptionDefault false;
|
||||
})
|
||||
(mkIf cfg.usershare.enable {
|
||||
"usershare allow guests" = mkOptionDefault true;
|
||||
"usershare max shares" = mkOptionDefault 16;
|
||||
"usershare owner only" = mkOptionDefault true;
|
||||
"usershare template share" = mkOptionDefault cfg.usershare.templateShare;
|
||||
"usershare path" = mkOptionDefault cfg.usershare.path;
|
||||
"usershare prefix allow list" = mkOptionDefault [cfg.usershare.path];
|
||||
})
|
||||
(mkIf cfg.guest.enable {
|
||||
"map to guest" = mkOptionDefault "Bad User";
|
||||
"guest account" = mkOptionDefault cfg.guest.user;
|
||||
})
|
||||
{
|
||||
"use sendfile" = mkOptionDefault true;
|
||||
}
|
||||
(mkIf (cfg.passdb.smbpasswd.path != null) {
|
||||
"passdb backend" = mkOptionDefault "smbpasswd:${cfg.passdb.smbpasswd.path}";
|
||||
})
|
||||
(mkIf cfg.ldap.enable {
|
||||
"ldap ssl" = mkIf (hasPrefix "ldaps://" cfg.ldap.url) (mkOptionDefault "off");
|
||||
"ldap admin dn" = mkIf (cfg.ldap.adminDn != null) (mkOptionDefault cfg.ldap.adminDn);
|
||||
"ldap suffix" = mkOptionDefault cfg.ldap.baseDn;
|
||||
})
|
||||
(mkIf cfg.kerberos.enable {
|
||||
"realm" = mkOptionDefault cfg.kerberos.realm;
|
||||
"kerberos method" = mkOptionDefault (
|
||||
if cfg.kerberos.keytabPath != null then "dedicated keytab"
|
||||
else "system keytab"
|
||||
);
|
||||
"dedicated keytab file" = mkIf (cfg.kerberos.keytabPath != null) (mkOptionDefault
|
||||
"FILE:${cfg.kerberos.keytabPath}"
|
||||
);
|
||||
"create krb5 conf" = mkOptionDefault false;
|
||||
})
|
||||
(mkIf cfg.usershare.enable {
|
||||
"usershare allow guests" = mkOptionDefault true;
|
||||
"usershare max shares" = mkOptionDefault 16;
|
||||
"usershare owner only" = mkOptionDefault true;
|
||||
"usershare template share" = mkOptionDefault cfg.usershare.templateShare;
|
||||
"usershare path" = mkOptionDefault cfg.usershare.path;
|
||||
"usershare prefix allow list" = mkOptionDefault [ cfg.usershare.path ];
|
||||
})
|
||||
(mkIf cfg.guest.enable {
|
||||
"map to guest" = mkOptionDefault "Bad User";
|
||||
"guest account" = mkOptionDefault cfg.guest.user;
|
||||
})
|
||||
] ++ mapAttrsToList (_: idmap: mapAttrs' (key: value: nameValuePair "idmap config ${idmap.domain} : ${key}" (mkOptionDefault value)) idmap.settings) cfg.idmap.domains);
|
||||
extraConfig = mkMerge (
|
||||
mapAttrsToList (key: value: ''${key} = ${settingValue value}'') cfg.settings
|
||||
++ [
|
||||
(mkIf (cfg.ldap.enable && cfg.ldap.passdb.enable) (mkBefore ''
|
||||
passdb backend = ${cfg.ldap.passdb.backend}:"${cfg.ldap.url}"
|
||||
''))
|
||||
]
|
||||
++ mapAttrsToList (_: idmap: mapAttrs' (key: value: nameValuePair "idmap config ${idmap.domain} : ${key}" (mkOptionDefault value)) idmap.settings) cfg.idmap.domains);
|
||||
extraConfig = mkMerge (mapAttrsToList (key: value: ''${key} = ${settingValue value}'') cfg.settings);
|
||||
);
|
||||
shares.${cfg.usershare.templateShare} = mkIf cfg.usershare.enable {
|
||||
"-valid" = false;
|
||||
};
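Review bot: The new `"dedicated keytab file"` entry interpolates `cfg.kerberos.keytabPath`, declared as `nullOr path`, directly into `"FILE:${cfg.kerberos.keytabPath}"`; if a user sets the option as a path literal (e.g. `keytabPath = /etc/krb5.keytab;`) rather than a string, Nix string interpolation copies the keytab into the world-readable Nix store at evaluation time. `"FILE:${toString cfg.kerberos.keytabPath}"` (or declaring the option as `nullOr str`) keeps it a plain filesystem reference. Separately, the `passdb backend = ${cfg.ldap.passdb.backend}:"${cfg.ldap.url}"` line emitted through `mkBefore` into `extraConfig` is not mutually exclusive with the `smbpasswd:${cfg.passdb.smbpasswd.path}` entry still produced from `settings`; as far as I recall smb.conf honours the last definition of a parameter, so the smbpasswd backend would silently override ldapsam/ipasam, and an assertion or a `mkIf (cfg.passdb.smbpasswd.path == null)` guard on one of the two would make the conflict explicit. The enclosing `config` attrset continues past the end of this hunk.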
|
||||