feat(idp): ipa and krb5 hosts

2026-02-09 04:19:19 -08:00 · 2024-03-15 13:50:47 -07:00 · 2024-03-15 13:50:47 -07:00 · 1ed36b4f66
commit 1ed36b4f66
parent 81b20878f1
19 changed files with 327 additions and 83 deletions
--- a/nixos/samba.nix
+++ b/nixos/samba.nix
@ -1,12 +1,15 @@
 {
+  inputs,
  config,
  lib,
  ...
 }: let
-  inherit (lib.modules) mkIf mkDefault;
+  inherit (inputs.self.lib.lib) mkBaseDn;
+  inherit (lib.modules) mkIf mkMerge mkDefault;
  inherit (lib.lists) any;
-  inherit (lib.strings) hasInfix concatMapStringsSep splitString;
+  inherit (lib.strings) toUpper hasInfix;
  cfg = config.services.samba;
+  inherit (config.networking) domain;
  hasIpv4 = any (hasInfix ".") config.systemd.network.networks.eth0.address or [];
 in {
  services.samba = {
@ -15,8 +18,25 @@ in {
    enableNmbd = mkDefault hasIpv4;
    securityType = mkDefault "user";
    ldap = {
-      url = mkDefault "ldaps://ldap.local.${config.networking.domain}";
-      baseDn = mkDefault (concatMapStringsSep "," (part: "dc=${part}") (splitString "." config.networking.domain));
+      enable = mkDefault true;
+      url = mkDefault "ldaps://ldap.local.${domain}";
+      baseDn = mkDefault (mkBaseDn domain);
+      adminDn = mkDefault "uid=samba,cn=sysaccounts,cn=etc,${cfg.ldap.baseDn}";
+      adminPasswordPath = mkIf cfg.ldap.enable (
+        mkDefault config.sops.secrets.smb-ldap-password.path
+      );
+      passdb = {
+        # XXX: broken backend :<
+        #backend = mkIf config.security.ipa.enable (mkDefault "ipasam");
+      };
+      idmap = {
+        enable = mkIf config.services.sssd.enable (mkDefault false);
+        domain = mkDefault cfg.settings.workgroup;
+      };
+    };
+    kerberos = mkIf (config.security.krb5.enable || config.security.ipa.enable) {
+      enable = true;
+      realm = toUpper domain;
    };
    usershare = {
      group = mkDefault "peeps";
@ -25,8 +45,10 @@ in {
      enable = mkDefault true;
      user = mkDefault "guest";
    };
-    passdb.smbpasswd.path = mkDefault config.sops.secrets.smbpasswd.path;
-    settings = {
+    passdb.smbpasswd.path = mkIf (!cfg.ldap.enable || !cfg.ldap.passdb.enable) (
+      mkDefault config.sops.secrets.smbpasswd.path
+    );
+    settings = mkMerge [ {
      workgroup = "GENSOKYO";
      "local master" = false;
      "preferred master" = false;
@ -37,12 +59,22 @@ in {
      "remote announce" = mkIf hasIpv4 [
        "10.1.1.255/${cfg.settings.workgroup}"
      ];
-    };
-    idmap.domains = mkIf (!cfg.ldap.enable) {
-      nss = {
+    } (mkIf cfg.ldap.enable {
+      "ldapsam:trusted" = true;
+      "ldapsam:editposix" = false;
+      "ldap user suffix" = "cn=users,cn=accounts";
+      "ldap group suffix" = "cn=groups,cn=accounts";
+    }) ];
+    idmap.domains = {
+      nss = mkIf (!cfg.ldap.enable || !cfg.ldap.idmap.enable) {
        backend = "nss";
        domain = "*";
        range.min = 8000;
+        #range.max = 8256;
+      };
+      ldap = mkIf (cfg.ldap.enable && cfg.ldap.idmap.enable) {
+        range.min = 8000;
+        #range.min = 8256;
      };
    };
  };
@ -52,8 +84,13 @@ in {
    hostname = mkDefault config.networking.hostName;
  };

-  sops.secrets.smbpasswd = {
-    sopsFile = mkDefault ./secrets/samba.yaml;
-    #path = "/var/lib/samba/private/smbpasswd";
+  sops.secrets = {
+    smbpasswd = mkIf (!cfg.ldap.enable || !cfg.ldap.passdb.enable) {
+      sopsFile = mkDefault ./secrets/samba.yaml;
+      #path = "/var/lib/samba/private/smbpasswd";
+    };
+    smb-ldap-password = mkIf cfg.ldap.enable {
+      sopsFile = mkDefault ./secrets/samba.yaml;
+    };
  };
 }