feat(idp): ipa and krb5 hosts

This commit is contained in:
arcnmx 2024-03-15 13:50:47 -07:00
parent 81b20878f1
commit 1ed36b4f66
19 changed files with 327 additions and 83 deletions


@ -1,8 +1,10 @@
{ {
inputs,
lib, lib,
config, config,
... ...
}: let }: let
inherit (inputs.self.lib.lib) mkBaseDn;
inherit (lib) mkIf mkMerge mkBefore mkDefault mkOptionDefault mkEnableOption mkOption; inherit (lib) mkIf mkMerge mkBefore mkDefault mkOptionDefault mkEnableOption mkOption;
inherit (lib.strings) splitString concatMapStringsSep; inherit (lib.strings) splitString concatMapStringsSep;
inherit (config.lib.access) mkSnakeOil; inherit (config.lib.access) mkSnakeOil;
@ -46,7 +48,7 @@ in {
}; };
baseDn = mkOption { baseDn = mkOption {
type = str; type = str;
default = concatMapStringsSep "," (part: "dc=${part}") (splitString "." cfg.serverSettings.domain); default = mkBaseDn cfg.serverSettings.domain;
}; };
}; };
}; };


@ -5,7 +5,7 @@
... ...
}: let }: let
inherit (lib.options) mkOption mkEnableOption; inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault; inherit (lib.modules) mkIf mkMerge mkBefore mkForce mkDefault mkOptionDefault;
inherit (lib.attrsets) mapAttrs' mapAttrsToList nameValuePair; inherit (lib.attrsets) mapAttrs' mapAttrsToList nameValuePair;
inherit (lib.strings) hasPrefix concatMapStringsSep; inherit (lib.strings) hasPrefix concatMapStringsSep;
inherit (config.services) samba-wsdd; inherit (config.services) samba-wsdd;
@ -25,10 +25,24 @@ in {
in { in {
ldap = { ldap = {
enable = mkEnableOption "LDAP"; enable = mkEnableOption "LDAP";
idmapDomain = mkOption { passdb = {
enable = mkEnableOption "LDAP authentication" // {
default = true;
};
backend = mkOption {
type = enum [ "ldapsam" "ipasam" ];
default = "ldapsam";
};
};
idmap = {
enable = mkEnableOption "LDAP users" // {
default = true;
};
domain = mkOption {
type = str; type = str;
default = "*"; default = "*";
}; };
};
url = mkOption { url = mkOption {
type = str; type = str;
}; };
@ -36,7 +50,7 @@ in {
type = str; type = str;
}; };
adminDn = mkOption { adminDn = mkOption {
type = str; type = nullOr str;
default = "name=anonymous,${cfg.ldap.baseDn}"; default = "name=anonymous,${cfg.ldap.baseDn}";
}; };
adminPasswordPath = mkOption { adminPasswordPath = mkOption {
@ -44,6 +58,16 @@ in {
default = null; default = null;
}; };
}; };
kerberos = {
enable = mkEnableOption "krb5";
realm = mkOption {
type = str;
};
keytabPath = mkOption {
type = nullOr path;
default = null;
};
};
usershare = { usershare = {
enable = mkEnableOption "usershare"; enable = mkEnableOption "usershare";
group = mkOption { group = mkOption {
@ -87,7 +111,7 @@ in {
}; };
max = mkOption { max = mkOption {
type = int; type = int;
default = 10000; default = 65534;
}; };
}; };
readOnly = mkOption { readOnly = mkOption {
@ -130,18 +154,22 @@ in {
config = { config = {
services.samba = { services.samba = {
package = mkIf cfg.ldap.enable (mkDefault (pkgs.samba.override { package = mkIf cfg.ldap.enable (mkDefault (
enableLDAP = true; if cfg.ldap.passdb.enable && cfg.ldap.passdb.backend == "ipasam" then pkgs.samba-ipa else pkgs.samba-ldap
})); ));
ldap = { ldap = {
adminPasswordPath = mkIf (hasPrefix "name=anonymous," cfg.ldap.adminDn) (mkDefault ( adminPasswordPath = mkIf (cfg.ldap.adminDn != null && hasPrefix "name=anonymous," cfg.ldap.adminDn) (mkDefault (
pkgs.writeText "smb-ldap-anonymous" "anonymous" pkgs.writeText "smb-ldap-anonymous" "anonymous"
)); ));
}; };
idmap.domains = mkMerge [ idmap.domains = mkMerge [
(mkIf cfg.ldap.enable { (mkIf (cfg.ldap.enable && cfg.ldap.idmap.enable) {
ldap = { ldap = {
domain = mkDefault cfg.ldap.idmapDomain; backend = mkOptionDefault "ldap";
domain = mkDefault cfg.ldap.idmap.domain;
settings = {
ldap_url = mkOptionDefault cfg.ldap.url;
};
}; };
}) })
]; ];
@ -153,14 +181,20 @@ in {
"passdb backend" = mkOptionDefault "smbpasswd:${cfg.passdb.smbpasswd.path}"; "passdb backend" = mkOptionDefault "smbpasswd:${cfg.passdb.smbpasswd.path}";
}) })
(mkIf cfg.ldap.enable { (mkIf cfg.ldap.enable {
"passdb backend" = mkOptionDefault ''ldapsam:"${cfg.ldap.url}"'';
"ldap ssl" = mkIf (hasPrefix "ldaps://" cfg.ldap.url) (mkOptionDefault "off"); "ldap ssl" = mkIf (hasPrefix "ldaps://" cfg.ldap.url) (mkOptionDefault "off");
"ldap admin dn" = mkOptionDefault "name=anonymous,${cfg.ldap.baseDn}"; "ldap admin dn" = mkIf (cfg.ldap.adminDn != null) (mkOptionDefault cfg.ldap.adminDn);
"ldap suffix" = mkOptionDefault cfg.ldap.baseDn; "ldap suffix" = mkOptionDefault cfg.ldap.baseDn;
}) })
(mkIf (cfg.ldap.enable && true) { (mkIf cfg.kerberos.enable {
"ntlm auth" = mkOptionDefault "disabled"; "realm" = mkOptionDefault cfg.kerberos.realm;
"encrypt passwords" = mkOptionDefault false; "kerberos method" = mkOptionDefault (
if cfg.kerberos.keytabPath != null then "dedicated keytab"
else "system keytab"
);
"dedicated keytab file" = mkIf (cfg.kerberos.keytabPath != null) (mkOptionDefault
"FILE:${cfg.kerberos.keytabPath}"
);
"create krb5 conf" = mkOptionDefault false;
}) })
(mkIf cfg.usershare.enable { (mkIf cfg.usershare.enable {
"usershare allow guests" = mkOptionDefault true; "usershare allow guests" = mkOptionDefault true;
@ -174,9 +208,15 @@ in {
"map to guest" = mkOptionDefault "Bad User"; "map to guest" = mkOptionDefault "Bad User";
"guest account" = mkOptionDefault cfg.guest.user; "guest account" = mkOptionDefault cfg.guest.user;
}) })
] ++ mapAttrsToList (_: idmap: mapAttrs' (key: value: nameValuePair "idmap config ${idmap.domain} : ${key}" (mkOptionDefault value)) idmap.settings) cfg.idmap.domains);
extraConfig = mkMerge (
mapAttrsToList (key: value: ''${key} = ${settingValue value}'') cfg.settings
++ [
(mkIf (cfg.ldap.enable && cfg.ldap.passdb.enable) (mkBefore ''
passdb backend = ${cfg.ldap.passdb.backend}:"${cfg.ldap.url}"
''))
] ]
++ mapAttrsToList (_: idmap: mapAttrs' (key: value: nameValuePair "idmap config ${idmap.domain} : ${key}" (mkOptionDefault value)) idmap.settings) cfg.idmap.domains); );
extraConfig = mkMerge (mapAttrsToList (key: value: ''${key} = ${settingValue value}'') cfg.settings);
shares.${cfg.usershare.templateShare} = mkIf cfg.usershare.enable { shares.${cfg.usershare.templateShare} = mkIf cfg.usershare.enable {
"-valid" = false; "-valid" = false;
}; };
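Review bot: `keytabPath` is declared as `nullOr path` (hunk at `@ -44,6 +58,16`) and interpolated into `"FILE:${cfg.kerberos.keytabPath}"` in the `"dedicated keytab file"` setting; if a caller ever passes a Nix path literal rather than a runtime string such as a sops secret path, the keytab is copied into the world-readable store. Consider `type = nullOr str;` or a comment on the option such as `# must be a runtime path (e.g. a sops secret), never a store path`. Separately, the replaced `(mkIf (cfg.ldap.enable && true) { ... })` block used to set `"ntlm auth" = mkOptionDefault "disabled"` whenever LDAP was enabled; the new kerberos block no longer does, so NTLM falls back to Samba's default unless set elsewhere, which seems worth a note if intentional. The `passdb backend` line is now emitted through `extraConfig` with `mkBefore` instead of `settings`; a short comment explaining why (presumably quoting of the URL) would save the next reader a detour.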


@ -2,6 +2,7 @@
nixpkgs = { nixpkgs = {
overlays = [ overlays = [
inputs.arcexprs.overlays.default inputs.arcexprs.overlays.default
(import ../../overlays/samba.nix)
]; ];
config = { config = {
allowUnfree = true; allowUnfree = true;

nixos/ipa.nix Normal file

@ -0,0 +1,51 @@
{ inputs, pkgs, config, lib, ... }: let
inherit (inputs.self.lib.lib) mkBaseDn;
inherit (lib.modules) mkIf mkForce mkDefault;
inherit (lib.strings) toUpper splitString concatMapStringsSep;
inherit (config.networking) domain;
cfg = config.security.ipa;
baseDn = mkBaseDn domain;
caPem = pkgs.fetchurl {
name = "idp.${domain}.ca.pem";
url = "https://freeipa.${domain}/ipa/config/ca.crt";
sha256 = "sha256-PKjnjn1jIq9x4BX8+WGkZfj4HQtmnHqmFSALqggo91o=";
};
in {
# NOTE: requires manual post-install setup...
# :; kinit admin
# :; ipa-join --hostname=${config.networking.fqdn} -k /tmp/krb5.keytab -s idp.${domain}
# then to authorize it for a specific service...
# :; ipa-getkeytab -k /tmp/krb5.keytab -s idp.${domain} -p ${serviceName}/idp.${domain}@${toUpper domain}
# once the sops secret has been updated with keytab...
# :; systemctl restart sssd
config = {
security.ipa = {
enable = mkDefault true;
certificate = mkDefault caPem;
basedn = mkDefault baseDn;
chromiumSupport = mkDefault false;
domain = mkDefault domain;
realm = mkDefault (toUpper domain);
server = mkDefault "idp.${domain}";
ifpAllowedUids = [
"root"
] ++ config.users.groups.wheel.members;
dyndns.enable = mkDefault false;
};
networking.extraHosts = mkIf cfg.enable ''
10.1.1.46 idp.${domain}
'';
systemd.services.auth-rpcgss-module = mkIf (cfg.enable && !config.boot.modprobeConfig.enable) {
serviceConfig.ExecStart = mkForce [
""
"${pkgs.coreutils}/bin/true"
];
};
sops.secrets = {
krb5-keytab = mkIf cfg.enable {
mode = "0400";
path = "/etc/krb5.keytab";
};
};
};
}
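Review bot: The documented enrolment procedure writes the host keytab to `/tmp/krb5.keytab` (`ipa-join ... -k /tmp/krb5.keytab` and the `ipa-getkeytab` line), a shared, predictable location; since that file is the host's long-term credential, the note should direct it to a private directory with restrictive permissions (e.g. `install -d -m 0700 ...` first) and say to remove it once it is in the sops secret. Also worth stating in the comment that `ipa-getkeytab` generates a new key for the principal, so any existing keytab for it stops working unless retrieve mode is used. The principal on the `ipa-getkeytab` line is `${serviceName}/idp.${domain}@...`, i.e. the IdP server's own name; if this is meant to be a service principal for this host, `${config.networking.fqdn}` is presumably intended, as on the `ipa-join` line. The `10.1.1.46 idp.${domain}` entry in `networking.extraHosts` duplicates the hostname already given by `server`; a comment saying why static resolution is needed here would help.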


@ -9,15 +9,40 @@
inherit (config) kyuuto; inherit (config) kyuuto;
in { in {
services.nfs.server.exports = let services.nfs.server.exports = let
mapPerm = perm: map (addr: "${addr}(${perm})"); mapPerm = perm: map (addr: "${addr}(${concatStringsSep "," perm})");
toPerms = concatStringsSep " "; toPerms = concatStringsSep " ";
localAddrs = cidrForNetwork.loopback.all ++ cidrForNetwork.local.all; localAddrs = cidrForNetwork.loopback.all ++ cidrForNetwork.local.all;
tailAddrs = optionals config.services.tailscale.enable cidrForNetwork.tail.all; tailAddrs = optionals config.services.tailscale.enable cidrForNetwork.tail.all;
allAddrs = localAddrs ++ tailAddrs; allAddrs = localAddrs ++ tailAddrs;
globalAddrs = [
"@peeps"
];
common = [
"no_subtree_check"
];
sec = [
"sec=${concatStringsSep ":" [ "krb5i" "krb5" "krb5p" ]}"
# TODO: no_root_squash..?
];
anon = [
"sec=sys"
"all_squash"
"anonuid=${toString config.users.users.guest.uid}"
"anongid=${toString config.users.groups.${config.users.users.guest.group}.gid}"
];
# TODO: this can be simplified by specifying `sec=` multiple times, with restrictive options following sec=sys,all_squash,ro,etc
kyuutoOpts = common;
kyuutoPerms = kyuutoPerms =
mapPerm "ro" localAddrs mapPerm (kyuutoOpts ++ [ "rw" ] ++ sec) globalAddrs
++ mapPerm "rw" tailAddrs; ++ mapPerm (kyuutoOpts ++ [ "ro" ] ++ anon) localAddrs
transferPerms = mapPerm "rw" allAddrs; # XXX: remove me once kerberos is set up!
++ mapPerm (kyuutoOpts ++ [ "rw" "sec=sys" ]) tailAddrs
;
transferOpts = common ++ [ "rw" "async" ];
transferPerms =
mapPerm (transferOpts ++ sec) globalAddrs
++ mapPerm (transferOpts ++ anon) allAddrs
;
in '' in ''
${kyuuto.mountDir} ${toPerms kyuutoPerms} ${kyuuto.mountDir} ${toPerms kyuutoPerms}
${kyuuto.transferDir} ${toPerms transferPerms} ${kyuuto.transferDir} ${toPerms transferPerms}
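Review bot: The `kyuutoPerms` export to `tailAddrs` is `rw` with `sec=sys` and no squash option beyond the default root squash, so write access on that path rests entirely on client-asserted UIDs; the `XXX` comment acknowledges it, but until kerberos is in place `all_squash` (as in the `anon` list) or `ro` would limit the exposure with a one-token change. In the `sec` list the flavor order is `krb5i:krb5:krb5p`; per exports(5) the order expresses negotiation preference, so a client offering all three lands on `krb5i` and plain `krb5` (authentication only, no integrity) is preferred over `krb5p`, which may or may not be intended. Note also that with the current structure the options in `common`/`sec`/`anon` are not scoped per `sec=` flavor, as the `TODO` on `kyuutoOpts` already says; a one-line comment on the `sec` list stating the intended preference would make the choice explicit.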


@ -38,6 +38,7 @@ in {
settings = mkIf cfg.enable { settings = mkIf cfg.enable {
"ntlm auth" = mkDefault "ntlmv1-permitted"; "ntlm auth" = mkDefault "ntlmv1-permitted";
"server min protocol" = mkDefault "NT1"; "server min protocol" = mkDefault "NT1";
"keepalive" = mkDefault 0;
}; };
shares.opl = let shares.opl = let
inherit (config.networking.access) cidrForNetwork; inherit (config.networking.access) cidrForNetwork;
@ -57,7 +58,6 @@ in {
"@kyuuto-peeps" "@kyuuto-peeps"
]; ];
"strict sync" = false; "strict sync" = false;
"keepalive" = 0;
"hosts allow" = localAddrs; "hosts allow" = localAddrs;
}; };
}; };


@ -1,13 +1,15 @@
{ {
inputs,
config, config,
lib, lib,
access,
... ...
}: let }: let
inherit (lib.modules) mkIf mkDefault; inherit (inputs.self.lib.lib) mkBaseDn;
inherit (lib.modules) mkIf mkForce mkDefault;
inherit (lib.lists) optional; inherit (lib.lists) optional;
inherit (lib.strings) concatStringsSep concatMapStringsSep splitString; inherit (lib.strings) toUpper concatStringsSep concatMapStringsSep splitString;
cfg = config.services.nfs; cfg = config.services.nfs;
inherit (config.networking) domain;
openPorts = [ openPorts = [
(mkIf cfg.server.enable 2049) (mkIf cfg.server.enable 2049)
(mkIf config.services.rpcbind.enable 111) (mkIf config.services.rpcbind.enable 111)
@ -16,8 +18,7 @@
(mkIf (cfg.server.mountdPort != null) cfg.server.mountdPort) (mkIf (cfg.server.mountdPort != null) cfg.server.mountdPort)
]; ];
enableLdap = false; enableLdap = false;
system = access.nixosFor "tei"; baseDn = mkBaseDn domain;
inherit (system.services) kanidm;
in { in {
services.nfs = { services.nfs = {
server = { server = {
@ -27,25 +28,35 @@ in {
mountdPort = mkDefault 4002; mountdPort = mkDefault 4002;
}; };
idmapd.settings = { idmapd.settings = {
General.Domain = mkDefault config.networking.domain; General = {
Translation.GSS-Methods = concatStringsSep "," ( Domain = mkForce domain;
Local-Realms = concatStringsSep "," [
(toUpper domain)
#(toString config.networking.fqdn)
];
};
Translation.Method = mkForce (concatStringsSep "," (
[ "static" ] [ "static" ]
++ optional enableLdap "umich_ldap" ++ optional enableLdap "umich_ldap"
++ [ "nsswitch" ] ++ [ "nsswitch" ]
); ));
Static = { Static = {
}; };
UMICH_SCHEMA = mkIf enableLdap { UMICH_SCHEMA = mkIf enableLdap {
LDAP_server = "ldap.local.${config.networking.domain}"; LDAP_server = "ldap.local.${domain}";
LDAP_use_ssl = true; LDAP_use_ssl = true;
LDAP_ca_cert = "/etc/ssl/certs/ca-bundle.crt"; LDAP_ca_cert = "/etc/ssl/certs/ca-bundle.crt";
LDAP_base = kanidm.server.ldap.baseDn; LDAP_base = baseDn;
NFSv4_person_objectclass = "account"; LDAP_people_base = "cn=users,cn=accounts,${baseDn}";
NFSv4_group_objectclass = "group"; LDAP_group_base = "cn=groups,cn=accounts,${baseDn}";
NFSv4_name_attr = "name"; GSS_principal_attr = "krbPrincipalName";
NFSv4_group_attr = "name"; NFSv4_person_objectclass = "posixaccount"; # or "person"?
NFSv4_group_objectclass = "posixgroup";
NFSv4_name_attr = "krbCanonicalName"; # uid? cn? gecos?
NFSv4_group_attr = "cn";
NFSv4_uid_attr = "gidnumber"; NFSv4_uid_attr = "gidnumber";
NFSv4_gid_attr = "gidnumber"; NFSv4_gid_attr = "uidnumber";
#LDAP_use_memberof_for_groups = true;
LDAP_canonicalize_name = false; LDAP_canonicalize_name = false;
}; };
}; };
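Review bot: In the `UMICH_SCHEMA` block the new side reads `NFSv4_uid_attr = "gidnumber"` (retained) and `NFSv4_gid_attr = "uidnumber"` (changed), which looks swapped; unless the IPA schema genuinely requires this, it should be `NFSv4_uid_attr = "uidnumber"; NFSv4_gid_attr = "gidnumber";`. This is inert today because `enableLdap = false` in the same file, so it will only bite once that flag is flipped, at which point the open questions left in the `NFSv4_person_objectclass` and `NFSv4_name_attr` comments also need settling. `LDAP_ca_cert` still points at the system bundle; the IPA CA presumably has to be present there for `LDAP_use_ssl = true` to verify the server, which is worth a comment next to that line.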


@ -1,12 +1,15 @@
{ {
inputs,
config, config,
lib, lib,
... ...
}: let }: let
inherit (lib.modules) mkIf mkDefault; inherit (inputs.self.lib.lib) mkBaseDn;
inherit (lib.modules) mkIf mkMerge mkDefault;
inherit (lib.lists) any; inherit (lib.lists) any;
inherit (lib.strings) hasInfix concatMapStringsSep splitString; inherit (lib.strings) toUpper hasInfix;
cfg = config.services.samba; cfg = config.services.samba;
inherit (config.networking) domain;
hasIpv4 = any (hasInfix ".") config.systemd.network.networks.eth0.address or []; hasIpv4 = any (hasInfix ".") config.systemd.network.networks.eth0.address or [];
in { in {
services.samba = { services.samba = {
@ -15,8 +18,25 @@ in {
enableNmbd = mkDefault hasIpv4; enableNmbd = mkDefault hasIpv4;
securityType = mkDefault "user"; securityType = mkDefault "user";
ldap = { ldap = {
url = mkDefault "ldaps://ldap.local.${config.networking.domain}"; enable = mkDefault true;
baseDn = mkDefault (concatMapStringsSep "," (part: "dc=${part}") (splitString "." config.networking.domain)); url = mkDefault "ldaps://ldap.local.${domain}";
baseDn = mkDefault (mkBaseDn domain);
adminDn = mkDefault "uid=samba,cn=sysaccounts,cn=etc,${cfg.ldap.baseDn}";
adminPasswordPath = mkIf cfg.ldap.enable (
mkDefault config.sops.secrets.smb-ldap-password.path
);
passdb = {
# XXX: broken backend :<
#backend = mkIf config.security.ipa.enable (mkDefault "ipasam");
};
idmap = {
enable = mkIf config.services.sssd.enable (mkDefault false);
domain = mkDefault cfg.settings.workgroup;
};
};
kerberos = mkIf (config.security.krb5.enable || config.security.ipa.enable) {
enable = true;
realm = toUpper domain;
}; };
usershare = { usershare = {
group = mkDefault "peeps"; group = mkDefault "peeps";
@ -25,8 +45,10 @@ in {
enable = mkDefault true; enable = mkDefault true;
user = mkDefault "guest"; user = mkDefault "guest";
}; };
passdb.smbpasswd.path = mkDefault config.sops.secrets.smbpasswd.path; passdb.smbpasswd.path = mkIf (!cfg.ldap.enable || !cfg.ldap.passdb.enable) (
settings = { mkDefault config.sops.secrets.smbpasswd.path
);
settings = mkMerge [ {
workgroup = "GENSOKYO"; workgroup = "GENSOKYO";
"local master" = false; "local master" = false;
"preferred master" = false; "preferred master" = false;
@ -37,12 +59,22 @@ in {
"remote announce" = mkIf hasIpv4 [ "remote announce" = mkIf hasIpv4 [
"10.1.1.255/${cfg.settings.workgroup}" "10.1.1.255/${cfg.settings.workgroup}"
]; ];
}; } (mkIf cfg.ldap.enable {
idmap.domains = mkIf (!cfg.ldap.enable) { "ldapsam:trusted" = true;
nss = { "ldapsam:editposix" = false;
"ldap user suffix" = "cn=users,cn=accounts";
"ldap group suffix" = "cn=groups,cn=accounts";
}) ];
idmap.domains = {
nss = mkIf (!cfg.ldap.enable || !cfg.ldap.idmap.enable) {
backend = "nss"; backend = "nss";
domain = "*"; domain = "*";
range.min = 8000; range.min = 8000;
#range.max = 8256;
};
ldap = mkIf (cfg.ldap.enable && cfg.ldap.idmap.enable) {
range.min = 8000;
#range.min = 8256;
}; };
}; };
}; };
@ -52,8 +84,13 @@ in {
hostname = mkDefault config.networking.hostName; hostname = mkDefault config.networking.hostName;
}; };
sops.secrets.smbpasswd = { sops.secrets = {
smbpasswd = mkIf (!cfg.ldap.enable || !cfg.ldap.passdb.enable) {
sopsFile = mkDefault ./secrets/samba.yaml; sopsFile = mkDefault ./secrets/samba.yaml;
#path = "/var/lib/samba/private/smbpasswd"; #path = "/var/lib/samba/private/smbpasswd";
}; };
smb-ldap-password = mkIf cfg.ldap.enable {
sopsFile = mkDefault ./secrets/samba.yaml;
};
};
} }
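Review bot: In the `idmap.domains.ldap` block the commented line `#range.min = 8256;` repeats the key set just above it; by analogy with the `nss` block's `#range.max = 8256;` this presumably meant `range.max`, so the comment should be corrected or dropped before someone uncomments it and silently overrides the minimum. The `passdb.backend = "ipasam"` line is commented out as broken, which leaves the `samba-ipa` package selection added to the module unreachable from this host; a short comment pointing at what is broken (or a tracking reference) would keep that dead path from being mistaken for a working one. Both `smbpasswd` and `smb-ldap-password` now come from the same `./secrets/samba.yaml`, which is fine, but note that with `ldap.enable` defaulting to true the `smbpasswd` secret is no longer deployed at all.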


@ -1,4 +1,5 @@
smbpasswd: ENC[AES256_GCM,data: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,iv:Ciw/zsXUiITP9vZJgvb9hDRgPZ1jSFISK+8Dqb2DeOs=,tag:Hn/k1t7AmM60tc6fOjj35w==,type:str] smbpasswd: ENC[AES256_GCM,data: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,iv:Ciw/zsXUiITP9vZJgvb9hDRgPZ1jSFISK+8Dqb2DeOs=,tag:Hn/k1t7AmM60tc6fOjj35w==,type:str]
smb-ldap-password: ENC[AES256_GCM,data:ny+9oyh7MwRWXkq175vJ9IKWP6tyWAqjNHqlSiYNnYY=,iv:7BAZ05CgR0FZGc6xP/RfeVtK0vh+1PtJnk25wdXNchk=,tag:OmBHpUwgVQtyfRv9wASQYg==,type:str]
sops: sops:
shamir_threshold: 1 shamir_threshold: 1
kms: [] kms: []
@ -42,8 +43,8 @@ sops:
VitlT3d6d1FOSzFKTFRIWDU3cmJ2aXMKDN7HPa6pQSZd21cLvfk+sYvLqZm9eN+7 VitlT3d6d1FOSzFKTFRIWDU3cmJ2aXMKDN7HPa6pQSZd21cLvfk+sYvLqZm9eN+7
K1v7M9MXLY+nh1YGGbtDbWHh09p8g37tS1OwgGAiETh+z7hWsGHYdw== K1v7M9MXLY+nh1YGGbtDbWHh09p8g37tS1OwgGAiETh+z7hWsGHYdw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-28T21:51:11Z" lastmodified: "2024-03-17T20:04:41Z"
mac: ENC[AES256_GCM,data:nHX08Itwgn4HI98tzq08VOwVG+bZGlBYMUe19SEECo9dRpH9P5eApV1ho8RknPHrTv6m3PBvapaIsTjp7uDVajjXRDKcWCb+5wYN+g0FHTSICohoRvwq0JNqHFszW+CnT5EdMw4V09B94LwDJB2YRABCTwPn2x69p8QU3GLjhrY=,iv:tCYrAcJLV5+OqL3wHNMRA4kxNZo2m73MgUXlCpAGSZg=,tag:6JndAJnSveti0jxqyOAbuw==,type:str] mac: ENC[AES256_GCM,data:hXmwO+HJXophW/ddh1SVp85wELva1ieJeTUPRMjO0mxgiCJWlRNMAPwg6iPvwsuwgzJh3dVa4dHKKRsjDTNEQ7PTOaPYKZWxCdxXlaxPnm+0F8GeB1tnMEScHryJe6718AbuCmxOTPX1TwyJarISlHBaxCZ0D4d1aDGRvC3fiYY=,iv:IKwTuIoJJAADIYMqq4CF/t3Gz6OUxt8BtM6mmdSz9+Q=,tag:w7pG1IPlLO++4g0crobSOA==,type:str]
pgp: pgp:
- created_at: "2024-01-30T22:23:56Z" - created_at: "2024-01-30T22:23:56Z"
enc: |- enc: |-


@ -7,6 +7,7 @@
overlays = [ overlays = [
inputs.deploy-rs.overlay inputs.deploy-rs.overlay
inputs.arcexprs.overlays.default inputs.arcexprs.overlays.default
(import ./samba.nix)
(final: prev: { (final: prev: {
jemalloc = jemalloc =
if final.hostPlatform != "aarch64-darwin" if final.hostPlatform != "aarch64-darwin"

overlays/samba.nix Normal file

@ -0,0 +1,30 @@
final: prev: let
inherit (final) lib;
in {
freeipa-ipasam = let
attrs = old: {
pname = "freeipa-ipasam";
patches = old.patches or [ ] ++ [
../packages/freeipa-ipasam.patch
];
configureFlags = lib.filter (f: f != "--disable-server") old.configureFlags;
};
overrides = {
samba = final.samba-ldap;
};
in (final.freeipa.override overrides).overrideAttrs attrs;
samba-ldap = final.samba.override {
enableLDAP = true;
};
samba-ipa = final.samba-ldap.overrideAttrs (old: {
buildInputs = old.buildInputs ++ [
final.freeipa-ipasam
];
postInstall = ''
${old.postInstall or ""}
cp -a ${final.freeipa-ipasam}/lib/samba/pdb/ipasam.so $out/lib/samba/pdb/
'';
});
}
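Review bot: `samba-ipa` is `samba-ldap.overrideAttrs`, i.e. a separate output, while `freeipa-ipasam` is built with `samba = final.samba-ldap`; the `ipasam.so` copied in `postInstall` therefore carries a runtime path to `samba-ldap`'s libraries rather than to the `samba-ipa` output that will load it, so smbd may end up with two copies of Samba's internal libraries or a mismatch at module load. That is a plausible cause of the "broken backend" remark in the host config and is worth checking with `ldd` on the installed module before the ipasam path is relied on. Adding `freeipa-ipasam` to `buildInputs` does nothing for the `cp` (the store path is referenced directly), so it could be dropped or replaced by a comment saying why it is there. A header comment on the file naming the three derivations and their relationship would also help, since the dependency direction (`freeipa-ipasam` → `samba-ldap` → `samba-ipa`) is not obvious.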


@ -32,6 +32,9 @@
jq jq
; ;
inherit (inputs.deploy-rs.packages.${system}) deploy-rs; inherit (inputs.deploy-rs.packages.${system}) deploy-rs;
inherit (pkgs) freeipa-ipasam samba-ldap samba-ipa;
nf-deploy = pkgs.writeShellScriptBin "nf-deploy" '' nf-deploy = pkgs.writeShellScriptBin "nf-deploy" ''
${exports} ${exports}
${exportsSsh} ${exportsSsh}
@ -56,6 +59,7 @@
INPUT_INFRA_PVE = reisen + "/bin/pve.sh"; INPUT_INFRA_PVE = reisen + "/bin/pve.sh";
INPUT_INFRA_MKPAM = reisen + "/bin/mkpam.sh"; INPUT_INFRA_MKPAM = reisen + "/bin/mkpam.sh";
INPUT_INFRA_CT_CONFIG = reisen + "/bin/ct-config.sh"; INPUT_INFRA_CT_CONFIG = reisen + "/bin/ct-config.sh";
INPUT_AUTHRPCGSS_OVERRIDES = reisen + "/net.auth-rpcgss-module.service.overrides";
}; };
inputVars = set.mapToValues (key: path: ''${key}="$(base64 -w0 < ${path})"'') inputAttrs; inputVars = set.mapToValues (key: path: ''${key}="$(base64 -w0 < ${path})"'') inputAttrs;
in in


@ -0,0 +1,28 @@
diff --git a/Makefile.am b/Makefile.am
--- a/Makefile.am
+++ b/Makefile.am
@@ -3,8 +3,7 @@ NULL =
ACLOCAL_AMFLAGS = -I m4
if ENABLE_SERVER
- IPASERVER_SUBDIRS = ipaserver ipasphinx
- SERVER_SUBDIRS = daemons init install
+ SERVER_SUBDIRS = daemons
endif
if WITH_IPATESTS
diff --git a/daemons/Makefile.am b/daemons/Makefile.am
--- a/daemons/Makefile.am
+++ b/daemons/Makefile.am
@@ -9,11 +9,7 @@ noinst_HEADERS = ipa-version.h.in
SUBDIRS = \
. \
- dnssec \
- ipa-kdb \
- ipa-slapi-plugins \
ipa-sam \
- ipa-otpd \
$(NULL)
ipa-version.h: ipa-version.h.in $(top_builddir)/$(CONFIG_STATUS)


@ -22,6 +22,7 @@ in {
nixos.steam.account-switch nixos.steam.account-switch
nixos.steam.beatsaber nixos.steam.beatsaber
nixos.tailscale nixos.tailscale
nixos.ipa
nixos.cloudflared nixos.cloudflared
nixos.ddclient nixos.ddclient
nixos.acme nixos.acme


@ -2,6 +2,7 @@ tailscale-key: ENC[AES256_GCM,data:HmowloL0TsKM/XFI5GDd6Nl+9uSZcYevB6CObq1Eg5cvy
cloudflared-tunnel-hakurei: ENC[AES256_GCM,data:Pwj8/8RSLrfylwl1Et6SHOJSMWxm+Kn1WpYgZhvWoUQ9GsiuRFf2j0mdu36zid9N+6QC3NK9yv6mMfIgvLJkjXhiYtMidZD4e6a4kQMVbbui+Ohj6wf92Jg5rRdassFHJZSCyZtbaeBXqOzzqF51QrEEWRFxfxt6cvwqZjvSMsbctjltwiD7CehhzQGvDdstZAsVhJC6c+GKDs5pFU3KPTTIHc6b1IzZFijgJZKtNNgKrc4Wqw0=,iv:i2YZq7WMuKiDEHMUJS3QD+SP68Rkpt2fS4X8pkv8s3I=,tag:+0RuoOBf9Vm6aJdCsDfvKg==,type:str] cloudflared-tunnel-hakurei: ENC[AES256_GCM,data:Pwj8/8RSLrfylwl1Et6SHOJSMWxm+Kn1WpYgZhvWoUQ9GsiuRFf2j0mdu36zid9N+6QC3NK9yv6mMfIgvLJkjXhiYtMidZD4e6a4kQMVbbui+Ohj6wf92Jg5rRdassFHJZSCyZtbaeBXqOzzqF51QrEEWRFxfxt6cvwqZjvSMsbctjltwiD7CehhzQGvDdstZAsVhJC6c+GKDs5pFU3KPTTIHc6b1IzZFijgJZKtNNgKrc4Wqw0=,iv:i2YZq7WMuKiDEHMUJS3QD+SP68Rkpt2fS4X8pkv8s3I=,tag:+0RuoOBf9Vm6aJdCsDfvKg==,type:str]
tf-proxmox-passwd: ENC[AES256_GCM,data:kLLFPr5jILsUt7yecUc1Eb1V9hXEUFBytT7ehcwLv7W9Vfar/BdMQasNecs8S1Ilt7uAjpiXIkNGr5hkktNanIegJw539B43Pnk=,iv:rOy27QkhMM7LrNgYoHgZCwoZHtzUzDrUnhroLSqbKSw=,tag:HkFBkiws/jlQmXP8SpcUYg==,type:str] tf-proxmox-passwd: ENC[AES256_GCM,data:kLLFPr5jILsUt7yecUc1Eb1V9hXEUFBytT7ehcwLv7W9Vfar/BdMQasNecs8S1Ilt7uAjpiXIkNGr5hkktNanIegJw539B43Pnk=,iv:rOy27QkhMM7LrNgYoHgZCwoZHtzUzDrUnhroLSqbKSw=,tag:HkFBkiws/jlQmXP8SpcUYg==,type:str]
tf-proxmox-identity: ENC[AES256_GCM,data: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,iv:dUUGP+HspbqutGpcGxrVn8071S+h8nobUlfgUuFz9io=,tag:HhgrC6699p36RFzpSwvf0Q==,type:str] tf-proxmox-identity: ENC[AES256_GCM,data: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,iv:dUUGP+HspbqutGpcGxrVn8071S+h8nobUlfgUuFz9io=,tag:HhgrC6699p36RFzpSwvf0Q==,type:str]
krb5-keytab: ENC[AES256_GCM,data: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,iv:210i0Kj0KVXIg8DTDlsJYyuxjAd1ASGvqGlHOhYLLNY=,tag:Eb42niH6t/Dpgw0scblmIg==,type:str]
sops: sops:
shamir_threshold: 1 shamir_threshold: 1
kms: [] kms: []
@ -18,8 +19,8 @@ sops:
ZEpzdWJZWGdEaElLZUc1YW5ON0YrM2MKk/dZvaFVzfkMD3poreaDGfJwG5j5fL3L ZEpzdWJZWGdEaElLZUc1YW5ON0YrM2MKk/dZvaFVzfkMD3poreaDGfJwG5j5fL3L
kuV/3fEHBf5HszR/VTy/bZ2+abN6x3UG5h0l+QaS9ux+mtwFCyYYjg== kuV/3fEHBf5HszR/VTy/bZ2+abN6x3UG5h0l+QaS9ux+mtwFCyYYjg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-26T20:09:45Z" lastmodified: "2024-03-17T22:21:26Z"
mac: ENC[AES256_GCM,data:jVC5XpyzRHHB03ijZlN711qE7D6n+YehrkyFZZ9JmRre+oR7H171Be+BYq3QZl5pp0VGlfFRPmGrBlh3nwxL1FYYIzDMWMmkJrce2pdYKgOwQxRqR5bbW6yH8zYbyD2f1gZ9DIo/UPlPvdWFsFHZOKNWo/gPeDeI1MZQCNmQpnY=,iv:vOoGpsG5FJt+leB7sblkvwyDNa+2TvUg1cqWAzMgRks=,tag:hbpdem+/E042g5IiQa+TFw==,type:str] mac: ENC[AES256_GCM,data:q0YqiY24G58KUk6UJ2kqjtERe9AcTSsb2MS3CP8zyPUVrYtP0V8MUyJ0z7ZfbeD0cXlY6UtVLBV+EwXyFCyR2enyP1FufAdR7jQLxDS219JPVipKfOGu12N3F7e91PK4Glh36bVoBNsXjbtWlQMiwZe7sV9e/rnRBe3gks6PCnU=,iv:A7i8+WKZwifRBTwrBnxMDHk6JtvqD7JVZA7TXShKJRM=,tag:dpJ/J/AUHXx4F98PuqEbjw==,type:str]
pgp: pgp:
- created_at: "2024-01-19T18:57:37Z" - created_at: "2024-01-19T18:57:37Z"
enc: |- enc: |-


@ -9,6 +9,7 @@
nixos.steam.account-switch nixos.steam.account-switch
nixos.steam.beatsaber nixos.steam.beatsaber
nixos.tailscale nixos.tailscale
nixos.ipa
nixos.nfs nixos.nfs
]; ];


@ -1,4 +1,5 @@
tailscale-key: ENC[AES256_GCM,data:X1oDglyEjyFyeBgkV52IAcvS7krEeUfuJYhp/GN0cLH7She/RLdScbMcGBLwkDdtgoBkSK/HEjk=,iv:7eJg2IMVxZX7O3rzqeai3gjbAMLu3ScU49rrQPxnl0s=,tag:L2EgzeAvr4PLxaTBe9vObg==,type:str] tailscale-key: ENC[AES256_GCM,data:X1oDglyEjyFyeBgkV52IAcvS7krEeUfuJYhp/GN0cLH7She/RLdScbMcGBLwkDdtgoBkSK/HEjk=,iv:7eJg2IMVxZX7O3rzqeai3gjbAMLu3ScU49rrQPxnl0s=,tag:L2EgzeAvr4PLxaTBe9vObg==,type:str]
krb5-keytab: ENC[AES256_GCM,data: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,iv:xzjH/RaRSHx39TkQW3Ns7pLf6/ogeFHWqNvfkgOgsEA=,tag:IvmpHdZi04cdYFaXh3YTIg==,type:str]
sops: sops:
shamir_threshold: 1 shamir_threshold: 1
kms: [] kms: []
@ -15,8 +16,8 @@ sops:
UERXZU1FaTNGU09mTm91M05MNitvQzgKhaWavZCVVMA+MqdX4LDsywN9ySSskH0X UERXZU1FaTNGU09mTm91M05MNitvQzgKhaWavZCVVMA+MqdX4LDsywN9ySSskH0X
2K+YRI34/3oY0Mv2s6OEIa+laYf2XRImSh6BN1F4b/AezQa1LCTTaw== 2K+YRI34/3oY0Mv2s6OEIa+laYf2XRImSh6BN1F4b/AezQa1LCTTaw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-30T23:58:54Z" lastmodified: "2024-03-16T20:48:49Z"
mac: ENC[AES256_GCM,data:ih1RwcmiaD4yQnSoxo+uoJFZCEQp5xs1+O976EeLIUxkhcbpJ3//jhch591TyQbCf6IHBkjrmTbsQdEX6607n4KV6RLYW1822Fc34d76QdJMAJOxRD8oYpf9+iUN8VmfkO2PqPFvxub/iOmt38AkV+1cK+8LYaTXPT+yY6fJ2h4=,iv:Yb7MAsyH980A8hAifhzk+jtOoVsAapsH+mD1h7oWjKI=,tag:IcVWkobQWg2zwrXP7kRAyA==,type:str] mac: ENC[AES256_GCM,data:si2YKYqOtaNm1xOlcK698jeK5XWnRIFW6OTyUxv2TxlmgoqximGVl7a/dv/CePQSA1m7pPBZFCAMGV9lmMtMGMM9ipxlaFIkHDRHcBndriy+a9Cijdc/Q5OybYOh6FA+Jktqn7afuF8IrWETWK7wO1E3lg1QmNQrW04gzzwNXLU=,iv:rGNEBBuZIT4asB3JsEF0AImxjgpbhCNeRjIeB1RFpyk=,tag:eKwBpWNVXGmU63gAg+TQ3g==,type:str]
pgp: pgp:
- created_at: "2024-01-30T23:58:18Z" - created_at: "2024-01-30T23:58:18Z"
enc: |- enc: |-


@ -0,0 +1,2 @@
[Unit]
ConditionPathExists=


@ -157,3 +157,10 @@ mkshared plex 100193 100193 0755
mkshared postgresql 100071 100071 0750 mkshared postgresql 100071 100071 0750
mkshared unifi 100990 100990 0755 mkshared unifi 100990 100990 0755
mkshared zigbee2mqtt 100317 100317 0700 mkshared zigbee2mqtt 100317 100317 0700
ln -sf /lib/systemd/system/auth-rpcgss-module.service /etc/systemd/system/
mkdir -p /etc/systemd/system/auth-rpcgss-module.service.d
ln -sf /etc/systemd/system/auth-rpcgss-module.service /etc/systemd/system/multi-user.target.wants/
base64 -d > /etc/systemd/system/auth-rpcgss-module.service.d/overrides.conf <<EOF
$INPUT_AUTHRPCGSS_OVERRIDES
EOF
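Review bot: The drop-in written from `$INPUT_AUTHRPCGSS_OVERRIDES` clears `ConditionPathExists=` for `auth-rpcgss-module.service` (the new overrides file in this commit), so the unit will now run even when no keytab is present on the container host; if that is deliberately paired with the guest-side `ExecStart` override in `nixos/ipa.nix`, a comment such as `# unconditionally load the rpcsec_gss module for the CT; guests override the service themselves` would make the two halves findable together. The wants symlink is created by hand against the `/etc/systemd/system` copy; where `systemctl` is usable at this point in the script, `systemctl enable auth-rpcgss-module.service` expresses the same thing without hard-coding the target path, otherwise the manual form is fine. The script's enclosing function starts outside the hunk.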