feat(idp): ipa and krb5 hosts

This commit is contained in:
arcnmx 2024-03-15 13:50:47 -07:00
parent 81b20878f1
commit 1ed36b4f66
19 changed files with 327 additions and 83 deletions


@ -1,8 +1,10 @@
{
inputs,
lib,
config,
...
}: let
inherit (inputs.self.lib.lib) mkBaseDn;
inherit (lib) mkIf mkMerge mkBefore mkDefault mkOptionDefault mkEnableOption mkOption;
inherit (lib.strings) splitString concatMapStringsSep;
inherit (config.lib.access) mkSnakeOil;
@ -46,7 +48,7 @@ in {
};
baseDn = mkOption {
type = str;
default = concatMapStringsSep "," (part: "dc=${part}") (splitString "." cfg.serverSettings.domain);
default = mkBaseDn cfg.serverSettings.domain;
};
};
};
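Review bot: With baseDn's default now produced by mkBaseDn (L27), the `inherit (lib.strings) splitString concatMapStringsSep;` line (L20) looks unused in this file unless something beyond the hunk still calls it; dropping it would keep the import list honest. The attribute set in which baseDn sits begins outside the hunk, so this is inferred from the visible lines rather than confirmed.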


@ -5,7 +5,7 @@
...
}: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
inherit (lib.modules) mkIf mkMerge mkBefore mkForce mkDefault mkOptionDefault;
inherit (lib.attrsets) mapAttrs' mapAttrsToList nameValuePair;
inherit (lib.strings) hasPrefix concatMapStringsSep;
inherit (config.services) samba-wsdd;
@ -25,9 +25,23 @@ in {
in {
ldap = {
enable = mkEnableOption "LDAP";
idmapDomain = mkOption {
type = str;
default = "*";
passdb = {
enable = mkEnableOption "LDAP authentication" // {
default = true;
};
backend = mkOption {
type = enum [ "ldapsam" "ipasam" ];
default = "ldapsam";
};
};
idmap = {
enable = mkEnableOption "LDAP users" // {
default = true;
};
domain = mkOption {
type = str;
default = "*";
};
};
url = mkOption {
type = str;
@ -36,7 +50,7 @@ in {
type = str;
};
adminDn = mkOption {
type = str;
type = nullOr str;
default = "name=anonymous,${cfg.ldap.baseDn}";
};
adminPasswordPath = mkOption {
@ -44,6 +58,16 @@ in {
default = null;
};
};
kerberos = {
enable = mkEnableOption "krb5";
realm = mkOption {
type = str;
};
keytabPath = mkOption {
type = nullOr path;
default = null;
};
};
usershare = {
enable = mkEnableOption "usershare";
group = mkOption {
@ -87,7 +111,7 @@ in {
};
max = mkOption {
type = int;
default = 10000;
default = 65534;
};
};
readOnly = mkOption {
@ -130,53 +154,69 @@ in {
config = {
services.samba = {
package = mkIf cfg.ldap.enable (mkDefault (pkgs.samba.override {
enableLDAP = true;
}));
package = mkIf cfg.ldap.enable (mkDefault (
if cfg.ldap.passdb.enable && cfg.ldap.passdb.backend == "ipasam" then pkgs.samba-ipa else pkgs.samba-ldap
));
ldap = {
adminPasswordPath = mkIf (hasPrefix "name=anonymous," cfg.ldap.adminDn) (mkDefault (
adminPasswordPath = mkIf (cfg.ldap.adminDn != null && hasPrefix "name=anonymous," cfg.ldap.adminDn) (mkDefault (
pkgs.writeText "smb-ldap-anonymous" "anonymous"
));
};
idmap.domains = mkMerge [
(mkIf cfg.ldap.enable {
(mkIf (cfg.ldap.enable && cfg.ldap.idmap.enable) {
ldap = {
domain = mkDefault cfg.ldap.idmapDomain;
backend = mkOptionDefault "ldap";
domain = mkDefault cfg.ldap.idmap.domain;
settings = {
ldap_url = mkOptionDefault cfg.ldap.url;
};
};
})
];
settings = mkMerge ([
{
"use sendfile" = mkOptionDefault true;
}
(mkIf (cfg.passdb.smbpasswd.path != null) {
"passdb backend" = mkOptionDefault "smbpasswd:${cfg.passdb.smbpasswd.path}";
})
(mkIf cfg.ldap.enable {
"passdb backend" = mkOptionDefault ''ldapsam:"${cfg.ldap.url}"'';
"ldap ssl" = mkIf (hasPrefix "ldaps://" cfg.ldap.url) (mkOptionDefault "off");
"ldap admin dn" = mkOptionDefault "name=anonymous,${cfg.ldap.baseDn}";
"ldap suffix" = mkOptionDefault cfg.ldap.baseDn;
})
(mkIf (cfg.ldap.enable && true) {
"ntlm auth" = mkOptionDefault "disabled";
"encrypt passwords" = mkOptionDefault false;
})
(mkIf cfg.usershare.enable {
"usershare allow guests" = mkOptionDefault true;
"usershare max shares" = mkOptionDefault 16;
"usershare owner only" = mkOptionDefault true;
"usershare template share" = mkOptionDefault cfg.usershare.templateShare;
"usershare path" = mkOptionDefault cfg.usershare.path;
"usershare prefix allow list" = mkOptionDefault [cfg.usershare.path];
})
(mkIf cfg.guest.enable {
"map to guest" = mkOptionDefault "Bad User";
"guest account" = mkOptionDefault cfg.guest.user;
})
{
"use sendfile" = mkOptionDefault true;
}
(mkIf (cfg.passdb.smbpasswd.path != null) {
"passdb backend" = mkOptionDefault "smbpasswd:${cfg.passdb.smbpasswd.path}";
})
(mkIf cfg.ldap.enable {
"ldap ssl" = mkIf (hasPrefix "ldaps://" cfg.ldap.url) (mkOptionDefault "off");
"ldap admin dn" = mkIf (cfg.ldap.adminDn != null) (mkOptionDefault cfg.ldap.adminDn);
"ldap suffix" = mkOptionDefault cfg.ldap.baseDn;
})
(mkIf cfg.kerberos.enable {
"realm" = mkOptionDefault cfg.kerberos.realm;
"kerberos method" = mkOptionDefault (
if cfg.kerberos.keytabPath != null then "dedicated keytab"
else "system keytab"
);
"dedicated keytab file" = mkIf (cfg.kerberos.keytabPath != null) (mkOptionDefault
"FILE:${cfg.kerberos.keytabPath}"
);
"create krb5 conf" = mkOptionDefault false;
})
(mkIf cfg.usershare.enable {
"usershare allow guests" = mkOptionDefault true;
"usershare max shares" = mkOptionDefault 16;
"usershare owner only" = mkOptionDefault true;
"usershare template share" = mkOptionDefault cfg.usershare.templateShare;
"usershare path" = mkOptionDefault cfg.usershare.path;
"usershare prefix allow list" = mkOptionDefault [ cfg.usershare.path ];
})
(mkIf cfg.guest.enable {
"map to guest" = mkOptionDefault "Bad User";
"guest account" = mkOptionDefault cfg.guest.user;
})
] ++ mapAttrsToList (_: idmap: mapAttrs' (key: value: nameValuePair "idmap config ${idmap.domain} : ${key}" (mkOptionDefault value)) idmap.settings) cfg.idmap.domains);
extraConfig = mkMerge (
mapAttrsToList (key: value: ''${key} = ${settingValue value}'') cfg.settings
++ [
(mkIf (cfg.ldap.enable && cfg.ldap.passdb.enable) (mkBefore ''
passdb backend = ${cfg.ldap.passdb.backend}:"${cfg.ldap.url}"
''))
]
++ mapAttrsToList (_: idmap: mapAttrs' (key: value: nameValuePair "idmap config ${idmap.domain} : ${key}" (mkOptionDefault value)) idmap.settings) cfg.idmap.domains);
extraConfig = mkMerge (mapAttrsToList (key: value: ''${key} = ${settingValue value}'') cfg.settings);
);
shares.${cfg.usershare.templateShare} = mkIf cfg.usershare.enable {
"-valid" = false;
};
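Review bot: `"FILE:${cfg.kerberos.keytabPath}"` (L180) interpolates an option of type `nullOr path`; if a host sets the option to a path literal rather than a string, Nix copies the file into the world-readable store at evaluation time, which is the wrong place for a keytab. Interpolating `toString cfg.kerberos.keytabPath` avoids the copy, or the option could be declared as `nullOr str` so a path literal is rejected up front. Separately, the old `"ntlm auth" = mkOptionDefault "disabled"` block (L146-L149) appears to have no counterpart on the new side, so hosts fall back to Samba's built-in default unless they set it themselves; if that drop is intentional, a sentence in the commit message would help. The enclosing `config = { services.samba = {` block continues past the hunk.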


@ -2,6 +2,7 @@
nixpkgs = {
overlays = [
inputs.arcexprs.overlays.default
(import ../../overlays/samba.nix)
];
config = {
allowUnfree = true;

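--- a/nixos/ipa.nix
+++ b/nixos/ipa.nix
@@ -0,0 +1,51 @@
+{ inputs, pkgs, config, lib, ... }: let
+inherit (inputs.self.lib.lib) mkBaseDn;
+inherit (lib.modules) mkIf mkForce mkDefault;
+inherit (lib.strings) toUpper splitString concatMapStringsSep;
+inherit (config.networking) domain;
+cfg = config.security.ipa;
+baseDn = mkBaseDn domain;
+caPem = pkgs.fetchurl {
+name = "idp.${domain}.ca.pem";
+url = "https://freeipa.${domain}/ipa/config/ca.crt";
+sha256 = "sha256-PKjnjn1jIq9x4BX8+WGkZfj4HQtmnHqmFSALqggo91o=";
+};
+in {
+# NOTE: requires manual post-install setup...
+# :; kinit admin
+# :; ipa-join --hostname=${config.networking.fqdn} -k /tmp/krb5.keytab -s idp.${domain}
+# then to authorize it for a specific service...
+# :; ipa-getkeytab -k /tmp/krb5.keytab -s idp.${domain} -p ${serviceName}/idp.${domain}@${toUpper domain}
+# once the sops secret has been updated with keytab...
+# :; systemctl restart sssd
+config = {
+security.ipa = {
+enable = mkDefault true;
+certificate = mkDefault caPem;
+basedn = mkDefault baseDn;
+chromiumSupport = mkDefault false;
+domain = mkDefault domain;
+realm = mkDefault (toUpper domain);
+server = mkDefault "idp.${domain}";
+ifpAllowedUids = [
+"root"
+] ++ config.users.groups.wheel.members;
+dyndns.enable = mkDefault false;
+};
+networking.extraHosts = mkIf cfg.enable ''
+10.1.1.46 idp.${domain}
+'';
+systemd.services.auth-rpcgss-module = mkIf (cfg.enable && !config.boot.modprobeConfig.enable) {
+serviceConfig.ExecStart = mkForce [
+""
+"${pkgs.coreutils}/bin/true"
+];
+};
+sops.secrets = {
+krb5-keytab = mkIf cfg.enable {
+mode = "0400";
+path = "/etc/krb5.keytab";
+};
+};
+};
+}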
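Review bot: The `ExecStart = mkForce [ "" "${pkgs.coreutils}/bin/true" ]` override on L265-L268 turns auth-rpcgss-module.service into a no-op whenever modprobe is disabled, and nothing says why; a comment such as `# NOTE: this unit only modprobes the rpcsec_gss_krb5 module, which a container without modprobe cannot do; neutralise it rather than fail — confirm the host loads the module` would save the next reader a trip through the ct-config script. The hard-coded `10.1.1.46 idp.${domain}` entry on L262 and the CA fetched from `freeipa.${domain}` on L236 name the server two different ways; if both are aliases of the same host, a comment saying so would help. The sha256 pin on L237 is what makes that bootstrap fetch trustworthy, so it is also worth noting next to it that the hash must be re-pinned whenever the IPA CA is rotated.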


@ -9,15 +9,40 @@
inherit (config) kyuuto;
in {
services.nfs.server.exports = let
mapPerm = perm: map (addr: "${addr}(${perm})");
mapPerm = perm: map (addr: "${addr}(${concatStringsSep "," perm})");
toPerms = concatStringsSep " ";
localAddrs = cidrForNetwork.loopback.all ++ cidrForNetwork.local.all;
tailAddrs = optionals config.services.tailscale.enable cidrForNetwork.tail.all;
allAddrs = localAddrs ++ tailAddrs;
globalAddrs = [
"@peeps"
];
common = [
"no_subtree_check"
];
sec = [
"sec=${concatStringsSep ":" [ "krb5i" "krb5" "krb5p" ]}"
# TODO: no_root_squash..?
];
anon = [
"sec=sys"
"all_squash"
"anonuid=${toString config.users.users.guest.uid}"
"anongid=${toString config.users.groups.${config.users.users.guest.group}.gid}"
];
# TODO: this can be simplified by specifying `sec=` multiple times, with restrictive options following sec=sys,all_squash,ro,etc
kyuutoOpts = common;
kyuutoPerms =
mapPerm "ro" localAddrs
++ mapPerm "rw" tailAddrs;
transferPerms = mapPerm "rw" allAddrs;
mapPerm (kyuutoOpts ++ [ "rw" ] ++ sec) globalAddrs
++ mapPerm (kyuutoOpts ++ [ "ro" ] ++ anon) localAddrs
# XXX: remove me once kerberos is set up!
++ mapPerm (kyuutoOpts ++ [ "rw" "sec=sys" ]) tailAddrs
;
transferOpts = common ++ [ "rw" "async" ];
transferPerms =
mapPerm (transferOpts ++ sec) globalAddrs
++ mapPerm (transferOpts ++ anon) allAddrs
;
in ''
${kyuuto.mountDir} ${toPerms kyuutoPerms}
${kyuuto.transferDir} ${toPerms transferPerms}
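Review bot: The tailscale entry on L316 exports rw with `sec=sys` and no squash option, so it relies on exportfs' implicit root_squash; given the XXX marker says it is temporary, spelling it out as `++ mapPerm (kyuutoOpts ++ [ "rw" "sec=sys" "root_squash" ]) tailAddrs` makes the intended privilege level visible and survives a later edit that adds no_root_squash to `sec` (the TODO on L299). Note also that exports(5) picks the first entry that matches a client, so the order global → local → tail on L313-L316 is load-bearing and deserves a one-line comment. The `let` that defines these bindings starts before the hunk.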


@ -38,6 +38,7 @@ in {
settings = mkIf cfg.enable {
"ntlm auth" = mkDefault "ntlmv1-permitted";
"server min protocol" = mkDefault "NT1";
"keepalive" = mkDefault 0;
};
shares.opl = let
inherit (config.networking.access) cidrForNetwork;
@ -57,7 +58,6 @@ in {
"@kyuuto-peeps"
];
"strict sync" = false;
"keepalive" = 0;
"hosts allow" = localAddrs;
};
};


@ -1,13 +1,15 @@
{
inputs,
config,
lib,
access,
...
}: let
inherit (lib.modules) mkIf mkDefault;
inherit (inputs.self.lib.lib) mkBaseDn;
inherit (lib.modules) mkIf mkForce mkDefault;
inherit (lib.lists) optional;
inherit (lib.strings) concatStringsSep concatMapStringsSep splitString;
inherit (lib.strings) toUpper concatStringsSep concatMapStringsSep splitString;
cfg = config.services.nfs;
inherit (config.networking) domain;
openPorts = [
(mkIf cfg.server.enable 2049)
(mkIf config.services.rpcbind.enable 111)
@ -16,8 +18,7 @@
(mkIf (cfg.server.mountdPort != null) cfg.server.mountdPort)
];
enableLdap = false;
system = access.nixosFor "tei";
inherit (system.services) kanidm;
baseDn = mkBaseDn domain;
in {
services.nfs = {
server = {
@ -27,25 +28,35 @@ in {
mountdPort = mkDefault 4002;
};
idmapd.settings = {
General.Domain = mkDefault config.networking.domain;
Translation.GSS-Methods = concatStringsSep "," (
["static"]
General = {
Domain = mkForce domain;
Local-Realms = concatStringsSep "," [
(toUpper domain)
#(toString config.networking.fqdn)
];
};
Translation.Method = mkForce (concatStringsSep "," (
[ "static" ]
++ optional enableLdap "umich_ldap"
++ ["nsswitch"]
);
++ [ "nsswitch" ]
));
Static = {
};
UMICH_SCHEMA = mkIf enableLdap {
LDAP_server = "ldap.local.${config.networking.domain}";
LDAP_server = "ldap.local.${domain}";
LDAP_use_ssl = true;
LDAP_ca_cert = "/etc/ssl/certs/ca-bundle.crt";
LDAP_base = kanidm.server.ldap.baseDn;
NFSv4_person_objectclass = "account";
NFSv4_group_objectclass = "group";
NFSv4_name_attr = "name";
NFSv4_group_attr = "name";
LDAP_base = baseDn;
LDAP_people_base = "cn=users,cn=accounts,${baseDn}";
LDAP_group_base = "cn=groups,cn=accounts,${baseDn}";
GSS_principal_attr = "krbPrincipalName";
NFSv4_person_objectclass = "posixaccount"; # or "person"?
NFSv4_group_objectclass = "posixgroup";
NFSv4_name_attr = "krbCanonicalName"; # uid? cn? gecos?
NFSv4_group_attr = "cn";
NFSv4_uid_attr = "gidnumber";
NFSv4_gid_attr = "gidnumber";
NFSv4_gid_attr = "uidnumber";
#LDAP_use_memberof_for_groups = true;
LDAP_canonicalize_name = false;
};
};
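Review bot: `NFSv4_uid_attr = "gidnumber"` (L418) maps user ids to the group-number attribute, which reads like a copy-paste slip next to the gid line this hunk changes; for a posixAccount the pair should be `NFSv4_uid_attr = "uidnumber";` and `NFSv4_gid_attr = "gidnumber";`. The UMICH_SCHEMA block is gated on enableLdap, which L370 sets to false, so the mistake is dormant today but will surface the moment LDAP mapping is switched on. The choice of `krbCanonicalName` for NFSv4_name_attr (L416) carries its own question mark in the source; a short comment recording which attribute actually matched in testing would settle it.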


@ -1,12 +1,15 @@
{
inputs,
config,
lib,
...
}: let
inherit (lib.modules) mkIf mkDefault;
inherit (inputs.self.lib.lib) mkBaseDn;
inherit (lib.modules) mkIf mkMerge mkDefault;
inherit (lib.lists) any;
inherit (lib.strings) hasInfix concatMapStringsSep splitString;
inherit (lib.strings) toUpper hasInfix;
cfg = config.services.samba;
inherit (config.networking) domain;
hasIpv4 = any (hasInfix ".") config.systemd.network.networks.eth0.address or [];
in {
services.samba = {
@ -15,8 +18,25 @@ in {
enableNmbd = mkDefault hasIpv4;
securityType = mkDefault "user";
ldap = {
url = mkDefault "ldaps://ldap.local.${config.networking.domain}";
baseDn = mkDefault (concatMapStringsSep "," (part: "dc=${part}") (splitString "." config.networking.domain));
enable = mkDefault true;
url = mkDefault "ldaps://ldap.local.${domain}";
baseDn = mkDefault (mkBaseDn domain);
adminDn = mkDefault "uid=samba,cn=sysaccounts,cn=etc,${cfg.ldap.baseDn}";
adminPasswordPath = mkIf cfg.ldap.enable (
mkDefault config.sops.secrets.smb-ldap-password.path
);
passdb = {
# XXX: broken backend :<
#backend = mkIf config.security.ipa.enable (mkDefault "ipasam");
};
idmap = {
enable = mkIf config.services.sssd.enable (mkDefault false);
domain = mkDefault cfg.settings.workgroup;
};
};
kerberos = mkIf (config.security.krb5.enable || config.security.ipa.enable) {
enable = true;
realm = toUpper domain;
};
usershare = {
group = mkDefault "peeps";
@ -25,8 +45,10 @@ in {
enable = mkDefault true;
user = mkDefault "guest";
};
passdb.smbpasswd.path = mkDefault config.sops.secrets.smbpasswd.path;
settings = {
passdb.smbpasswd.path = mkIf (!cfg.ldap.enable || !cfg.ldap.passdb.enable) (
mkDefault config.sops.secrets.smbpasswd.path
);
settings = mkMerge [ {
workgroup = "GENSOKYO";
"local master" = false;
"preferred master" = false;
@ -37,12 +59,22 @@ in {
"remote announce" = mkIf hasIpv4 [
"10.1.1.255/${cfg.settings.workgroup}"
];
};
idmap.domains = mkIf (!cfg.ldap.enable) {
nss = {
} (mkIf cfg.ldap.enable {
"ldapsam:trusted" = true;
"ldapsam:editposix" = false;
"ldap user suffix" = "cn=users,cn=accounts";
"ldap group suffix" = "cn=groups,cn=accounts";
}) ];
idmap.domains = {
nss = mkIf (!cfg.ldap.enable || !cfg.ldap.idmap.enable) {
backend = "nss";
domain = "*";
range.min = 8000;
#range.max = 8256;
};
ldap = mkIf (cfg.ldap.enable && cfg.ldap.idmap.enable) {
range.min = 8000;
#range.min = 8256;
};
};
};
@ -52,8 +84,13 @@ in {
hostname = mkDefault config.networking.hostName;
};
sops.secrets.smbpasswd = {
sopsFile = mkDefault ./secrets/samba.yaml;
#path = "/var/lib/samba/private/smbpasswd";
sops.secrets = {
smbpasswd = mkIf (!cfg.ldap.enable || !cfg.ldap.passdb.enable) {
sopsFile = mkDefault ./secrets/samba.yaml;
#path = "/var/lib/samba/private/smbpasswd";
};
smb-ldap-password = mkIf cfg.ldap.enable {
sopsFile = mkDefault ./secrets/samba.yaml;
};
};
}
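Review bot: The comment `#range.min = 8256;` on L509 repeats the key of the line above it; the parallel nss block (L505) uses `#range.max = 8256;`, so this is most likely meant to read `#range.max = 8256;` as well. As written both idmap domains take the module's default max (65534 after this commit, L101), which is fine as long as that is intended. The `services.samba` attribute set continues beyond the hunk.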


@ -1,4 +1,5 @@
smbpasswd: ENC[AES256_GCM,data:W77mPgQ4sgdEsYgL271Kw34oHXYqMgGOM13KhY6XKlMVpIu1iznzuECXEG/6tDpv7J6hCMex8i4FMy85mUb2a/FLscx+vF7ncSATKZSGSKZZgU/kc5qGqM2yJrm7TnvmjSt7YRJfXBACM2h5X6eVKZ+0mtOAoQD72JLyM7aO8W4z4XyQQpudCqnpmNT5s8icHJGjRQubIm/25Znw8y5RME/OrA2/YkuGXeCNT7dEqHl6/KiH94//+XhCKij8lSV3iaE7ZKLiA3bqQJmp2n8Owvd+cDVZ1wWQU0TQGE1aAKysiHg1Yc1io7ek0t9UxyE5ZrOyifiWv6f2jdxbA7dvIihmlP0XWghdo30T9v4GE97cuNRG2rJTZEi3lP9Qy7Y4yS/XWRfSPLQnZ0D5xvuNxbVbXUR8OBcBlLeG6TFKtLPJgRr8oUrxw/03MHT8wxAOrfFPUYofd377DBIXQSv2Jbxg8117yAI1a/fBl8zFBrdkKDQvUjOSTTlCJ6J9goNe0Ra91noh9GMDC4qRzNheC22QVKWYExbtKyW0+OeIrpTfJ/1Ml1Jrb+FRjS0CDOHgHwYOqaPiyp1tlIgqhYEb3gIF7Ru69A1ctNdugaZAgz83Z951T2kpBNYguIoJn09X/MBq7ZKToWrFBi0kgOCnGbJfC9MusXGdJ1275Co6Xiaq2/mOWRwsH0e6HEjzSaFoOMgDe5jtq4+UIhbbS9u1dvn8/mR4mR/MsHDsT3FUWQ+c3C04/zTdJbt91w/f9PEs+Zi4qKwsyG0AtHzVV8/NADU4xAr1GFYBL9crMe/Y1vvPFXzpIlnfQrg+vYXE9vqXTXOgFB8KKUlT,iv:Ciw/zsXUiITP9vZJgvb9hDRgPZ1jSFISK+8Dqb2DeOs=,tag:Hn/k1t7AmM60tc6fOjj35w==,type:str]
smb-ldap-password: ENC[AES256_GCM,data:ny+9oyh7MwRWXkq175vJ9IKWP6tyWAqjNHqlSiYNnYY=,iv:7BAZ05CgR0FZGc6xP/RfeVtK0vh+1PtJnk25wdXNchk=,tag:OmBHpUwgVQtyfRv9wASQYg==,type:str]
sops:
shamir_threshold: 1
kms: []
@ -42,8 +43,8 @@ sops:
VitlT3d6d1FOSzFKTFRIWDU3cmJ2aXMKDN7HPa6pQSZd21cLvfk+sYvLqZm9eN+7
K1v7M9MXLY+nh1YGGbtDbWHh09p8g37tS1OwgGAiETh+z7hWsGHYdw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-28T21:51:11Z"
mac: ENC[AES256_GCM,data:nHX08Itwgn4HI98tzq08VOwVG+bZGlBYMUe19SEECo9dRpH9P5eApV1ho8RknPHrTv6m3PBvapaIsTjp7uDVajjXRDKcWCb+5wYN+g0FHTSICohoRvwq0JNqHFszW+CnT5EdMw4V09B94LwDJB2YRABCTwPn2x69p8QU3GLjhrY=,iv:tCYrAcJLV5+OqL3wHNMRA4kxNZo2m73MgUXlCpAGSZg=,tag:6JndAJnSveti0jxqyOAbuw==,type:str]
lastmodified: "2024-03-17T20:04:41Z"
mac: ENC[AES256_GCM,data:hXmwO+HJXophW/ddh1SVp85wELva1ieJeTUPRMjO0mxgiCJWlRNMAPwg6iPvwsuwgzJh3dVa4dHKKRsjDTNEQ7PTOaPYKZWxCdxXlaxPnm+0F8GeB1tnMEScHryJe6718AbuCmxOTPX1TwyJarISlHBaxCZ0D4d1aDGRvC3fiYY=,iv:IKwTuIoJJAADIYMqq4CF/t3Gz6OUxt8BtM6mmdSz9+Q=,tag:w7pG1IPlLO++4g0crobSOA==,type:str]
pgp:
- created_at: "2024-01-30T22:23:56Z"
enc: |-


@ -7,6 +7,7 @@
overlays = [
inputs.deploy-rs.overlay
inputs.arcexprs.overlays.default
(import ./samba.nix)
(final: prev: {
jemalloc =
if final.hostPlatform != "aarch64-darwin"

overlays/samba.nix Normal file

@ -0,0 +1,30 @@
final: prev: let
inherit (final) lib;
in {
freeipa-ipasam = let
attrs = old: {
pname = "freeipa-ipasam";
patches = old.patches or [ ] ++ [
../packages/freeipa-ipasam.patch
];
configureFlags = lib.filter (f: f != "--disable-server") old.configureFlags;
};
overrides = {
samba = final.samba-ldap;
};
in (final.freeipa.override overrides).overrideAttrs attrs;
samba-ldap = final.samba.override {
enableLDAP = true;
};
samba-ipa = final.samba-ldap.overrideAttrs (old: {
buildInputs = old.buildInputs ++ [
final.freeipa-ipasam
];
postInstall = ''
${old.postInstall or ""}
cp -a ${final.freeipa-ipasam}/lib/samba/pdb/ipasam.so $out/lib/samba/pdb/
'';
});
}
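Review bot: The `cp -a … $out/lib/samba/pdb/` on L590 assumes the destination directory already exists in samba's install output; a preceding `mkdir -p $out/lib/samba/pdb` costs nothing and turns a missing directory from a confusing copy failure into a no-op. Two decisions here also deserve a why-comment: filtering `--disable-server` from configureFlags on L575 (presumably because ipa-sam only builds with the server parts enabled) and pinning `overrides.samba = final.samba-ldap` on L578, which keeps the ipasam.so build matched to the samba it is copied into. `old.patches or [ ] ++ [ … ]` on L572 is correct but relies on `or` binding tighter than `++`; parentheses would make that obvious.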


@ -32,6 +32,9 @@
jq
;
inherit (inputs.deploy-rs.packages.${system}) deploy-rs;
inherit (pkgs) freeipa-ipasam samba-ldap samba-ipa;
nf-deploy = pkgs.writeShellScriptBin "nf-deploy" ''
${exports}
${exportsSsh}
@ -56,6 +59,7 @@
INPUT_INFRA_PVE = reisen + "/bin/pve.sh";
INPUT_INFRA_MKPAM = reisen + "/bin/mkpam.sh";
INPUT_INFRA_CT_CONFIG = reisen + "/bin/ct-config.sh";
INPUT_AUTHRPCGSS_OVERRIDES = reisen + "/net.auth-rpcgss-module.service.overrides";
};
inputVars = set.mapToValues (key: path: ''${key}="$(base64 -w0 < ${path})"'') inputAttrs;
in


@ -0,0 +1,28 @@
diff --git a/Makefile.am b/Makefile.am
--- a/Makefile.am
+++ b/Makefile.am
@@ -3,8 +3,7 @@ NULL =
ACLOCAL_AMFLAGS = -I m4
if ENABLE_SERVER
- IPASERVER_SUBDIRS = ipaserver ipasphinx
- SERVER_SUBDIRS = daemons init install
+ SERVER_SUBDIRS = daemons
endif
if WITH_IPATESTS
diff --git a/daemons/Makefile.am b/daemons/Makefile.am
--- a/daemons/Makefile.am
+++ b/daemons/Makefile.am
@@ -9,11 +9,7 @@ noinst_HEADERS = ipa-version.h.in
SUBDIRS = \
. \
- dnssec \
- ipa-kdb \
- ipa-slapi-plugins \
ipa-sam \
- ipa-otpd \
$(NULL)
ipa-version.h: ipa-version.h.in $(top_builddir)/$(CONFIG_STATUS)


@ -22,6 +22,7 @@ in {
nixos.steam.account-switch
nixos.steam.beatsaber
nixos.tailscale
nixos.ipa
nixos.cloudflared
nixos.ddclient
nixos.acme


@ -2,6 +2,7 @@ tailscale-key: ENC[AES256_GCM,data:HmowloL0TsKM/XFI5GDd6Nl+9uSZcYevB6CObq1Eg5cvy
cloudflared-tunnel-hakurei: ENC[AES256_GCM,data:Pwj8/8RSLrfylwl1Et6SHOJSMWxm+Kn1WpYgZhvWoUQ9GsiuRFf2j0mdu36zid9N+6QC3NK9yv6mMfIgvLJkjXhiYtMidZD4e6a4kQMVbbui+Ohj6wf92Jg5rRdassFHJZSCyZtbaeBXqOzzqF51QrEEWRFxfxt6cvwqZjvSMsbctjltwiD7CehhzQGvDdstZAsVhJC6c+GKDs5pFU3KPTTIHc6b1IzZFijgJZKtNNgKrc4Wqw0=,iv:i2YZq7WMuKiDEHMUJS3QD+SP68Rkpt2fS4X8pkv8s3I=,tag:+0RuoOBf9Vm6aJdCsDfvKg==,type:str]
tf-proxmox-passwd: ENC[AES256_GCM,data:kLLFPr5jILsUt7yecUc1Eb1V9hXEUFBytT7ehcwLv7W9Vfar/BdMQasNecs8S1Ilt7uAjpiXIkNGr5hkktNanIegJw539B43Pnk=,iv:rOy27QkhMM7LrNgYoHgZCwoZHtzUzDrUnhroLSqbKSw=,tag:HkFBkiws/jlQmXP8SpcUYg==,type:str]
tf-proxmox-identity: ENC[AES256_GCM,data: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,iv:dUUGP+HspbqutGpcGxrVn8071S+h8nobUlfgUuFz9io=,tag:HhgrC6699p36RFzpSwvf0Q==,type:str]
krb5-keytab: ENC[AES256_GCM,data:53lA9ZRGpQIY22s9xtdRKOI9kn6flNcBlME+0qxH0/DfsN6PMORkHPz34lehf56BZbO1pnIDa8STh5xJGi4xlwtkvkGN77LrLwWgnveenGpCFQ+XNLY1sdl9pbuCppJ1fRq72rGvF/EjOLY25kmRWUSLz9h94yJXsFcIpxrqxywqr579MBHMBjHseNWC/8w6DQLMZLXULrNJTIvP2FICbiUJj27EheBzbbrKtWT269qTsCxp7To7E0uFzPonpFvMDPhKwvnAPVQeFDfThQrHtbWhWrKBgLfq/RO5E7hFWGGrh3ZEs27jxJ3AHuuflI6DEZYGszB1fGRSNHLd5NCvcoSy26WRzpnepneyoZdDsx2SGubDy343vY5tN1/yIngsnL3jK8/4/L+RknhjIgnPNk6foAIphGMhDp6NWMFuTo1MlsuYjl3tnqShmOFt/Sep7JuFN27qN8NwsIIH+rDA49/LSPj2g89QQ/vPHBXjycjg0gKWjofrd73P3C3z5ROdUS2Ge9gF6VerbSRxPaD1O25HQ94x2/qZcpRv3NgzqC5w2Y0HkcnuJGmnOjLwiQ8JoDWY1ZEasafXXz/ffTkMycL3wH+NyLuGlu5FQG8VPfps+O1qz9Pkq11bzkugSZ1PBdOA9ki4RcVdms6ivIQWdjWTsz3Xi/Y0KBnjylY/qGRepBVJ5I1wXb3jcZkm8PCdL40ObxlcIX43bRGW1mqY9zKDkic6FXmwd0LdxO+z9Cd/r33X3yf3wDoCKwhngQVJqjQySGj+E5sJST1SfrrQTRyAbu9ca+hEkgq2o5x9PsJvkGj7+h9fXVWbo9J0NFqFHOtMAcom/HFdkiBhxVeTFoHNVpgKlY3QSR0OANXmvJ5lNZONWq7nOVxAy60fUC1b5ZjuoaRmt5t44HWbNb6HW1kW06Q901ZMFR29qE5F/ciJ3DsT3mJ62hJMdOc3+m1wxY+INarPeZvdbuC3mQekZvbjQJVYXD/8DIg93+LPMvD88vymIVWsdrIzzH9JzHwEcEuLTv0coLXsRoips8dV6c1KjZr1uQz42FuydxdIXFy6pwZ8C2bD7Obla8mUqe6vniX0xHtuuAOxsZzJFIMgZqaPZnMG18J/d1Lw/a2UZw9iFzh6MEirGSviMcIV5sVgYqo27qr55OKxeRDmlb/WQI2qrt50TtYNdItVGlnJKmDBw3+txU5+toqxSdlTMRmQIQZc7y/iXqLskXlwaWQLuAoXKHIQ8JGbvw2sZLzIcy6LIQqLQgQwmB+u4ZwExjuJ/h3EkBK3VzA0P014CphkWrQIpva1k9JUhbGvfM6CO32xEZpWWtThov0bGcNDTa/OB2JuGD+FpiCf3q4w5kXbMdSLpm+FQcEdZAHJbgHOAeq7kGNJ9f6yVsCi5DZiH/F1DUqhrRCJXz2yxVlp8JsQG/8WeTM1+w/jl3e6MtejRa/OQIwOa+c=,iv:210i0Kj0KVXIg8DTDlsJYyuxjAd1ASGvqGlHOhYLLNY=,tag:Eb42niH6t/Dpgw0scblmIg==,type:str]
sops:
shamir_threshold: 1
kms: []
@ -18,8 +19,8 @@ sops:
ZEpzdWJZWGdEaElLZUc1YW5ON0YrM2MKk/dZvaFVzfkMD3poreaDGfJwG5j5fL3L
kuV/3fEHBf5HszR/VTy/bZ2+abN6x3UG5h0l+QaS9ux+mtwFCyYYjg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-26T20:09:45Z"
mac: ENC[AES256_GCM,data:jVC5XpyzRHHB03ijZlN711qE7D6n+YehrkyFZZ9JmRre+oR7H171Be+BYq3QZl5pp0VGlfFRPmGrBlh3nwxL1FYYIzDMWMmkJrce2pdYKgOwQxRqR5bbW6yH8zYbyD2f1gZ9DIo/UPlPvdWFsFHZOKNWo/gPeDeI1MZQCNmQpnY=,iv:vOoGpsG5FJt+leB7sblkvwyDNa+2TvUg1cqWAzMgRks=,tag:hbpdem+/E042g5IiQa+TFw==,type:str]
lastmodified: "2024-03-17T22:21:26Z"
mac: ENC[AES256_GCM,data:q0YqiY24G58KUk6UJ2kqjtERe9AcTSsb2MS3CP8zyPUVrYtP0V8MUyJ0z7ZfbeD0cXlY6UtVLBV+EwXyFCyR2enyP1FufAdR7jQLxDS219JPVipKfOGu12N3F7e91PK4Glh36bVoBNsXjbtWlQMiwZe7sV9e/rnRBe3gks6PCnU=,iv:A7i8+WKZwifRBTwrBnxMDHk6JtvqD7JVZA7TXShKJRM=,tag:dpJ/J/AUHXx4F98PuqEbjw==,type:str]
pgp:
- created_at: "2024-01-19T18:57:37Z"
enc: |-


@ -9,6 +9,7 @@
nixos.steam.account-switch
nixos.steam.beatsaber
nixos.tailscale
nixos.ipa
nixos.nfs
];


@ -1,4 +1,5 @@
tailscale-key: ENC[AES256_GCM,data:X1oDglyEjyFyeBgkV52IAcvS7krEeUfuJYhp/GN0cLH7She/RLdScbMcGBLwkDdtgoBkSK/HEjk=,iv:7eJg2IMVxZX7O3rzqeai3gjbAMLu3ScU49rrQPxnl0s=,tag:L2EgzeAvr4PLxaTBe9vObg==,type:str]
krb5-keytab: ENC[AES256_GCM,data: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,iv:xzjH/RaRSHx39TkQW3Ns7pLf6/ogeFHWqNvfkgOgsEA=,tag:IvmpHdZi04cdYFaXh3YTIg==,type:str]
sops:
shamir_threshold: 1
kms: []
@ -15,8 +16,8 @@ sops:
UERXZU1FaTNGU09mTm91M05MNitvQzgKhaWavZCVVMA+MqdX4LDsywN9ySSskH0X
2K+YRI34/3oY0Mv2s6OEIa+laYf2XRImSh6BN1F4b/AezQa1LCTTaw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-30T23:58:54Z"
mac: ENC[AES256_GCM,data:ih1RwcmiaD4yQnSoxo+uoJFZCEQp5xs1+O976EeLIUxkhcbpJ3//jhch591TyQbCf6IHBkjrmTbsQdEX6607n4KV6RLYW1822Fc34d76QdJMAJOxRD8oYpf9+iUN8VmfkO2PqPFvxub/iOmt38AkV+1cK+8LYaTXPT+yY6fJ2h4=,iv:Yb7MAsyH980A8hAifhzk+jtOoVsAapsH+mD1h7oWjKI=,tag:IcVWkobQWg2zwrXP7kRAyA==,type:str]
lastmodified: "2024-03-16T20:48:49Z"
mac: ENC[AES256_GCM,data:si2YKYqOtaNm1xOlcK698jeK5XWnRIFW6OTyUxv2TxlmgoqximGVl7a/dv/CePQSA1m7pPBZFCAMGV9lmMtMGMM9ipxlaFIkHDRHcBndriy+a9Cijdc/Q5OybYOh6FA+Jktqn7afuF8IrWETWK7wO1E3lg1QmNQrW04gzzwNXLU=,iv:rGNEBBuZIT4asB3JsEF0AImxjgpbhCNeRjIeB1RFpyk=,tag:eKwBpWNVXGmU63gAg+TQ3g==,type:str]
pgp:
- created_at: "2024-01-30T23:58:18Z"
enc: |-


@ -0,0 +1,2 @@
[Unit]
ConditionPathExists=


@ -157,3 +157,10 @@ mkshared plex 100193 100193 0755
mkshared postgresql 100071 100071 0750
mkshared unifi 100990 100990 0755
mkshared zigbee2mqtt 100317 100317 0700
ln -sf /lib/systemd/system/auth-rpcgss-module.service /etc/systemd/system/
mkdir -p /etc/systemd/system/auth-rpcgss-module.service.d
ln -sf /etc/systemd/system/auth-rpcgss-module.service /etc/systemd/system/multi-user.target.wants/
base64 -d > /etc/systemd/system/auth-rpcgss-module.service.d/overrides.conf <<EOF
$INPUT_AUTHRPCGSS_OVERRIDES
EOF
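Review bot: The `base64 -d > …/overrides.conf <<EOF` on L720-L722 leaves an empty or truncated overrides.conf behind if the variable is unset or not valid base64, and with no exit-status check the script carries on as if the override were installed; `|| exit 1` on that command, or `set -euo pipefail` earlier in the script if it is not already there, makes the failure visible. The rest of the script, including whatever shell options it sets, is outside the hunk.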