fix(samba): trust ldap.int

This commit is contained in:
arcnmx 2025-10-20 09:26:08 -07:00
parent 0ed23aea31
commit 253f6e38a3
4 changed files with 45 additions and 1 deletions


@ -31,6 +31,40 @@ in {
default = false;
description = "allow the ipa module to override the ntp configuration";
};
openldap = mkOption {
type = bool;
default = false;
description = "allow the ipa module to override ldap.conf";
};
};
openldap = {
settings = {
uri = mkOption {
type = str;
default = "ldaps://${cfg.server}";
};
base = mkOption {
type = str;
default = cfg.basedn;
};
tls_cacert = mkOption {
type = str;
default = "/etc/ipa/ca.crt";
};
sasl_nocanon = mkOption {
type = bool;
default = true;
};
};
extraConfig = mkOption {
type = lines;
default = ''
SASL_NOCANON ${if cfg.openldap.settings.sasl_nocanon or false then "on" else "off"}
URI ${cfg.openldap.settings.uri}
BASE ${cfg.openldap.settings.base}
TLS_CACERT ${cfg.openldap.settings.tls_cacert}
'';
};
};
};
config.services.sssd = let
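Review bot: The `or false` fallback in the SASL_NOCANON line is dead code, because `sasl_nocanon` is declared a few lines above as a `bool` option with `default = true`, so the attribute always exists; `SASL_NOCANON ${if cfg.openldap.settings.sasl_nocanon then "on" else "off"}` says the same thing without suggesting the value can be missing. Separately, `extraConfig` is typed `lines` but its default is the entire ldap.conf (URI, BASE, TLS_CACERT), so a user who sets it replaces the CA pinning rather than appending to it, and none of the new `settings` options or `extraConfig` carry a description. I would add `description = "complete contents of ldap.conf written by the ipa module; setting this replaces the generated URI, BASE and TLS_CACERT lines";` to `extraConfig` and one-line descriptions to `uri`, `base`, `tls_cacert` and `sasl_nocanon`. The generated file relies on the OpenLDAP default of `TLS_REQCERT demand` for certificate verification; stating `TLS_REQCERT demand` explicitly in the default would document that intent (presumably what the module wants, given the dedicated `tls_cacert` option). The enclosing `options` attribute set begins outside the hunk.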
@ -144,4 +178,10 @@ in {
mkIf (cfg.enable && !cfg.overrideConfigs.krb5) {
text = mkForce (format.generate "krb5.conf" krb5.settings).text;
};
config.environment.etc."ldap.conf" = let
ldapConf = cfg.openldap.extraConfig;
in
mkIf (cfg.enable && !cfg.overrideConfigs.openldap) {
source = mkForce (pkgs.writeText "ldap.conf" ldapConf);
};
}
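Review bot: The new `ldap.conf` entry uses `source = mkForce (pkgs.writeText "ldap.conf" ldapConf)` while the sibling `krb5.conf` entry three lines above uses `text = mkForce ...`; `text = mkForce cfg.openldap.extraConfig;` is equivalent here, matches that style and removes the single-use `let ldapConf` binding. The guard `!cfg.overrideConfigs.openldap` means that setting the option to true makes this module stop writing ldap.conf, which reads as the opposite of its description in the first hunk ("allow the ipa module to override ldap.conf"); if "ipa module" there refers to the IPA client tooling rather than this NixOS module, the description should say so, e.g. `description = "leave ldap.conf to the ipa client tooling instead of generating it from services.ipa.openldap";`. I would also add a one-line comment above the `mkIf`, such as `# mkForce so the ipa-generated ldap.conf wins over other modules that set environment.etc."ldap.conf"`, since the forced override otherwise silently masks other definitions. The module function this hunk closes starts outside the hunk.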


@ -129,6 +129,7 @@ in {
# man 5 ldap.conf
LDAPBASE = ldap.base;
LDAPURI = "ldaps://ldap.int.${config.networking.domain}";
LDAPTLS_CACERT = "/etc/ssl/certs/ca-bundle.crt";
};
ldapAuth = mkMerge [
(mkIf config.security.krb5.enable (mapOptionDefaults {