From 6db8e4e304735404e9792a7b31e3e6ab51ce4445 Mon Sep 17 00:00:00 2001 From: arcnmx Date: Fri, 5 Apr 2024 15:04:09 -0700 Subject: [PATCH] feat(extern): krb5 --- .sops.yaml | 11 + modules/extern/misc/ipa.nix | 5 + modules/extern/misc/netgroups.nix | 5 + modules/extern/misc/sssd.nix | 5 + modules/extern/nixos/access.nix | 46 ++++ modules/extern/nixos/krb5.nix | 371 ++++++++++++++++++++++++++++++ modules/extern/nixos/kyuuto.nix | 55 +++-- modules/extern/secrets/krb5.yaml | 68 ++++++ modules/nixos/sssd/genso.nix | 10 +- nixos/base/nixpkgs.nix | 1 + overlays/default.nix | 1 + overlays/krb5.nix | 5 + systems/extern-test/nixos.nix | 15 ++ 13 files changed, 577 insertions(+), 21 deletions(-) create mode 100644 modules/extern/misc/ipa.nix create mode 100644 modules/extern/misc/netgroups.nix create mode 100644 modules/extern/misc/sssd.nix create mode 100644 modules/extern/nixos/access.nix create mode 100644 modules/extern/nixos/krb5.nix create mode 100644 modules/extern/secrets/krb5.yaml create mode 100644 overlays/krb5.nix diff --git a/.sops.yaml b/.sops.yaml index 09ddb5fc..cb1dbde0 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,6 +1,8 @@ keys: - &kat CD8CE78CB0B3BDD4 # https://inskip.me/pubkey.asc - &mew 65BD3044771CB6FB +- &shanghai_osh age1ua5dukhxsmztpwqrcd25zyvdqhww565dn3uj5mqm7evg9khfjfnq66zywn +- &nue_osh age19wwvlh83p4a3t76j8wzcmh2ns9w348ttff5n9h3zwnmxhm3vtgyqg7qh6x - &hakurei_osh age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq - &reimu_osh age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057 - &utsuho_osh age15hmlkd9p5rladsjzpmvrh6u34xvggu9mzdsdxdj3ms43tltxeuhq4g7g9k @@ -29,6 +31,15 @@ creation_rules: - *mediabox_osh - *litterbox_osh - *keycloak_osh +- path_regex: 'modules/extern/secrets/.+\.yaml$' + shamir_threshold: 1 + key_groups: + - pgp: &pgp_common + - *kat + - *mew + age: &extern_common + - *shanghai_osh + - *nue_osh - path_regex: 'systems/hakurei/secrets\.yaml$' shamir_threshold: 1 key_groups: 
diff --git a/modules/extern/misc/ipa.nix b/modules/extern/misc/ipa.nix
new file mode 100644
index 00000000..cc711e02
--- /dev/null
+++ b/modules/extern/misc/ipa.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+ imports = [
+ ../../nixos/ipa.nix
+ ];
+}
diff --git a/modules/extern/misc/netgroups.nix b/modules/extern/misc/netgroups.nix
new file mode 100644
index 00000000..a95c730d
--- /dev/null
+++ b/modules/extern/misc/netgroups.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+ imports = [
+ ../../nixos/network/netgroups.nix
+ ];
+}
diff --git a/modules/extern/misc/sssd.nix b/modules/extern/misc/sssd.nix
new file mode 100644
index 00000000..1e3eae56
--- /dev/null
+++ b/modules/extern/misc/sssd.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+ imports = [
+ ../../nixos/sssd/sssd.nix
+ ];
+}
diff --git a/modules/extern/nixos/access.nix b/modules/extern/nixos/access.nix
new file mode 100644
index 00000000..deecd327
--- /dev/null
+++ b/modules/extern/nixos/access.nix
@@ -0,0 +1,46 @@
+{
+ config,
+ lib,
+ gensokyo-zone,
+ ...
+}: let
+ inherit (lib.options) mkOption mkEnableOption;
+ cfg = config.gensokyo-zone.access;
+ accessModule = {
+ gensokyo-zone,
+ nixosConfig,
+ config,
+ ...
+ }: {
+ options = with lib.types; {
+ tail = {
+ enable = mkEnableOption "tailscale access";
+ enabled = mkOption {
+ type = bool;
+ readOnly = true;
+ };
+ };
+ local.enable = mkEnableOption "local access";
+ };
+ config = {
+ tail.enabled = config.tail.enable && nixosConfig.services.tailscale.enable;
+ };
+ };
+in {
+ options.gensokyo-zone.access = mkOption {
+ type = lib.types.submoduleWith {
+ modules = [accessModule];
+ specialArgs = {
+ inherit gensokyo-zone;
+ nixosConfig = config;
+ };
+ };
+ default = { };
+ };
+
+ config = {
+ lib.gensokyo-zone.access = {
+ inherit cfg accessModule;
+ };
+ };
+}
diff --git a/modules/extern/nixos/krb5.nix b/modules/extern/nixos/krb5.nix
new file mode 100644
index 00000000..c3a2c445
--- /dev/null
+++ b/modules/extern/nixos/krb5.nix
@@ -0,0 +1,371 @@ +{ + config, + options, + lib, + gensokyo-zone, + pkgs, + ... +}: let + inherit (gensokyo-zone.lib) mkAlmostOptionDefault mapOptionDefaults mapAlmostOptionDefaults; + inherit (lib.options) mkOption mkEnableOption; + inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkDefault mkOptionDefault; + inherit (lib.lists) optional; + inherit (lib.strings) toUpper; + inherit (gensokyo-zone.lib) unmerged; + cfg = config.gensokyo-zone.krb5; + krb5Module = { + gensokyo-zone, + nixosConfig, + nixosOptions, + config, + pkgs, + ... + }: let + inherit (gensokyo-zone.lib) unmerged mkBaseDn; + inherit (nixosConfig.gensokyo-zone) access; + enabled = { + krb5 = nixosConfig.security.krb5.enable; + ipa = config.ipa.enable && nixosConfig.security.ipa.enable; + sssd = config.sssd.enable && nixosConfig.services.sssd.enable; + }; + in { + options = with lib.types; { + enable = mkEnableOption "kerberos settings"; + domain = mkOption { + type = str; + default = gensokyo-zone.lib.domain; + }; + realm = mkOption { + type = str; + default = toUpper config.domain; + }; + ca = { + trust = mkEnableOption "trust CA" // { + default = true; + }; + pem = mkOption { + type = path; + }; + }; + host = mkOption { + type = str; + default = config.ipa.host; + }; + ldap = { + host = mkOption { + type = str; + default = "ldap.${config.domain}"; + example = "ldap.local.${config.domain}"; + }; + urls = mkOption { + type = listOf str; + default = [ "ldaps://${config.ldap.host}" ]; + }; + baseDn = mkOption { + type = str; + default = mkBaseDn config.domain; + }; + bind = { + dn = mkOption { + type = str; + default = "uid=peep,cn=sysaccounts,cn=etc,${config.ldap.baseDn}"; + }; + passwordFile = mkOption { + type = path; + }; + passwordFileKrb5 = mkOption { + type = path; + example = lib.literalExpression "\${pkgs.writeText "ldap.kdb5" '' + ${config.bind.dn}#{HEX}616e6f6e796d6f7573 + ''}"; + }; + passwordFileSssdEnv = mkOption { + type = path; + example = lib.literalExpression "\${pkgs.writeText 
"ldap.kdb5" '' + ${"SSSD_AUTHTOK_" + replaceStrings [ "." ] [ "_" ] (toUpper config.domain)}=verysecretpassword + ''}"; + }; + }; + }; + db = { + backend = mkOption { + type = enum [ "kldap" "ipa" ]; + default = "kldap"; + }; + }; + logLevel = mkOption { + type = str; + default = "NOTICE"; + }; + authToLocalNames = mkOption { + type = attrsOf str; + default = { }; + example = { + "arc@${config.realm}" = "arc"; + }; + }; + sssd = { + enable = mkEnableOption "sssd"; + pam.enable = mkEnableOption "PAM"; + backend = mkOption { + type = enum [ "ipa" "ldap" ]; + default = { + ipa = "ipa"; + kldap = "ldap"; + }.${config.db.backend}; + }; + }; + ntp = { + enable = mkEnableOption "ntp" // { + default = true; + }; + servers = mkOption { + type = listOf str; + example = [ config.ipa.host ]; + default = [ "2.fedora.pool.ntp.org" ]; + }; + }; + nfs = { + enable = mkEnableOption "nfs"; + debug.enable = mkEnableOption "nfs debug logs"; + }; + ipa = { + enable = mkEnableOption "IPA"; + httpHost = mkOption { + type = str; + default = "freeipa.${config.domain}"; + }; + host = mkOption { + type = str; + default = "idp.${config.domain}"; + }; + }; + set = { + krb5Settings = mkOption { + type = unmerged.type; + default = {}; + }; + sssdSettings = mkOption { + type = unmerged.type; + default = {}; + }; + ipaSettings = mkOption { + type = unmerged.type; + default = {}; + }; + nfsSettings = mkOption { + type = unmerged.type; + default = {}; + }; + }; + }; + config = { + ca.pem = let + caPem = pkgs.fetchurl { + name = "${config.ipa.host}.ca.pem"; + url = "https://${config.ipa.httpHost}/ipa/config/ca.crt"; + sha256 = "sha256-PKjnjn1jIq9x4BX8+WGkZfj4HQtmnHqmFSALqggo91o="; + }; + in mkOptionDefault caPem; + ldap = { + urls = mkMerge [ + (mkIf access.local.enable (mkOptionDefault (mkBefore [ + "ldaps://ldap.local.${config.domain}" + ]))) + (mkIf enabled.ipa (mkOptionDefault (mkBefore [ + "ldaps://${config.ipa.host}" + ]))) + (mkIf access.tail.enabled (mkOptionDefault (mkAfter [ + 
"ldap://ldap.tail.${config.domain}" + ]))) + ]; + bind = let + inherit (nixosConfig.sops) secrets; + in mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-krb5-passwords) { + passwordFileKrb5 = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-passwords.path; + passwordFile = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-peep-password.path; + passwordFileSssdEnv = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-sssd-passwords.path; + }; + }; + db.backend = mkIf enabled.ipa (mkAlmostOptionDefault "ipa"); + set = { + krb5Settings = { + enable = mkAlmostOptionDefault true; + gensokyo-zone = { + enable = mkAlmostOptionDefault true; + host = mkAlmostOptionDefault config.host; + canonHost = mkAlmostOptionDefault config.ipa.host; + domain = mkAlmostOptionDefault config.domain; + realm = mkAlmostOptionDefault config.realm; + ca.cert = mkAlmostOptionDefault config.ca.pem; + db.backend = mkAlmostOptionDefault config.db.backend; + ldap = { + baseDn = mkAlmostOptionDefault config.ldap.baseDn; + urls = mkAlmostOptionDefault config.ldap.urls; + bind = mapAlmostOptionDefaults { + dn = config.ldap.bind.dn; + passwordFile = config.ldap.bind.passwordFileKrb5; + }; + }; + authToLocalNames = mkAlmostOptionDefault config.authToLocalNames; + }; + }; + sssdSettings = let + servers = optional access.local.enable "idp.local.${config.domain}" + ++ [ "_srv" ]; + backups = mkMerge [ + (mkIf access.tail.enabled (mkAlmostOptionDefault [ "freeipa.tail.${config.domain}" ])) + (mkIf access.local.enable (mkAlmostOptionDefault [ "freeipa.local.${config.domain}" ])) + ]; + in mkIf config.sssd.enable { + enable = mkAlmostOptionDefault true; + gensokyo-zone = { + backend = mkAlmostOptionDefault config.sssd.backend; + krb5.servers = { + servers = servers ++ [ config.host ]; + inherit backups; + }; + ipa.servers = { + servers = servers ++ [ config.ipa.host ]; + inherit backups; + }; + ldap = { + bind.passwordFile = mkAlmostOptionDefault 
config.ldap.bind.passwordFile; + uris.backups = mkIf access.tail.enabled (mkAlmostOptionDefault (mkAfter [ + "ldaps://ldap.tail.${config.domain}" + ])); + }; + }; + environmentFile = mkIf (config.sssd.backend == "ldap") (mkAlmostOptionDefault + config.ldap.bind.passwordFileSssdEnv + ); + services = { + ifp.enable = mkAlmostOptionDefault true; + pam.enable = mkIf (!config.sssd.pam.enable) (mkDefault false); + }; + }; + ipaSettings = mkIf config.ipa.enable (mapAlmostOptionDefaults { + enable = true; + certificate = config.ca.pem; + basedn = config.ldap.baseDn; + domain = config.domain; + realm = config.realm; + server = config.ipa.server; + # TODO: dyndns? + overrideConfigs = { + sssd = mkAlmostOptionDefault false; + krb5 = mkAlmostOptionDefault false; + }; + }); + nfsSettings = mkIf config.nfs.enable { + ${if nixosOptions ? services.nfs.settings then "settings" else null} = mkMerge [ + { + gssd = mapOptionDefaults { + #use-machine-creds = false; + avoid-dns = true; + preferred-realm = config.realm; + }; + } + (mkIf config.nfs.debug.enable { + mountd.debug = mkOptionDefault "all"; + exportfs.debug = mkOptionDefault "all"; + exportd.debug = mkOptionDefault "all"; + general.idmap-verbosity = mkOptionDefault 3; + idmapd = mapOptionDefaults { + verbosity = 3; + idmap-verbosity = 3; + }; + gssd = mapOptionDefaults { + verbosity = 3; + rpc-verbosity = 3; + }; + }) + ]; + ${if nixosOptions ? 
services.nfs.settings then null else "extraConfig"} = mkMerge [ + '' + [gssd] + #use-machine-creds = false + avoid-dns = true + preferred-realm = ${config.realm} + '' + (mkIf config.nfs.debug.enable '' + [mountd] + debug = all + [exportfs] + debug = all + [exportd] + debug = all + [general] + idmap-verbosity = 3 + [idmapd] + verbosity = 3 + idmap-verbosity = 3 + [gssd] + verbosity = 3 + rpc-verbosity = 3 + '') + ]; + idmapd.settings = mkIf false { + #General.Domain = mkForce config.domain; + #Local-Realms = concatStringsSep "," [ config.realm nixosConfig.networking.domain ]; + #Translation.Method = mkForce (concatStringsSep "," [ "static" "nsswitch" ]); + }; + }; + }; + }; + }; +in { + imports = [ + ./access.nix + ../misc/sssd.nix + ../misc/ipa.nix + ../misc/netgroups.nix + ../../nixos/krb5/genso.nix + ../../nixos/sssd/genso.nix + ]; + + options.gensokyo-zone.krb5 = mkOption { + type = lib.types.submoduleWith { + modules = [krb5Module]; + specialArgs = { + inherit gensokyo-zone pkgs; + inherit (gensokyo-zone) inputs; + nixosConfig = config; + nixosOptions = options; + }; + }; + default = { }; + }; + + config = { + security = { + krb5 = mkIf cfg.enable (unmerged.merge cfg.set.krb5Settings); + ipa = mkIf cfg.enable (unmerged.merge cfg.set.ipaSettings); + pki.certificateFiles = mkIf (cfg.enable && cfg.ca.trust && !cfg.ipa.enable) [ + cfg.ca.pem + ]; + }; + services.sssd = mkIf cfg.enable (unmerged.merge cfg.set.sssdSettings); + services.nfs = mkIf cfg.enable (unmerged.merge cfg.set.nfsSettings); + services.ntp.enable = mkIf (cfg.enable && cfg.ntp.enable) (mkAlmostOptionDefault true); + networking = { + timeServers = mkIf (cfg.enable && cfg.ntp.enable) cfg.ntp.servers; + }; + ${if options ? 
sops.secrets then "sops" else null}.secrets = let + sopsFile = mkDefault ../secrets/krb5.yaml; + in mkIf cfg.enable { + gensokyo-zone-krb5-passwords = mkIf (cfg.db.backend == "kldap") { + inherit sopsFile; + }; + gensokyo-zone-krb5-peep-password = mkIf (cfg.sssd.backend == "ldap") { + inherit sopsFile; + }; + gensokyo-zone-sssd-passwords = mkIf (cfg.sssd.backend == "ldap") { + inherit sopsFile; + }; + }; + lib.gensokyo-zone.krb5 = { + inherit cfg krb5Module; + }; + }; +} diff --git a/modules/extern/nixos/kyuuto.nix b/modules/extern/nixos/kyuuto.nix index 8ce90320..beb29487 100644 --- a/modules/extern/nixos/kyuuto.nix +++ b/modules/extern/nixos/kyuuto.nix @@ -15,7 +15,11 @@ ... }: let inherit (gensokyo-zone.lib) unmerged domain; - setFilesystemOptions = mkMerge [ + inherit (nixosConfig.gensokyo-zone) access; + enabled = { + krb5 = nixosConfig.gensokyo-zone.krb5.enable or false; + }; + setFilesystemOptions = [ (mkIf config.nfs.enable config.nfs.fstabOptions) (mkIf config.smb.enable config.smb.fstabOptions) (mkIf config.automount.enable config.automount.fstabOptions) @@ -23,21 +27,26 @@ in { options = with lib.types; { enable = mkEnableOption "kyuuto"; - media.enable = - mkEnableOption "/mnt/kyuuto-media" - // { + media = { + enable = mkEnableOption "/mnt/kyuuto-media" // { default = true; }; - transfer.enable = - mkEnableOption "/mnt/kyuuto-transfer" - // { + krb5.enable = mkEnableOption "krb5" // { + default = enabled.krb5; + }; + }; + transfer = { + enable = mkEnableOption "/mnt/kyuuto-transfer" // { default = true; }; + krb5.enable = mkEnableOption "krb5" // { + default = enabled.krb5; + }; + }; shared.enable = mkEnableOption "/mnt/kyuuto-shared"; domain = mkOption { type = str; }; - local.enable = mkEnableOption "LAN"; automount = { enable = mkEnableOption "systemd automount" 
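Review bot: The tailscale fallback appended to `ldap.urls` is plain `"ldap://ldap.tail.${config.domain}"` while every other entry in that list, and the sssd `uris.backups` entry for the same host later in this hunk, is `ldaps://`, so on that path the kldap bind credential from `passwordFileKrb5` would be sent over a connection without TLS. Unless the tailnet link is deliberately relied on for transport encryption, it should read `"ldaps://ldap.tail.${config.domain}"`; if it is deliberate, a comment such as `# plain ldap: tailnet provides the transport encryption` would keep the next reader from guessing. Separately, `ipaSettings` passes `server = config.ipa.server;`, but the submodule declares only `ipa.enable`, `ipa.httpHost` and `ipa.host`, so setting `ipa.enable = true` will fail evaluation with a missing-attribute error — presumably `server = config.ipa.host;` was meant, matching the sssd `ipa.servers` entry above it.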
@@ -75,18 +84,18 @@ config = { domain = mkMerge [ (mkOptionDefault ( - if config.local.enable + if access.local.enable then "local.${domain}" else domain )) - (mkIf nixosConfig.services.tailscale.enable ( + (mkIf access.tail.enabled ( mkDefault "tail.${domain}" )) ]; nfs.fstabOptions = [ "noauto" - "nfsvers=4" + #"nfsvers=4" "soft" "retrans=2" "timeo=60" @@ -105,7 +114,7 @@ device = mkMerge [ (mkIf config.nfs.enable "nfs.${config.domain}:/mnt/kyuuto-media") (mkIf config.smb.enable ( - if config.smb.user != null && config.local.enable + if config.smb.user != null && access.local.enable then ''\\smb.${config.domain}\kyuuto-media'' else if config.smb.user != null then ''\\smb.${config.domain}\kyuuto-media-global'' 
@@ -116,28 +125,42 @@ (mkIf config.nfs.enable "nfs4") (mkIf config.smb.enable "smb3") ]; - options = setFilesystemOptions; + options = mkMerge (setFilesystemOptions ++ [ + (mkIf config.media.krb5.enable [ + "sec=krb5" + (mkIf config.nfs.enable "nfsvers=4") + ]) + ]); }; "/mnt/kyuuto-transfer" = mkIf config.transfer.enable { device = mkMerge [ (mkIf config.nfs.enable "nfs.${config.domain}:/mnt/kyuuto-media/transfer") - (mkIf (config.smb.enable && config.local.enable) ''\\smb.${config.domain}\kyuuto-transfer'') + (mkIf (config.smb.enable && access.local.enable) ''\\smb.${config.domain}\kyuuto-transfer'') ]; fsType = mkMerge [ (mkIf config.nfs.enable "nfs4") (mkIf config.smb.enable "smb3") ]; - options = setFilesystemOptions; + options = mkMerge (setFilesystemOptions ++ [ + (mkIf config.media.krb5.enable [ + (if access.local.enable || access.tail.enabled then "sec=sys:krb5" else "sec=krb5") + #(mkIf config.nfs.enable "nfsvers=3") + ]) + ]); }; "/mnt/kyuuto-shared" = mkIf (config.shared.enable && config.smb.enable) { device = mkIf (config.smb.user != null) ''\\smb.${config.domain}\shared''; fsType = "smb3"; - options = setFilesystemOptions; + options = mkMerge setFilesystemOptions; }; }; }; }; in { + imports = [ + ./access.nix + ]; + options.gensokyo-zone.kyuuto = mkOption { type = lib.types.submoduleWith { modules = [kyuutoModule]; diff --git a/modules/extern/secrets/krb5.yaml b/modules/extern/secrets/krb5.yaml new file mode 100644 index 00000000..dfe87904 --- /dev/null +++ b/modules/extern/secrets/krb5.yaml 
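Review bot: The `/mnt/kyuuto-transfer` mount gates its Kerberos options on `config.media.krb5.enable` instead of the `transfer.krb5.enable` option this commit introduces in the options hunk, so disabling Kerberos for the transfer share alone has no effect; the guard should be `(mkIf config.transfer.krb5.enable [`. The `sec=sys:krb5` line also deserves a comment, since as I read the nfs(5) `sec=` semantics the client takes the first flavour the server supports, meaning on local/tail access the mount uses AUTH_SYS whenever the export allows it and only falls back to Kerberos, e.g. `# prefer AUTH_SYS on trusted networks; krb5 only when the export refuses sys`. The enclosing `fileSystems` attrset starts before this hunk.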
@@ -0,0 +1,68 @@ +gensokyo-zone-krb5-passwords: ENC[AES256_GCM,data:59sSVI2bZGotSymwZCv/eTxLOMUI4e+yJb8IbMJaMq1ZM2OZjLfYQ2lTghRgJU33r0lpg8tTlWI8JY+6ZqRl33wWzRqKUlS5T5M2lXKtD+8Cs5K5tVOva2kLBMz9fhL9wIFHb4wo0JY7giR0TZl5W5ztgU7DBQ0FkrO9,iv:CSZnTsSQOsHaAv6zFXCnotUF2zYtWnYxwc6Y/i4XG54=,tag:hlu7hJVIs2GV7gy4n48cMw==,type:str] +gensokyo-zone-sssd-passwords: ENC[AES256_GCM,data:CVIsArY97xbxVKozCNcdz9RgXF4NS3IFQTW6cdiv9CfQrMLcbnIXsWDTB5xe3LIMFXcXJR2ah00ZsJDm,iv:BQ76MfF6wBfU1Y7Pfud2Ld7ZyFNmxnDqJ2fKhjQoD9A=,tag:BhgRO65qaR2pV4S0q03cJg==,type:str] +gensokyo-zone-krb5-peep-password: ENC[AES256_GCM,data:6d8A5zZRdMzPZp5Hex54xm7/YJUtuQ9nWWJO+Fxa3Yo=,iv:LD1yBPfmxbxAwlTP3O+2muTb7/EbVSwAjrs6t5s+kos=,tag:ic2W/ITl6sb9O0Mii5AXUA==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ua5dukhxsmztpwqrcd25zyvdqhww565dn3uj5mqm7evg9khfjfnq66zywn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQ3hiZFRSWlAwc2Y1ekFr + MDVhZFBBeVJkYTdzS29hSkFFTVRLNDllV2dRCmtLZjN2SmZ4M3duOU1yMmVLUGZT + eGJDamk4UlMrWDNCNzhwMlltQ3cwdHMKLS0tIG5DSGxQSmlmSkcwcGUwOU91TERD + SkJ2eWZGNEcwNThSMFAwVm9TazAycmMKJ2eFKHIjQZ9Tyx7OYL1PWUOrp0AtkoPc + 3dvPspyBxNKJIM+8i2g6562zDKKufq/q0dILgs90UG0HinM3BRq4fg== + -----END AGE ENCRYPTED FILE----- + - recipient: age19wwvlh83p4a3t76j8wzcmh2ns9w348ttff5n9h3zwnmxhm3vtgyqg7qh6x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMGJTMld5aXlLaTI1NTBp + WjlyQWJ6Z1NRQlRLM0JaNkdaeDVVZ0JUbGpNCjY5QlU1N1BySmVDNlV4RmV0bTVX + R2hSVHRiNlNOZzNlbnBuK3Y5RlEwaDQKLS0tIFVqSWovN0F4QkNIOVBtZTlmc2Yy + OThVOVdkQ0I5U1YrN0prYnR5Mmptd0kKSP/JvDw+bjg2SSQk0gK2EIbyF/b4QSrY + kDKbUVYqH4EM6uw3hnvKKdwl91WyyH1zm0BOtyNzCgmxjCZ4wI5TYw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-06T20:44:34Z" + mac: 
ENC[AES256_GCM,data:DFQ5W8Nqp1TKlqSx4oKnkCNZE+ziWk0s+TBx5veemtsvCHcdy4Dtv00x1ROT7ZnKTRbQJ8EBXuztUhZPDlnoNMGpDt/1400VWGoDg7BBr+x/NF+CSC9DtjvnjjLd1Wl8UebVWoGywRYddCbMoqtPvm0wVIy3SEI/WlDGlroRJRE=,iv:fJ+fVoMlR5DPz3iTPsdmWBLl3owlCI0BYmNfc9+7WH8=,tag:7rDV7kZK1uso7cgRooV//w==,type:str] + pgp: + - created_at: "2024-04-06T17:38:14Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UAQ//WvYYZXtRwXR9GM2SJ/k+EnElquVY9GM4BvEa/JDxAX6p + eQDOeaI7xmzCJtQ2w5yH/9yPcxuMAi60e82T1ljDKjZl731pAWKTHX43EU0CSO9N + rST9dtSeG+Tf54JP+HAQ9IS/CFuQFaa7KGQLfodvkSFkt143o+WjQjDYF+THzNjx + 5b/V7MBmgYoDodyBeeXkQUhCfml5YLHJ0iBLhS1Xy1KGSYxdOkl/nZXd5zpj5fSe + i4P+RGS9EOvBIjACgPFGZ9X5eUhOL3COZ9Wyi+lAZ7tZqEFfrzDGI8FqT3nSflPK + g2ZKxJTBSPrtRLD1xcggWOq5Yejh+JsYuDEow4nj3vqGrivavUiwJn+hunhaZLJX + zHSnWSTSPAdtgUUM0F7N3LdhvP+zpMjiU0vq7UCNY6OdgUbjd1DO6mojAIt+AMlm + ZlPhqhuu+FavfK15UOKoBaps18INA5VCt2TqWVVxMGk5F0BHW/mq44yTeOwDtD7Q + WZgPwOjeg2qydqOO2XJgS7lAuA2mkOjXVtcPes/HBnUDdGUWzmVXsD0dxXBqXcBU + yrJctTNS0nJGUc7UyPX2480JL+68OqfvVtilACESnB3SwJ24Euy1OzfA3tx5iHp3 + 6GYatPBcS8GRHWBAzDznjjqkc7JPK4qvseuUYNQO3RMlkAOfEr0ONsAQtUkJSMzS + XAFC3rDeVEw/jRyMyrP1Nz3BiElZXmLk6AHrcCcglRqwIPGhbwoO9Wlnta9CscXY + gqP694TxAIGeWwxoDRY6xRE37h12thPDiPGDzGTkBIuc4x5BxzoOPuaXQmlc + =NcIp + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + - created_at: "2024-04-06T17:38:14Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA2W9MER3HLb7AQf+LzjSKdSQROup2RE7quznXApdflWyJ1yeit4xAWJkXLFj + thmaOqH/oJe7tEP03LQMrNHJnwAwc0rhbStEQHR60HGpHEPlSnWdZgG2dxrtxeTw + dd3hrKUzt+SmDpvbxzqwvwS34bmflDs/xnPpVcubIFHuUSjILvyS817hgkHS+FKM + eNJNY5UnOKGCSX7zb9B0DmSk7DknlhjyaGsCMQcTRqTugzwfosKQRODrulRpw4S8 + O/trlc43g9qazsArkosvNWKj/zvUUC2fEVWuP7dM6KRD8kk/CYotBjwIycSPMiXs + uOBe3UQ0ez7vd59GdUkf61A3eNc3U7towIeyLXpWotJcAY8YADhHJBG7Uhkpme2y + wjHHZNP7//8jAsQj17QAwhnh4ibeP73q5A9IR2AKPmJgbI5seNaTgEyDYOH6Xu86 + THvp1wtor0XZHHpGyqlYbxUdLCJPed5cLH6nG8I= + =IX81 + -----END PGP MESSAGE----- + fp: 65BD3044771CB6FB + unencrypted_suffix: _unencrypted + version: 3.8.1 
diff --git a/modules/nixos/sssd/genso.nix b/modules/nixos/sssd/genso.nix index d7221159..6e5da5e3 100644 --- a/modules/nixos/sssd/genso.nix +++ b/modules/nixos/sssd/genso.nix @@ -1,5 +1,5 @@ { gensokyo-zone, pkgs, config, lib, ... }: let - inherit (gensokyo-zone.lib) mkAlmostOptionDefault mapOptionDefaults mapAlmostOptionDefaults; + inherit (gensokyo-zone.lib) mkAlmostOptionDefault mapOptionDefaults mapAlmostOptionDefaults mapDefaults; inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkMerge mkAfter mkDefault mkOptionDefault; inherit (config.security) krb5 ipa; @@ -97,9 +97,9 @@ in { # or "ipaNTSecurityIdentifier" which isn't set for most groups, maybe check netgroups..? objectsid = "sambaSID"; backendDomainSettings = { - ldap = mapAlmostOptionDefaults { - id_provider = mkDefault "ldap"; - auth_provider = mkDefault "krb5"; + ldap = mapDefaults { + id_provider = "ldap"; + auth_provider = "krb5"; access_provider = "ldap"; ldap_tls_cacert = "/etc/ssl/certs/ca-bundle.crt"; } // mapOptionDefaults { @@ -108,7 +108,7 @@ in { ldap_default_bind_dn = genso.ldap.bind.dn; ldap_search_base = genso.ldap.baseDn; ldap_user_search_base = "cn=users,cn=accounts,${genso.ldap.baseDn}"; - ldap_group_search_base = "cn=groups,cn=accounts,${config.ldap.baseDn}"; + ldap_group_search_base = "cn=groups,cn=accounts,${genso.ldap.baseDn}"; ldap_user_uuid = "ipaUniqueID"; ldap_user_ssh_public_key = "ipaSshPubKey"; ldap_user_objectsid = objectsid; diff --git a/nixos/base/nixpkgs.nix b/nixos/base/nixpkgs.nix index bb2f9f24..4a93ca20 100644 --- a/nixos/base/nixpkgs.nix +++ b/nixos/base/nixpkgs.nix @@ -5,6 +5,7 @@ (import ../../overlays/barcodebuddy.nix) (import ../../overlays/samba.nix) (import ../../overlays/nginx.nix) + (import ../../overlays/krb5.nix) ]; config = { allowUnfree = true; diff --git a/overlays/default.nix b/overlays/default.nix index 0f7d7451..761f9614 100644 --- a/overlays/default.nix +++ b/overlays/default.nix 
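Review bot: `access_provider = "ldap"` in the `mapDefaults` block has no accompanying `ldap_access_filter` or `ldap_access_order` in the visible `mapOptionDefaults` attrset that follows; per the sssd-ldap man page, the ldap access provider with the default `filter` order and no filter configured denies access to every user, so unless a filter is set outside this hunk the LDAP backend locks everyone out. Either add `ldap_access_order`/`ldap_access_filter` next to it, or set `access_provider = "permit"` explicitly if host access is enforced elsewhere, and record the choice with a short comment such as `# access_provider = ldap requires ldap_access_filter; see below`. The `backendDomainSettings` attrset continues outside the hunk.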
@@ -10,6 +10,7 @@ (import ./barcodebuddy.nix) (import ./samba.nix) (import ./nginx.nix) + (import ./krb5.nix) (final: prev: { jemalloc = if final.hostPlatform != "aarch64-darwin" diff --git a/overlays/krb5.nix b/overlays/krb5.nix new file mode 100644 index 00000000..dc0c6f65 --- /dev/null +++ b/overlays/krb5.nix @@ -0,0 +1,5 @@ +final: prev: { + krb5-ldap = final.krb5.override { + withLdap = true; + }; +} diff --git a/systems/extern-test/nixos.nix b/systems/extern-test/nixos.nix index 526d8017..773a5503 100644 --- a/systems/extern-test/nixos.nix +++ b/systems/extern-test/nixos.nix @@ -6,10 +6,15 @@ in { imports = [ nixosModules.default + extern'test'inputs.sops-nix.nixosModules.sops ]; config = { gensokyo-zone = { + access = { + #tail.enable = true; + #local.enable = true; + }; nix = { enable = true; builder.enable = true; @@ -18,11 +23,21 @@ in { enable = true; shared.enable = true; }; + krb5 = { + enable = true; + sssd.enable = true; + nfs.enable = true; + }; # TODO: users? }; # this isn't a real machine... boot.isContainer = true; system.stateVersion = "23.11"; + networking.domain = "testing.123"; + + sops = { + age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; + }; }; }