gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(extern): krb5

Browse source
This commit is contained in:
arcnmx 2024-04-05 15:04:09 -07:00
parent 95e903697a
commit 6db8e4e304
13 changed files with 577 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

11
.sops.yaml
View file

@ -1,6 +1,8 @@
keys: keys:
- &kat CD8CE78CB0B3BDD4 # https://inskip.me/pubkey.asc - &kat CD8CE78CB0B3BDD4 # https://inskip.me/pubkey.asc
- &mew 65BD3044771CB6FB - &mew 65BD3044771CB6FB
- &shanghai_osh age1ua5dukhxsmztpwqrcd25zyvdqhww565dn3uj5mqm7evg9khfjfnq66zywn
- &nue_osh age19wwvlh83p4a3t76j8wzcmh2ns9w348ttff5n9h3zwnmxhm3vtgyqg7qh6x
- &hakurei_osh age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq - &hakurei_osh age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq
- &reimu_osh age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057 - &reimu_osh age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057
- &utsuho_osh age15hmlkd9p5rladsjzpmvrh6u34xvggu9mzdsdxdj3ms43tltxeuhq4g7g9k - &utsuho_osh age15hmlkd9p5rladsjzpmvrh6u34xvggu9mzdsdxdj3ms43tltxeuhq4g7g9k
@ -29,6 +31,15 @@ creation_rules:
- *mediabox_osh - *mediabox_osh
- *litterbox_osh - *litterbox_osh
- *keycloak_osh - *keycloak_osh
- path_regex: 'modules/extern/secrets/.+\.yaml$'
shamir_threshold: 1
key_groups:
- pgp: &pgp_common
- *kat
- *mew
age: &extern_common
- *shanghai_osh
- *nue_osh
- path_regex: 'systems/hakurei/secrets\.yaml$' - path_regex: 'systems/hakurei/secrets\.yaml$'
shamir_threshold: 1 shamir_threshold: 1
key_groups: key_groups:

5
modules/extern/misc/ipa.nix vendored Normal file
View file

@ -0,0 +1,5 @@
{ ... }: {
imports = [
../../nixos/ipa.nix
];
}

5
modules/extern/misc/netgroups.nix vendored Normal file
View file

@ -0,0 +1,5 @@
{ ... }: {
imports = [
../../nixos/network/netgroups.nix
];
}

5
modules/extern/misc/sssd.nix vendored Normal file
View file

@ -0,0 +1,5 @@
{ ... }: {
imports = [
../../nixos/sssd/sssd.nix
];
}

46
modules/extern/nixos/access.nix vendored Normal file
View file

@ -0,0 +1,46 @@
{
config,
lib,
gensokyo-zone,
...
}: let
inherit (lib.options) mkOption mkEnableOption;
cfg = config.gensokyo-zone.access;
accessModule = {
gensokyo-zone,
nixosConfig,
config,
...
}: {
options = with lib.types; {
tail = {
enable = mkEnableOption "tailscale access";
enabled = mkOption {
type = bool;
readOnly = true;
};
};
local.enable = mkEnableOption "local access";
};
config = {
tail.enabled = config.tail.enable && nixosConfig.services.tailscale.enable;
};
};
in {
options.gensokyo-zone.access = mkOption {
type = lib.types.submoduleWith {
modules = [accessModule];
specialArgs = {
inherit gensokyo-zone;
nixosConfig = config;
};
};
default = { };
};
config = {
lib.gensokyo-zone.access = {
inherit cfg accessModule;
};
};
}

371
modules/extern/nixos/krb5.nix vendored Normal file
View file

@ -0,0 +1,371 @@
{
config,
options,
lib,
gensokyo-zone,
pkgs,
...
}: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault mapOptionDefaults mapAlmostOptionDefaults;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkDefault mkOptionDefault;
inherit (lib.lists) optional;
inherit (lib.strings) toUpper;
inherit (gensokyo-zone.lib) unmerged;
cfg = config.gensokyo-zone.krb5;
krb5Module = {
gensokyo-zone,
nixosConfig,
nixosOptions,
config,
pkgs,
...
}: let
inherit (gensokyo-zone.lib) unmerged mkBaseDn;
inherit (nixosConfig.gensokyo-zone) access;
enabled = {
krb5 = nixosConfig.security.krb5.enable;
ipa = config.ipa.enable && nixosConfig.security.ipa.enable;
sssd = config.sssd.enable && nixosConfig.services.sssd.enable;
};
in {
options = with lib.types; {
enable = mkEnableOption "kerberos settings";
domain = mkOption {
type = str;
default = gensokyo-zone.lib.domain;
};
realm = mkOption {
type = str;
default = toUpper config.domain;
};
ca = {
trust = mkEnableOption "trust CA" // {
default = true;
};
pem = mkOption {
type = path;
};
};
host = mkOption {
type = str;
default = config.ipa.host;
};
ldap = {
host = mkOption {
type = str;
default = "ldap.${config.domain}";
example = "ldap.local.${config.domain}";
};
urls = mkOption {
type = listOf str;
default = [ "ldaps://${config.ldap.host}" ];
};
baseDn = mkOption {
type = str;
default = mkBaseDn config.domain;
};
bind = {
dn = mkOption {
type = str;
default = "uid=peep,cn=sysaccounts,cn=etc,${config.ldap.baseDn}";
};
passwordFile = mkOption {
type = path;
};
passwordFileKrb5 = mkOption {
type = path;
example = lib.literalExpression "\${pkgs.writeText "ldap.kdb5" ''
${config.bind.dn}#{HEX}616e6f6e796d6f7573
''}";
};
passwordFileSssdEnv = mkOption {
type = path;
example = lib.literalExpression "\${pkgs.writeText "ldap.kdb5" ''
${"SSSD_AUTHTOK_" + replaceStrings [ "." ] [ "_" ] (toUpper config.domain)}=verysecretpassword
''}";
};
};
};
db = {
backend = mkOption {
type = enum [ "kldap" "ipa" ];
default = "kldap";
};
};
logLevel = mkOption {
type = str;
default = "NOTICE";
};
authToLocalNames = mkOption {
type = attrsOf str;
default = { };
example = {
"arc@${config.realm}" = "arc";
};
};
sssd = {
enable = mkEnableOption "sssd";
pam.enable = mkEnableOption "PAM";
backend = mkOption {
type = enum [ "ipa" "ldap" ];
default = {
ipa = "ipa";
kldap = "ldap";
}.${config.db.backend};
};
};
ntp = {
enable = mkEnableOption "ntp" // {
default = true;
};
servers = mkOption {
type = listOf str;
example = [ config.ipa.host ];
default = [ "2.fedora.pool.ntp.org" ];
};
};
nfs = {
enable = mkEnableOption "nfs";
debug.enable = mkEnableOption "nfs debug logs";
};
ipa = {
enable = mkEnableOption "IPA";
httpHost = mkOption {
type = str;
default = "freeipa.${config.domain}";
};
host = mkOption {
type = str;
default = "idp.${config.domain}";
};
};
set = {
krb5Settings = mkOption {
type = unmerged.type;
default = {};
};
sssdSettings = mkOption {
type = unmerged.type;
default = {};
};
ipaSettings = mkOption {
type = unmerged.type;
default = {};
};
nfsSettings = mkOption {
type = unmerged.type;
default = {};
};
};
};
config = {
ca.pem = let
caPem = pkgs.fetchurl {
name = "${config.ipa.host}.ca.pem";
url = "https://${config.ipa.httpHost}/ipa/config/ca.crt";
sha256 = "sha256-PKjnjn1jIq9x4BX8+WGkZfj4HQtmnHqmFSALqggo91o=";
};
in mkOptionDefault caPem;
ldap = {
urls = mkMerge [
(mkIf access.local.enable (mkOptionDefault (mkBefore [
"ldaps://ldap.local.${config.domain}"
])))
(mkIf enabled.ipa (mkOptionDefault (mkBefore [
"ldaps://${config.ipa.host}"
])))
(mkIf access.tail.enabled (mkOptionDefault (mkAfter [
"ldap://ldap.tail.${config.domain}"
])))
];
bind = let
inherit (nixosConfig.sops) secrets;
in mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-krb5-passwords) {
passwordFileKrb5 = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-passwords.path;
passwordFile = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-peep-password.path;
passwordFileSssdEnv = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-sssd-passwords.path;
};
};
db.backend = mkIf enabled.ipa (mkAlmostOptionDefault "ipa");
set = {
krb5Settings = {
enable = mkAlmostOptionDefault true;
gensokyo-zone = {
enable = mkAlmostOptionDefault true;
host = mkAlmostOptionDefault config.host;
canonHost = mkAlmostOptionDefault config.ipa.host;
domain = mkAlmostOptionDefault config.domain;
realm = mkAlmostOptionDefault config.realm;
ca.cert = mkAlmostOptionDefault config.ca.pem;
db.backend = mkAlmostOptionDefault config.db.backend;
ldap = {
baseDn = mkAlmostOptionDefault config.ldap.baseDn;
urls = mkAlmostOptionDefault config.ldap.urls;
bind = mapAlmostOptionDefaults {
dn = config.ldap.bind.dn;
passwordFile = config.ldap.bind.passwordFileKrb5;
};
};
authToLocalNames = mkAlmostOptionDefault config.authToLocalNames;
};
};
sssdSettings = let
servers = optional access.local.enable "idp.local.${config.domain}"
++ [ "_srv" ];
backups = mkMerge [
(mkIf access.tail.enabled (mkAlmostOptionDefault [ "freeipa.tail.${config.domain}" ]))
(mkIf access.local.enable (mkAlmostOptionDefault [ "freeipa.local.${config.domain}" ]))
];
in mkIf config.sssd.enable {
enable = mkAlmostOptionDefault true;
gensokyo-zone = {
backend = mkAlmostOptionDefault config.sssd.backend;
krb5.servers = {
servers = servers ++ [ config.host ];
inherit backups;
};
ipa.servers = {
servers = servers ++ [ config.ipa.host ];
inherit backups;
};
ldap = {
bind.passwordFile = mkAlmostOptionDefault config.ldap.bind.passwordFile;
uris.backups = mkIf access.tail.enabled (mkAlmostOptionDefault (mkAfter [
"ldaps://ldap.tail.${config.domain}"
]));
};
};
environmentFile = mkIf (config.sssd.backend == "ldap") (mkAlmostOptionDefault
config.ldap.bind.passwordFileSssdEnv
);
services = {
ifp.enable = mkAlmostOptionDefault true;
pam.enable = mkIf (!config.sssd.pam.enable) (mkDefault false);
};
};
ipaSettings = mkIf config.ipa.enable (mapAlmostOptionDefaults {
enable = true;
certificate = config.ca.pem;
basedn = config.ldap.baseDn;
domain = config.domain;
realm = config.realm;
server = config.ipa.server;
# TODO: dyndns?
overrideConfigs = {
sssd = mkAlmostOptionDefault false;
krb5 = mkAlmostOptionDefault false;
};
});
nfsSettings = mkIf config.nfs.enable {
${if nixosOptions ? services.nfs.settings then "settings" else null} = mkMerge [
{
gssd = mapOptionDefaults {
#use-machine-creds = false;
avoid-dns = true;
preferred-realm = config.realm;
};
}
(mkIf config.nfs.debug.enable {
mountd.debug = mkOptionDefault "all";
exportfs.debug = mkOptionDefault "all";
exportd.debug = mkOptionDefault "all";
general.idmap-verbosity = mkOptionDefault 3;
idmapd = mapOptionDefaults {
verbosity = 3;
idmap-verbosity = 3;
};
gssd = mapOptionDefaults {
verbosity = 3;
rpc-verbosity = 3;
};
})
];
${if nixosOptions ? services.nfs.settings then null else "extraConfig"} = mkMerge [
''
[gssd]
#use-machine-creds = false
avoid-dns = true
preferred-realm = ${config.realm}
''
(mkIf config.nfs.debug.enable ''
[mountd]
debug = all
[exportfs]
debug = all
[exportd]
debug = all
[general]
idmap-verbosity = 3
[idmapd]
verbosity = 3
idmap-verbosity = 3
[gssd]
verbosity = 3
rpc-verbosity = 3
'')
];
idmapd.settings = mkIf false {
#General.Domain = mkForce config.domain;
#Local-Realms = concatStringsSep "," [ config.realm nixosConfig.networking.domain ];
#Translation.Method = mkForce (concatStringsSep "," [ "static" "nsswitch" ]);
};
};
};
};
};
in {
imports = [
./access.nix
../misc/sssd.nix
../misc/ipa.nix
../misc/netgroups.nix
../../nixos/krb5/genso.nix
../../nixos/sssd/genso.nix
];
options.gensokyo-zone.krb5 = mkOption {
type = lib.types.submoduleWith {
modules = [krb5Module];
specialArgs = {
inherit gensokyo-zone pkgs;
inherit (gensokyo-zone) inputs;
nixosConfig = config;
nixosOptions = options;
};
};
default = { };
};
config = {
security = {
krb5 = mkIf cfg.enable (unmerged.merge cfg.set.krb5Settings);
ipa = mkIf cfg.enable (unmerged.merge cfg.set.ipaSettings);
pki.certificateFiles = mkIf (cfg.enable && cfg.ca.trust && !cfg.ipa.enable) [
cfg.ca.pem
];
};
services.sssd = mkIf cfg.enable (unmerged.merge cfg.set.sssdSettings);
services.nfs = mkIf cfg.enable (unmerged.merge cfg.set.nfsSettings);
services.ntp.enable = mkIf (cfg.enable && cfg.ntp.enable) (mkAlmostOptionDefault true);
networking = {
timeServers = mkIf (cfg.enable && cfg.ntp.enable) cfg.ntp.servers;
};
${if options ? sops.secrets then "sops" else null}.secrets = let
sopsFile = mkDefault ../secrets/krb5.yaml;
in mkIf cfg.enable {
gensokyo-zone-krb5-passwords = mkIf (cfg.db.backend == "kldap") {
inherit sopsFile;
};
gensokyo-zone-krb5-peep-password = mkIf (cfg.sssd.backend == "ldap") {
inherit sopsFile;
};
gensokyo-zone-sssd-passwords = mkIf (cfg.sssd.backend == "ldap") {
inherit sopsFile;
};
};
lib.gensokyo-zone.krb5 = {
inherit cfg krb5Module;
};
};
}

55
modules/extern/nixos/kyuuto.nix vendored
View file

@ -15,7 +15,11 @@
... ...
}: let }: let
inherit (gensokyo-zone.lib) unmerged domain; inherit (gensokyo-zone.lib) unmerged domain;
setFilesystemOptions = mkMerge [ inherit (nixosConfig.gensokyo-zone) access;
enabled = {
krb5 = nixosConfig.gensokyo-zone.krb5.enable or false;
};
setFilesystemOptions = [
(mkIf config.nfs.enable config.nfs.fstabOptions) (mkIf config.nfs.enable config.nfs.fstabOptions)
(mkIf config.smb.enable config.smb.fstabOptions) (mkIf config.smb.enable config.smb.fstabOptions)
(mkIf config.automount.enable config.automount.fstabOptions) (mkIf config.automount.enable config.automount.fstabOptions)
@ -23,21 +27,26 @@
in { in {
options = with lib.types; { options = with lib.types; {
enable = mkEnableOption "kyuuto"; enable = mkEnableOption "kyuuto";
media.enable = media = {
mkEnableOption "/mnt/kyuuto-media" enable = mkEnableOption "/mnt/kyuuto-media" // {
// {
default = true; default = true;
}; };
transfer.enable = krb5.enable = mkEnableOption "krb5" // {
mkEnableOption "/mnt/kyuuto-transfer" default = enabled.krb5;
// { };
};
transfer = {
enable = mkEnableOption "/mnt/kyuuto-transfer" // {
default = true; default = true;
}; };
krb5.enable = mkEnableOption "krb5" // {
default = enabled.krb5;
};
};
shared.enable = mkEnableOption "/mnt/kyuuto-shared"; shared.enable = mkEnableOption "/mnt/kyuuto-shared";
domain = mkOption { domain = mkOption {
type = str; type = str;
}; };
local.enable = mkEnableOption "LAN";
automount = { automount = {
enable = enable =
mkEnableOption "systemd automount" mkEnableOption "systemd automount"
@ -75,18 +84,18 @@
config = { config = {
domain = mkMerge [ domain = mkMerge [
(mkOptionDefault ( (mkOptionDefault (
if config.local.enable if access.local.enable
then "local.${domain}" then "local.${domain}"
else domain else domain
)) ))
(mkIf nixosConfig.services.tailscale.enable ( (mkIf access.tail.enabled (
mkDefault mkDefault
"tail.${domain}" "tail.${domain}"
)) ))
]; ];
nfs.fstabOptions = [ nfs.fstabOptions = [
"noauto" "noauto"
"nfsvers=4" #"nfsvers=4"
"soft" "soft"
"retrans=2" "retrans=2"
"timeo=60" "timeo=60"
@ -105,7 +114,7 @@
device = mkMerge [ device = mkMerge [
(mkIf config.nfs.enable "nfs.${config.domain}:/mnt/kyuuto-media") (mkIf config.nfs.enable "nfs.${config.domain}:/mnt/kyuuto-media")
(mkIf config.smb.enable ( (mkIf config.smb.enable (
if config.smb.user != null && config.local.enable if config.smb.user != null && access.local.enable
then ''\\smb.${config.domain}\kyuuto-media'' then ''\\smb.${config.domain}\kyuuto-media''
else if config.smb.user != null else if config.smb.user != null
then ''\\smb.${config.domain}\kyuuto-media-global'' then ''\\smb.${config.domain}\kyuuto-media-global''
@ -116,28 +125,42 @@
(mkIf config.nfs.enable "nfs4") (mkIf config.nfs.enable "nfs4")
(mkIf config.smb.enable "smb3") (mkIf config.smb.enable "smb3")
]; ];
options = setFilesystemOptions; options = mkMerge (setFilesystemOptions ++ [
(mkIf config.media.krb5.enable [
"sec=krb5"
(mkIf config.nfs.enable "nfsvers=4")
])
]);
}; };
"/mnt/kyuuto-transfer" = mkIf config.transfer.enable { "/mnt/kyuuto-transfer" = mkIf config.transfer.enable {
device = mkMerge [ device = mkMerge [
(mkIf config.nfs.enable "nfs.${config.domain}:/mnt/kyuuto-media/transfer") (mkIf config.nfs.enable "nfs.${config.domain}:/mnt/kyuuto-media/transfer")
(mkIf (config.smb.enable && config.local.enable) ''\\smb.${config.domain}\kyuuto-transfer'') (mkIf (config.smb.enable && access.local.enable) ''\\smb.${config.domain}\kyuuto-transfer'')
]; ];
fsType = mkMerge [ fsType = mkMerge [
(mkIf config.nfs.enable "nfs4") (mkIf config.nfs.enable "nfs4")
(mkIf config.smb.enable "smb3") (mkIf config.smb.enable "smb3")
]; ];
options = setFilesystemOptions; options = mkMerge (setFilesystemOptions ++ [
(mkIf config.media.krb5.enable [
(if access.local.enable || access.tail.enabled then "sec=sys:krb5" else "sec=krb5")
#(mkIf config.nfs.enable "nfsvers=3")
])
]);
}; };
"/mnt/kyuuto-shared" = mkIf (config.shared.enable && config.smb.enable) { "/mnt/kyuuto-shared" = mkIf (config.shared.enable && config.smb.enable) {
device = mkIf (config.smb.user != null) ''\\smb.${config.domain}\shared''; device = mkIf (config.smb.user != null) ''\\smb.${config.domain}\shared'';
fsType = "smb3"; fsType = "smb3";
options = setFilesystemOptions; options = mkMerge setFilesystemOptions;
}; };
}; };
}; };
}; };
in { in {
imports = [
./access.nix
];
options.gensokyo-zone.kyuuto = mkOption { options.gensokyo-zone.kyuuto = mkOption {
type = lib.types.submoduleWith { type = lib.types.submoduleWith {
modules = [kyuutoModule]; modules = [kyuutoModule];

68
modules/extern/secrets/krb5.yaml vendored Normal file
View file

@ -0,0 +1,68 @@
gensokyo-zone-krb5-passwords: ENC[AES256_GCM,data:59sSVI2bZGotSymwZCv/eTxLOMUI4e+yJb8IbMJaMq1ZM2OZjLfYQ2lTghRgJU33r0lpg8tTlWI8JY+6ZqRl33wWzRqKUlS5T5M2lXKtD+8Cs5K5tVOva2kLBMz9fhL9wIFHb4wo0JY7giR0TZl5W5ztgU7DBQ0FkrO9,iv:CSZnTsSQOsHaAv6zFXCnotUF2zYtWnYxwc6Y/i4XG54=,tag:hlu7hJVIs2GV7gy4n48cMw==,type:str]
gensokyo-zone-sssd-passwords: ENC[AES256_GCM,data:CVIsArY97xbxVKozCNcdz9RgXF4NS3IFQTW6cdiv9CfQrMLcbnIXsWDTB5xe3LIMFXcXJR2ah00ZsJDm,iv:BQ76MfF6wBfU1Y7Pfud2Ld7ZyFNmxnDqJ2fKhjQoD9A=,tag:BhgRO65qaR2pV4S0q03cJg==,type:str]
gensokyo-zone-krb5-peep-password: ENC[AES256_GCM,data:6d8A5zZRdMzPZp5Hex54xm7/YJUtuQ9nWWJO+Fxa3Yo=,iv:LD1yBPfmxbxAwlTP3O+2muTb7/EbVSwAjrs6t5s+kos=,tag:ic2W/ITl6sb9O0Mii5AXUA==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ua5dukhxsmztpwqrcd25zyvdqhww565dn3uj5mqm7evg9khfjfnq66zywn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQ3hiZFRSWlAwc2Y1ekFr
MDVhZFBBeVJkYTdzS29hSkFFTVRLNDllV2dRCmtLZjN2SmZ4M3duOU1yMmVLUGZT
eGJDamk4UlMrWDNCNzhwMlltQ3cwdHMKLS0tIG5DSGxQSmlmSkcwcGUwOU91TERD
SkJ2eWZGNEcwNThSMFAwVm9TazAycmMKJ2eFKHIjQZ9Tyx7OYL1PWUOrp0AtkoPc
3dvPspyBxNKJIM+8i2g6562zDKKufq/q0dILgs90UG0HinM3BRq4fg==
-----END AGE ENCRYPTED FILE-----
- recipient: age19wwvlh83p4a3t76j8wzcmh2ns9w348ttff5n9h3zwnmxhm3vtgyqg7qh6x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMGJTMld5aXlLaTI1NTBp
WjlyQWJ6Z1NRQlRLM0JaNkdaeDVVZ0JUbGpNCjY5QlU1N1BySmVDNlV4RmV0bTVX
R2hSVHRiNlNOZzNlbnBuK3Y5RlEwaDQKLS0tIFVqSWovN0F4QkNIOVBtZTlmc2Yy
OThVOVdkQ0I5U1YrN0prYnR5Mmptd0kKSP/JvDw+bjg2SSQk0gK2EIbyF/b4QSrY
kDKbUVYqH4EM6uw3hnvKKdwl91WyyH1zm0BOtyNzCgmxjCZ4wI5TYw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-06T20:44:34Z"
mac: ENC[AES256_GCM,data:DFQ5W8Nqp1TKlqSx4oKnkCNZE+ziWk0s+TBx5veemtsvCHcdy4Dtv00x1ROT7ZnKTRbQJ8EBXuztUhZPDlnoNMGpDt/1400VWGoDg7BBr+x/NF+CSC9DtjvnjjLd1Wl8UebVWoGywRYddCbMoqtPvm0wVIy3SEI/WlDGlroRJRE=,iv:fJ+fVoMlR5DPz3iTPsdmWBLl3owlCI0BYmNfc9+7WH8=,tag:7rDV7kZK1uso7cgRooV//w==,type:str]
pgp:
- created_at: "2024-04-06T17:38:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UAQ//WvYYZXtRwXR9GM2SJ/k+EnElquVY9GM4BvEa/JDxAX6p
eQDOeaI7xmzCJtQ2w5yH/9yPcxuMAi60e82T1ljDKjZl731pAWKTHX43EU0CSO9N
rST9dtSeG+Tf54JP+HAQ9IS/CFuQFaa7KGQLfodvkSFkt143o+WjQjDYF+THzNjx
5b/V7MBmgYoDodyBeeXkQUhCfml5YLHJ0iBLhS1Xy1KGSYxdOkl/nZXd5zpj5fSe
i4P+RGS9EOvBIjACgPFGZ9X5eUhOL3COZ9Wyi+lAZ7tZqEFfrzDGI8FqT3nSflPK
g2ZKxJTBSPrtRLD1xcggWOq5Yejh+JsYuDEow4nj3vqGrivavUiwJn+hunhaZLJX
zHSnWSTSPAdtgUUM0F7N3LdhvP+zpMjiU0vq7UCNY6OdgUbjd1DO6mojAIt+AMlm
ZlPhqhuu+FavfK15UOKoBaps18INA5VCt2TqWVVxMGk5F0BHW/mq44yTeOwDtD7Q
WZgPwOjeg2qydqOO2XJgS7lAuA2mkOjXVtcPes/HBnUDdGUWzmVXsD0dxXBqXcBU
yrJctTNS0nJGUc7UyPX2480JL+68OqfvVtilACESnB3SwJ24Euy1OzfA3tx5iHp3
6GYatPBcS8GRHWBAzDznjjqkc7JPK4qvseuUYNQO3RMlkAOfEr0ONsAQtUkJSMzS
XAFC3rDeVEw/jRyMyrP1Nz3BiElZXmLk6AHrcCcglRqwIPGhbwoO9Wlnta9CscXY
gqP694TxAIGeWwxoDRY6xRE37h12thPDiPGDzGTkBIuc4x5BxzoOPuaXQmlc
=NcIp
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
- created_at: "2024-04-06T17:38:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA2W9MER3HLb7AQf+LzjSKdSQROup2RE7quznXApdflWyJ1yeit4xAWJkXLFj
thmaOqH/oJe7tEP03LQMrNHJnwAwc0rhbStEQHR60HGpHEPlSnWdZgG2dxrtxeTw
dd3hrKUzt+SmDpvbxzqwvwS34bmflDs/xnPpVcubIFHuUSjILvyS817hgkHS+FKM
eNJNY5UnOKGCSX7zb9B0DmSk7DknlhjyaGsCMQcTRqTugzwfosKQRODrulRpw4S8
O/trlc43g9qazsArkosvNWKj/zvUUC2fEVWuP7dM6KRD8kk/CYotBjwIycSPMiXs
uOBe3UQ0ez7vd59GdUkf61A3eNc3U7towIeyLXpWotJcAY8YADhHJBG7Uhkpme2y
wjHHZNP7//8jAsQj17QAwhnh4ibeP73q5A9IR2AKPmJgbI5seNaTgEyDYOH6Xu86
THvp1wtor0XZHHpGyqlYbxUdLCJPed5cLH6nG8I=
=IX81
-----END PGP MESSAGE-----
fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted
version: 3.8.1

10
modules/nixos/sssd/genso.nix
View file

@ -1,5 +1,5 @@
{ gensokyo-zone, pkgs, config, lib, ... }: let { gensokyo-zone, pkgs, config, lib, ... }: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault mapOptionDefaults mapAlmostOptionDefaults; inherit (gensokyo-zone.lib) mkAlmostOptionDefault mapOptionDefaults mapAlmostOptionDefaults mapDefaults;
inherit (lib.options) mkOption mkEnableOption; inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkAfter mkDefault mkOptionDefault; inherit (lib.modules) mkIf mkMerge mkAfter mkDefault mkOptionDefault;
inherit (config.security) krb5 ipa; inherit (config.security) krb5 ipa;
@ -97,9 +97,9 @@ in {
# or "ipaNTSecurityIdentifier" which isn't set for most groups, maybe check netgroups..? # or "ipaNTSecurityIdentifier" which isn't set for most groups, maybe check netgroups..?
objectsid = "sambaSID"; objectsid = "sambaSID";
backendDomainSettings = { backendDomainSettings = {
ldap = mapAlmostOptionDefaults { ldap = mapDefaults {
id_provider = mkDefault "ldap"; id_provider = "ldap";
auth_provider = mkDefault "krb5"; auth_provider = "krb5";
access_provider = "ldap"; access_provider = "ldap";
ldap_tls_cacert = "/etc/ssl/certs/ca-bundle.crt"; ldap_tls_cacert = "/etc/ssl/certs/ca-bundle.crt";
} // mapOptionDefaults { } // mapOptionDefaults {
@ -108,7 +108,7 @@ in {
ldap_default_bind_dn = genso.ldap.bind.dn; ldap_default_bind_dn = genso.ldap.bind.dn;
ldap_search_base = genso.ldap.baseDn; ldap_search_base = genso.ldap.baseDn;
ldap_user_search_base = "cn=users,cn=accounts,${genso.ldap.baseDn}"; ldap_user_search_base = "cn=users,cn=accounts,${genso.ldap.baseDn}";
ldap_group_search_base = "cn=groups,cn=accounts,${config.ldap.baseDn}"; ldap_group_search_base = "cn=groups,cn=accounts,${genso.ldap.baseDn}";
ldap_user_uuid = "ipaUniqueID"; ldap_user_uuid = "ipaUniqueID";
ldap_user_ssh_public_key = "ipaSshPubKey"; ldap_user_ssh_public_key = "ipaSshPubKey";
ldap_user_objectsid = objectsid; ldap_user_objectsid = objectsid;

1
nixos/base/nixpkgs.nix
View file

@ -5,6 +5,7 @@
(import ../../overlays/barcodebuddy.nix) (import ../../overlays/barcodebuddy.nix)
(import ../../overlays/samba.nix) (import ../../overlays/samba.nix)
(import ../../overlays/nginx.nix) (import ../../overlays/nginx.nix)
(import ../../overlays/krb5.nix)
]; ];
config = { config = {
allowUnfree = true; allowUnfree = true;

1
overlays/default.nix
View file

@ -10,6 +10,7 @@
(import ./barcodebuddy.nix) (import ./barcodebuddy.nix)
(import ./samba.nix) (import ./samba.nix)
(import ./nginx.nix) (import ./nginx.nix)
(import ./krb5.nix)
(final: prev: { (final: prev: {
jemalloc = jemalloc =
if final.hostPlatform != "aarch64-darwin" if final.hostPlatform != "aarch64-darwin"

5
overlays/krb5.nix Normal file
View file

@ -0,0 +1,5 @@
final: prev: {
krb5-ldap = final.krb5.override {
withLdap = true;
};
}

15
systems/extern-test/nixos.nix
View file

@ -6,10 +6,15 @@
in { in {
imports = [ imports = [
nixosModules.default nixosModules.default
extern'test'inputs.sops-nix.nixosModules.sops
]; ];
config = { config = {
gensokyo-zone = { gensokyo-zone = {
access = {
#tail.enable = true;
#local.enable = true;
};
nix = { nix = {
enable = true; enable = true;
builder.enable = true; builder.enable = true;
@ -18,11 +23,21 @@ in {
enable = true; enable = true;
shared.enable = true; shared.enable = true;
}; };
krb5 = {
enable = true;
sssd.enable = true;
nfs.enable = true;
};
# TODO: users? # TODO: users?
}; };
# this isn't a real machine... # this isn't a real machine...
boot.isContainer = true; boot.isContainer = true;
system.stateVersion = "23.11"; system.stateVersion = "23.11";
networking.domain = "testing.123";
sops = {
age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
}; };
} }