feat(idp): samba ldap attributes
This commit is contained in:
parent
4ad8e34fa4
commit
81bd1a1a15
12 changed files with 670 additions and 3 deletions
|
|
@ -154,6 +154,7 @@ in {
|
|||
${virtualHosts.freeipa'ca.serverName} ${upstreams.freeipa};
|
||||
${nginx.access.ldap.domain} ${upstreams.ldap};
|
||||
${nginx.access.ldap.localDomain} ${upstreams.ldap};
|
||||
${nginx.access.ldap.intDomain} ${upstreams.ldap};
|
||||
${nginx.access.ldap.tailDomain} ${upstreams.ldap};
|
||||
default ${upstreams.nginx};
|
||||
}
|
||||
|
|
@ -244,6 +245,7 @@ in {
|
|||
};
|
||||
freeipa'ldap'local = {
|
||||
serverName = mkDefault ldap.localDomain;
|
||||
serverAliases = [ ldap.intDomain ];
|
||||
ssl.cert.copyFromVhost = "freeipa'ldap";
|
||||
globalRedirect = virtualHosts.freeipa'web'local.serverName;
|
||||
local.enable = true;
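Review bot: The `freeipa'ldap'local` vhost now answers for `ldap.intDomain` via `serverAliases` while taking its certificate from `freeipa'ldap` (`ssl.cert.copyFromVhost`), so that certificate must list the `ldap.int.*` name as a SAN; otherwise LDAPS clients pointed at it (the samba module in this same commit switches its `url` to `ldaps://ldap.int.${domain}`) will fail hostname verification, or tempt someone to turn verification off. I cannot see from this hunk how the `freeipa'ldap` certificate is issued, so this may already be covered; if so, a one-line note such as `# intDomain is covered by the SAN list of the freeipa'ldap certificate` on the alias line would save the next reader the check. The attribute set this sits in starts before the hunk.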
|
||||
|
|
|
|||
|
|
@ -35,6 +35,10 @@ in {
|
|||
type = str;
|
||||
default = "ldap.local.${config.networking.domain}";
|
||||
};
|
||||
intDomain = mkOption {
|
||||
type = str;
|
||||
default = "ldap.int.${config.networking.domain}";
|
||||
};
|
||||
tailDomain = mkOption {
|
||||
type = str;
|
||||
default = "ldap.tail.${config.networking.domain}";
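Review bot: `intDomain` and `tailDomain` are declared with only `type` and `default`; neither carries a `description`, so the generated option docs say nothing about what distinguishes `ldap.int.*` from `ldap.local.*` and `ldap.tail.*`. Suggest adding `description = "Hostname of the LDAP endpoint reachable on the internal network";` to `intDomain` and a parallel one for `tailDomain` (assuming "tail" refers to the tailnet — worth confirming before wording it that way). The enclosing option set begins before the hunk and the closing `};` of `tailDomain` falls after it.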
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
{ inputs, pkgs, config, lib, ... }: let
|
||||
inherit (inputs.self.lib.lib) mkBaseDn;
|
||||
inherit (lib.modules) mkIf mkBefore mkDefault;
|
||||
inherit (lib.modules) mkIf mkBefore mkDefault mkOptionDefault;
|
||||
inherit (lib.strings) toUpper;
|
||||
inherit (config.networking) domain;
|
||||
cfg = config.security.ipa;
|
||||
|
|
@ -19,6 +19,14 @@ in {
|
|||
# once the sops secret has been updated with keytab...
|
||||
# :; systemctl restart sssd
|
||||
config = {
|
||||
users.ldap = {
|
||||
base = mkDefault baseDn;
|
||||
server = mkDefault "ldaps://ldap.local.${domain}";
|
||||
samba.domainSID = mkDefault "S-1-5-21-1535650373-1457993706-2355445124";
|
||||
#samba.domainSID = mkDefault "S-1-5-21-208293719-3143191303-229982100"; # HAKUREI
|
||||
userDnSuffix = mkDefault "cn=users,cn=accounts,";
|
||||
groupDnSuffix = mkDefault "cn=groups,cn=accounts,";
|
||||
};
|
||||
security.ipa = {
|
||||
enable = mkDefault true;
|
||||
certificate = mkDefault caPem;
|
||||
|
|
@ -41,5 +49,18 @@ in {
|
|||
path = "/etc/krb5.keytab";
|
||||
};
|
||||
};
|
||||
systemd.services.krb5-host = let
|
||||
krb5-host = pkgs.writeShellScript "krb5-host" ''
|
||||
set -eu
|
||||
|
||||
kinit -k host/${config.networking.fqdn}
|
||||
'';
|
||||
in mkIf cfg.enable {
|
||||
path = [ config.security.krb5.package ];
|
||||
serviceConfig = {
|
||||
Type = mkOptionDefault "oneshot";
|
||||
ExecStart = [ "${krb5-host}" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
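Review bot: `krb5-host` obtains the host TGT with a single `kinit -k host/${config.networking.fqdn}` in a `oneshot` unit, and nothing in the hunk re-runs it, so anything that relies on the resulting credential cache will start failing once the KDC's ticket lifetime elapses. If the intent is to keep a valid host ticket, pair the service with a timer that fires before expiry, or let sssd/gssproxy own the host credential instead; it also uses whatever root's default `KRB5CCNAME` is, so if a consumer expects a specific cache path that should be set via `serviceConfig.Environment`. The `config` attribute set this belongs to begins before the hunk. A sketch of the timer follows; the interval is a placeholder and must be set below the KDC's configured ticket lifetime.
```nix
# … unchanged: systemd.services.krb5-host definition …
systemd.timers.krb5-host = mkIf cfg.enable {
  wantedBy = [ "timers.target" ];
  timerConfig = {
    OnBootSec = "1min";
    OnUnitActiveSec = "8h"; # placeholder: keep well under the KDC ticket lifetime
  };
};
```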
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ in {
|
|||
securityType = mkDefault "user";
|
||||
ldap = {
|
||||
enable = mkDefault true;
|
||||
url = mkDefault "ldaps://ldap.local.${domain}";
|
||||
url = mkDefault "ldaps://ldap.int.${domain}";
|
||||
baseDn = mkDefault (mkBaseDn domain);
|
||||
adminDn = mkDefault "uid=samba,cn=sysaccounts,cn=etc,${cfg.ldap.baseDn}";
|
||||
adminPasswordPath = mkIf cfg.ldap.enable (
|
||||
|
|
@ -56,6 +56,7 @@ in {
|
|||
"winbind scan trusted domains" = false;
|
||||
"winbind use default domain" = true;
|
||||
"domain master" = false;
|
||||
"domain logons" = true;
|
||||
"remote announce" = mkIf hasIpv4 [
|
||||
"10.1.1.255/${cfg.settings.workgroup}"
|
||||
];
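Review bot: `"domain logons" = true;` makes this Samba instance accept NT4-style domain logons, while the preceding `"domain master" = false;` declines the domain master browser role; if I recall smb.conf's defaults, `domain master` is normally switched on automatically when domain logons are enabled, so explicitly disabling it here is an unusual pairing that deserves an explanation in place. Suggest a comment above the line along the lines of `# NT4-style logon server for legacy clients; the domain master role is held elsewhere — confirm` naming the host that does hold it. Whether this is the hunk's added line or surrounding context is not recoverable from the rendered page, and the settings block starts before the hunk.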
|
||||
|
|
|
|||
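--- /dev/null
+++ b/nixos/users/ldap.nix
@@ -0,0 +1,95 @@
+{config, lib, inputs, ...}: let
+inherit (inputs.self.lib.lib) userIs mkAlmostOptionDefault;
+inherit (lib.modules) mkMerge mkDefault;
+inherit (lib.attrsets) mapAttrs filterAttrs;
+ldapUsers = filterAttrs (_: userIs "peeps") config.users.users;
+ldapGroups = filterAttrs (_: group: group.gid != null && group.gid >= 8000 && group.gid < 8256) config.users.groups;
+management = {
+users = mapAttrs (name: user: {
+user.name = mkAlmostOptionDefault name;
+samba = {
+enable = mkDefault true;
+sync.enable = mkDefault true;
+accountFlags = {
+noPasswordExpiry = mkDefault true;
+};
+};
+}) ldapUsers;
+groups = mapAttrs (name: group: {
+group.name = mkAlmostOptionDefault name;
+samba.enable = mkDefault true;
+}) ldapGroups;
+};
+in {
+config.users.ldap = {
+management = mkMerge [ management {
+users = {
+guest.user.enable = true;
+admin = {
+user.enable = true;
+samba.enable = true;
+};
+opl = {
+user.enable = true;
+samba = {
+enable = true;
+#sync.enable = true;
+accountFlags = {
+noPasswordExpiry = mkDefault true;
+normalUser = true;
+};
+};
+object.settings.settings = {
+sambaNTPassword = "F7C2C5D78C24EACB73550B02BF5888E3";
+sambaLMPassword = "A5C96CDE7660B20BAAD3B435B51404EE";
+};
+};
+};
+groups = {
+nogroup = {
+group.enable = true;
+samba.enable = true;
+};
+guest = {
+samba = {
+enable = true;
+groupType = 4;
+sid = "S-1-5-32-546";
+};
+};
+admin = {
+group.enable = true;
+samba.enable = true;
+};
+kyuuto-peeps = {
+group.enable = true;
+samba.enable = true;
+};
+kyuuto = {
+group.enable = true;
+samba.enable = true;
+};
+peeps = {
+group.enable = true;
+samba.enable = true;
+};
+admins = {
+samba = {
+enable = true;
+#sync.enable = true;
+groupType = 4;
+sid = "S-1-5-32-544";
+};
+};
+smb = {
+name = "Default SMB Group";
+samba = {
+#sync.enable = true;
+groupType = 4;
+sid = "S-1-5-32-545";
+};
+};
+};
+} ];
+};
+}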
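Review bot: The `opl` user's `object.settings.settings` block commits literal `sambaNTPassword` and `sambaLMPassword` values into the repository, and because this is a NixOS module they will also land world-readable in the Nix store of every host that evaluates it. An NT hash is a password-equivalent credential for NTLM authentication, so this is effectively a plaintext secret in git history: it should be loaded from the sops-managed secrets this repo already uses (the ipa module's own comment refers to a sops secret) and the underlying password rotated, since the current hash stays in history regardless. Shipping an LM hash at all is hard to justify — the LM format is cryptographically weak and current clients do not require it — so consider dropping `sambaLMPassword` entirely. The commented-out `#sync.enable = true;` in the same block suggests the hashes were pinned by hand to bypass sync; a short comment stating why sync is disabled for this account would make that intent explicit.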