feat(idp): samba ldap attributes

nixos/ipa.nix

@@ -1,6 +1,6 @@
 { inputs, pkgs, config, lib, ... }: let
   inherit (inputs.self.lib.lib) mkBaseDn;
-  inherit (lib.modules) mkIf mkBefore mkDefault;
+  inherit (lib.modules) mkIf mkBefore mkDefault mkOptionDefault;
   inherit (lib.strings) toUpper;
   inherit (config.networking) domain;
   cfg = config.security.ipa;
@@ -19,6 +19,14 @@ in {
   # once the sops secret has been updated with keytab...
   # :; systemctl restart sssd
   config = {
+    users.ldap = {
+      base = mkDefault baseDn;
+      server = mkDefault "ldaps://ldap.local.${domain}";
+      samba.domainSID = mkDefault "S-1-5-21-1535650373-1457993706-2355445124";
+      #samba.domainSID = mkDefault "S-1-5-21-208293719-3143191303-229982100"; # HAKUREI
+      userDnSuffix = mkDefault "cn=users,cn=accounts,";
+      groupDnSuffix = mkDefault "cn=groups,cn=accounts,";
+    };
     security.ipa = {
       enable = mkDefault true;
       certificate = mkDefault caPem;
@@ -41,5 +49,18 @@ in {
         path = "/etc/krb5.keytab";
       };
     };
+    systemd.services.krb5-host = let
+      krb5-host = pkgs.writeShellScript "krb5-host" ''
+        set -eu
+
+        kinit -k host/${config.networking.fqdn}
+      '';
+    in mkIf cfg.enable {
+      path = [ config.security.krb5.package ];
+      serviceConfig = {
+        Type = mkOptionDefault "oneshot";
+        ExecStart = [ "${krb5-host}" ];
+      };
+    };
   };
 }