From 86ac38cf2c2f23b0aadf8a0c8c3d7b7616f79e80 Mon Sep 17 00:00:00 2001 From: arcnmx Date: Thu, 28 Mar 2024 09:59:03 -0700 Subject: [PATCH] feat(idp): more ldap objects --- modules/nixos/ldap/hosts.nix | 26 ++++ modules/nixos/ldap/management.nix | 4 +- modules/nixos/ldap/object.nix | 29 ++-- modules/nixos/ldap/permissions.nix | 159 ++++++++++++++++++++ modules/nixos/ldap/users.nix | 6 +- nixos/ipa.nix | 7 + nixos/ldap/permissions.nix | 100 +++++++++++++ nixos/ldap/samba.nix | 182 +++++++++++++++++++++++ nixos/{users/ldap.nix => ldap/users.nix} | 3 + systems/hakurei/nixos.nix | 2 - systems/reimu/nixos.nix | 1 + 11 files changed, 503 insertions(+), 16 deletions(-) create mode 100644 modules/nixos/ldap/hosts.nix create mode 100644 modules/nixos/ldap/permissions.nix create mode 100644 nixos/ldap/permissions.nix create mode 100644 nixos/ldap/samba.nix rename nixos/{users/ldap.nix => ldap/users.nix} (96%) diff --git a/modules/nixos/ldap/hosts.nix b/modules/nixos/ldap/hosts.nix new file mode 100644 index 00000000..c76fcf48 --- /dev/null +++ b/modules/nixos/ldap/hosts.nix @@ -0,0 +1,26 @@ +{ + config, + lib, + ... +}: let + inherit (lib.options) mkOption; +in { + options.users.ldap = with lib.types; { + domainDnSuffix = mkOption { + type = str; + default = ""; + }; + hostDnSuffix = mkOption { + type = str; + default = ""; + }; + serviceDnSuffix = mkOption { + type = str; + default = ""; + }; + sysAccountDnSuffix = mkOption { + type = str; + default = ""; + }; + }; +} diff --git a/modules/nixos/ldap/management.nix b/modules/nixos/ldap/management.nix index 6b920261..89d52c5d 100644 --- a/modules/nixos/ldap/management.nix +++ b/modules/nixos/ldap/management.nix @@ -118,7 +118,7 @@ ldapwhoami - ldapmodify -cf "$MAN_LDAP_ADD" + ldapmodify -cf "$MAN_LDAP_ADD" || true ldapmodify -c -f "$MAN_LDAP_MODIFY" || true 
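Review bot: The four new `*DnSuffix` options in hosts.nix default to `""`, whereas the sibling `permissionDnSuffix`, `privilegeDnSuffix` and `roleDnSuffix` declared in modules/nixos/ldap/permissions.nix in this same commit have no default and fail evaluation when unset; with the `""` default a forgotten suffix silently places DNs directly under the base (e.g. `dn:fqdn=<host>,<base>` for `LDAPSASL_AUTHCID` in the management.nix hunk at -147), which is harder to notice than an evaluation error. Either drop the defaults so an unconfigured suffix is an error, or keep them and add a `description` giving the expected form, e.g. `description = "RDN of the computers container relative to the base, including the trailing comma (e.g. cn=computers,cn=accounts,)";`. Note that management.nix consumes `hostDnSuffix` by plain concatenation with `ldap.base`, not through `withBaseDn`, so a value without the trailing comma yields a malformed DN there.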
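Review bot: `ldapmodify -cf "$MAN_LDAP_ADD" || true` discards the exit status of the add step entirely; `-c` already continues past per-entry errors such as an entry that already exists, so what the `|| true` additionally hides are run-level failures (SASL/GSSAPI bind failure, unreadable input file, unreachable server) that now leave no trace for the caller. Surfacing the status while still not aborting, e.g. `ldapmodify -cf "$MAN_LDAP_ADD" || echo "ldapmodify (add) exited with status $?" >&2`, keeps the intended best-effort behaviour without making a broken bind look like success. The enclosing script continues outside the hunk, and the adjacent modify line already carries the same `|| true`, so the same applies there.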
@@ -147,7 +147,7 @@ in { LDAPBASE = ldap.base; LDAPURI = "ldaps://ldap.int.${config.networking.domain}"; LDAPSASL_MECH = "GSSAPI"; - LDAPSASL_AUTHCID = "dn:krbprincipalname=host/${config.networking.fqdn}@${config.security.ipa.realm},cn=services,cn=accounts,${ldap.base}"; + LDAPSASL_AUTHCID = "dn:fqdn=${config.networking.fqdn},${ldap.hostDnSuffix}${ldap.base}"; # LDAPBINDDN? SMB_SYNC_GROUPS = concatStringsSep "," (map (group: group.name) smbSyncGroups); SMB_SYNC_USERS = concatStringsSep "," (map (user: user.uid) smbSyncUsers); diff --git a/modules/nixos/ldap/object.nix b/modules/nixos/ldap/object.nix index 6b374350..0d4323f0 100644 --- a/modules/nixos/ldap/object.nix +++ b/modules/nixos/ldap/object.nix @@ -9,7 +9,7 @@ inherit (lib.modules) mkIf mkOptionDefault; inherit (lib.attrsets) filterAttrs mapAttrsToList nameValuePair; inherit (lib.lists) optional toList; - inherit (lib.strings) toLower removeSuffix concatMapStrings concatStringsSep optionalString; + inherit (lib.strings) hasSuffix removeSuffix concatMapStrings concatStringsSep concatStrings optionalString; ldap'lib = { specialArgs = { nixosConfig = config; @@ -37,7 +37,7 @@ inherit (ldap'lib) specialArgs; }; mapObjectSettingsToPair = settings: nameValuePair - (removeSuffix ",${config.users.ldap.base}" settings.dn) + (ldap'lib.withoutBaseDn settings.dn) (unmerged.mergeAttrs settings.settings); mapObjectSettingsToAttr = settings: let pair = ldap'lib.mapObjectSettingsToPair settings; 
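Review bot: `LDAPSASL_AUTHCID` builds the host DN by plain concatenation `${ldap.hostDnSuffix}${ldap.base}`, while every other DN this commit constructs (object.nix, users.nix, both permissions.nix files) goes through the new `withBaseDn` helper, which also tolerates a suffix without the trailing comma; `LDAPSASL_AUTHCID = "dn:${config.lib.ldap.withBaseDn "fqdn=${config.networking.fqdn},${ldap.hostDnSuffix}"}";` would keep DN construction in one place. This line also changes which entry the GSSAPI-authenticated client is authorised as — the `fqdn=` host object instead of the `krbprincipalname=host/...` service entry — so any ACI or group membership that referred to the old service DN no longer applies; the new role membership in nixos/ldap/permissions.nix does name the host object, so it is consistent with this change. The `# LDAPBINDDN?` comment left behind suggests the binding identity is still being settled; a short comment stating why the host object rather than the service entry is the authorisation identity would help the next reader.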
@@ -46,12 +46,12 @@ }; mkLdapModifyObjectSettingValues = let mkLdapModifyValues = setting: concatMapStrings (value: '' - ${setting.key}: ${toString value} + ${setting.name}: ${toString value} '') (toList setting.value); in mkLdapModifyValues; mkLdapModifyObjectSettings = let mkLdapModifySetting = setting: '' - ${setting.modifyType}: ${setting.key} + ${setting.modifyType}: ${setting.name} '' + ldap'lib.mkLdapModifyObjectSettingValues setting; in settings: mapAttrsToList (_: mkLdapModifySetting) settings; mkLdapAddObjectSettings = settings: mapAttrsToList (_: ldap'lib.mkLdapModifyObjectSettingValues) settings; @@ -76,7 +76,8 @@ add = object: let enabledSettings = filterAttrs (_: setting: setting.enable) object.settings; addSettings = ldap'lib.mkLdapAddObjectSettings enabledSettings; - in mkHeader "add" object + concatStringsSep "-\n" addSettings; + modifyAfter = "\n" + ldap'lib.mkLdapModifyObject.modify object; + in mkHeader "add" object + concatStrings addSettings + modifyAfter; delete = object: mkHeader "delete" object; modrdn = object: { newrdn, deleteoldrdn, newsuperior }: let modifySettings = '' @@ -93,6 +94,11 @@ ''; in mkHeader "moddn" + modifySettings; }; + withBaseDn = dn: + if hasSuffix ",${config.users.ldap.base}" dn then dn + else if hasSuffix "," dn || dn == "" then "${dn}${config.users.ldap.base}" + else "${dn},${config.users.ldap.base}"; + withoutBaseDn = removeSuffix ",${config.users.ldap.base}"; }; ldapPrimitiveType = with lib.types; oneOf [ str int ]; ldapValueType = with lib.types; oneOf [ ldapPrimitiveType (listOf ldapPrimitiveType) ]; @@ -101,7 +107,7 @@ enable = mkEnableOption "setting" // { default = true; }; - key = mkOption { + name = mkOption { type = str; default = name; }; @@ -110,7 +116,7 @@ }; modifyType = mkOption { type = enum [ "replace" "add" "delete" ]; - default = if toLower config.key == "objectclass" then "add" else "replace"; + default = "replace"; }; }; }; 
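Review bot: `add` now appends a complete `modify` record for the same entry (`modifyAfter`), so every added object is immediately rewritten with `replace:` for each setting that keeps the new `"replace"` default from the hunk at -110, and nothing in the hunk says why; a reader could take the duplicate for a mistake. If the reason is that `ldapmodify -c` skips the add when the entry already exists and the modify is what makes existing entries converge, a comment such as `# follow the add with a modify so an entry that already exists (add rejected, -c continues) still receives these settings` would record that. Be aware the trailing modify runs whether or not the add succeeded, so `replace:` on multi-valued attributes such as `member` overwrites values that were set out of band.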
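Review bot: `withBaseDn` returns `"${dn},${base}"` when `dn` is exactly `config.users.ldap.base`, because only the `,${base}` suffix form is recognised as already absolute; a caller that passes the base itself (the natural value for a location at the top of the tree) gets the base doubled. A guard such as `if dn == config.users.ldap.base || hasSuffix ",${config.users.ldap.base}" dn then dn` closes that case. The helper also accepts three input shapes (absolute DN, relative DN with or without a trailing comma, and the empty string) without saying so; a one-line comment listing them would help the callers in users.nix and permissions.nix that depend on the trailing-comma convention.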
@@ -139,7 +145,7 @@ }; dn = mkOption { type = str; - default = "${name},${ldap.base}"; + default = ldap.lib.withBaseDn "${name}"; }; changeType = mkOption { type = enum [ "modify" "add" "delete" "modrdn" "moddn" ]; @@ -151,6 +157,7 @@ objectClasses = mkOption { type = listOf str; default = [ ]; + description = "additional object classes"; }; settings = mkOption { type = attrsOf ldap.lib.objectSettingType; @@ -159,7 +166,11 @@ }; config = { settings = { - objectClass = mkIf (config.objectClasses != [ ]) (mkOptionDefault config.objectClasses); + objectClasses' = mkIf (config.objectClasses != [ ]) (mkOptionDefault { + name = "objectClass"; + modifyType = "add"; + value = config.objectClasses; + }); }; changeText = mkOptionDefault (ldap'lib.mkLdapModifyObject.${config.changeType} config); }; diff --git a/modules/nixos/ldap/permissions.nix b/modules/nixos/ldap/permissions.nix new file mode 100644 index 00000000..1a3759c3 --- /dev/null +++ b/modules/nixos/ldap/permissions.nix 
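Review bot: `objectClasses'` is emitted with `modifyType = "add"`, and because `add` now appends a modify record after every add (hunk at -76), an entry created with `objectClasses` set is followed by `add: objectClass` for values the add already wrote; an LDAP server typically rejects that with attributeOrValueExists, which `ldapmodify -c` only skips over, so each such object produces one error per run. Either exclude `add`-typed settings from the trailing modify record or note in a comment that this error is expected. Minor: `default = ldap.lib.withBaseDn "${name}";` interpolates `name` into a string for no effect, `ldap.lib.withBaseDn name` is clearer; and the new `description = "additional object classes"` could say what they are additional to — presumably the `objectClass` values already on the entry or set directly in `settings`.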
@@ -0,0 +1,159 @@ +{ + config, + lib, + inputs, + ... +}: let + inherit (inputs.self.lib.lib) mkAlmostOptionDefault mapOptionDefaults mapListToAttrs; + inherit (lib.options) mkOption; + inherit (lib.modules) mkIf mkMerge mkOptionDefault; + inherit (lib.attrsets) attrNames mapAttrs mapAttrsToList; + inherit (lib.lists) filter; + cfg = config.users.ldap; + ldap'lib = config.lib.ldap; + permissionModule = {config, name, ldap, ...}: let + targetConf = { + user = { + location = ldap.userDnSuffix; + targetFilter = "(objectclass=posixaccount)"; + }; + user-group = { + location = ldap.groupDnSuffix; + targetFilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))"; + }; + permission = { + location = ldap.permissionDnSuffix; + targetFilter = "(objectclass=ipapermission)"; + }; + privilege = { + location = ldap.privilegeDnSuffix; + targetFilter = "(objectclass=groupofnames)"; + }; + role = { + location = ldap.roleDnSuffix; + targetFilter = "(objectclass=groupofnames)"; + }; + samba-domain = { + location = ""; + target = "sambaDomainName=*,${ldap.base}"; + targetFilter = "(objectclass=sambadomain)"; + }; + domain = { + location = ldap.domainDnSuffix; + targetFilter = "(objectclass=ipantdomainattrs)"; + #target = "cn=*"; + }; + host = { + location = ldap.hostDnSuffix; + # TODO: targetFilter + target = "fqdn=*"; + }; + service = { + location = ldap.serviceDnSuffix; + # TODO: targetFilter + target = "krbprincipalname=*"; + }; + sysaccount = { + location = ldap.sysAccountDnSuffix; + # TODO: targetFilter + target = "uid=*"; + }; + }; + in { + options = with lib.types; { + cn = mkOption { + type = str; + default = name; + }; + bindType = mkOption { + type = enum [ "anonymous" "permission" "all" ]; + default = "permission"; + }; + rights = mkOption { + type = oneOf [ + (listOf (enum [ "read" "search" "compare" "write" "add" "delete" ])) + (enum [ "all" ]) + ]; + default = [ "read" "search" "compare" ]; + }; + targetType = mkOption { + type = nullOr (enum (attrNames 
targetConf)); + default = null; + }; + location = mkOption { + type = str; + }; + target = mkOption { + type = nullOr str; + default = null; + }; + targetFilter = mkOption { + type = nullOr str; + }; + attrs = mkOption { + type = listOf str; + }; + members = mkOption { + type = listOf str; + }; + object = mkOption { + type = ldap.lib.objectSettingsType; + }; + }; + config = let + conf.members = mkIf (config.bindType != "permission") (mkOptionDefault [ ]); + conf.targetFilter = mkIf (config.target != null) (mkOptionDefault null); + conf.object = { + dn = mkOptionDefault (ldap.lib.withBaseDn "cn=${config.cn},${ldap.permissionDnSuffix}"); + settings = { + changeType = mkAlmostOptionDefault "add"; + settings = mapOptionDefaults { + cn = config.cn; + objectClass = [ "top" "groupofnames" "ipapermission" "ipapermissionv2" ]; + ipaPermissionType = [ "SYSTEM" "V2" ]; + ipaPermIncludedAttr = config.attrs; + ipaPermBindRuleType = config.bindType; + ipaPermRight = config.rights; + ipaPermLocation = ldap.lib.withBaseDn config.location; + } // { + member = mkIf (config.members != [ ]) (mkOptionDefault (map ldap.lib.withBaseDn config.members)); + ipaPermTargetFilter = mkIf (config.targetFilter != null) (mkOptionDefault config.targetFilter); + ipaPermTarget = mkIf (config.target != null) (mkOptionDefault config.target); + }; + }; + }; + target = { + location = mkIf (config.targetType != null) (mkAlmostOptionDefault targetConf.${config.targetType}.location); + targetFilter = mkIf (config.targetType != null) (mkAlmostOptionDefault targetConf.${config.targetType}.targetFilter or null); + target = mkIf (config.targetType != null) (mkAlmostOptionDefault targetConf.${config.targetType}.target or null); + }; + in mkMerge [ conf target ]; + }; +in { + options.users.ldap = with lib.types; { + management = { + permissions = mkOption { + type = attrsOf (submoduleWith { + modules = [ permissionModule ]; + inherit (config.lib.ldap) specialArgs; + }); + default = { }; + }; + }; + 
permissionDnSuffix = mkOption { + type = str; + }; + privilegeDnSuffix = mkOption { + type = str; + }; + roleDnSuffix = mkOption { + type = str; + }; + }; + config.users.ldap = { + management.objects = let + permissionObjects = mapAttrsToList (_: user: user.object) cfg.management.permissions; + enabledObjects = filter (object: object.enable) (permissionObjects); + in mapListToAttrs ldap'lib.mapObjectSettingsToPair enabledObjects; + }; +} diff --git a/modules/nixos/ldap/users.nix b/modules/nixos/ldap/users.nix index 08d3d53e..db14b6ed 100644 --- a/modules/nixos/ldap/users.nix +++ b/modules/nixos/ldap/users.nix @@ -6,7 +6,7 @@ }: let inherit (inputs.self.lib.lib) mkAlmostOptionDefault mapListToAttrs; inherit (lib.options) mkOption mkEnableOption; - inherit (lib.modules) mkIf mkDefault mkOptionDefault; + inherit (lib.modules) mkIf mkOptionDefault; inherit (lib.attrsets) mapAttrs mapAttrsToList; inherit (lib.lists) filter; inherit (lib.strings) concatStrings; @@ -80,7 +80,7 @@ }; object = { enable = mkAlmostOptionDefault config.samba.enable; - dn = mkOptionDefault "uid=${config.uid},${ldap.userDnSuffix}${ldap.base}"; + dn = mkOptionDefault (ldap.lib.withBaseDn "uid=${config.uid},${ldap.userDnSuffix}"); settings = { objectClasses = mkIf config.samba.enable [ "sambaSamAccount" ]; settings = mkIf config.samba.enable { @@ -139,7 +139,7 @@ }; object = { enable = mkAlmostOptionDefault config.samba.enable; - dn = mkOptionDefault "cn=${config.name},${ldap.groupDnSuffix}${ldap.base}"; + dn = mkOptionDefault (ldap.lib.withBaseDn "cn=${config.name},${ldap.groupDnSuffix}"); settings = { objectClasses = mkIf config.samba.enable [ "sambaGroupMapping" ]; settings = mkIf config.samba.enable { diff --git a/nixos/ipa.nix b/nixos/ipa.nix index 9ea3cfd8..4c8288c7 100644 --- a/nixos/ipa.nix +++ b/nixos/ipa.nix 
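Review bot: `ipaPermTarget` is written verbatim from `config.target`, while `ipaPermLocation` and `member` are normalised through `ldap.lib.withBaseDn`; the built-in `host`, `service` and `sysaccount` entries of `targetConf` supply bare RDN patterns (`fqdn=*`, `krbprincipalname=*`, `uid=*`) and `samba-domain` supplies an absolute DN, so the same option carries two different meanings. A FreeIPA permission target is a DN, so a bare `fqdn=*` is unlikely to match the host entries under `hostDnSuffix`; one consistent scheme is to treat `target` as relative to `location` and emit `ipaPermTarget = mkIf (config.target != null) (mkOptionDefault (ldap.lib.withBaseDn "${config.target},${config.location}"));`, with the samba-domain entry then dropping its explicit `,${ldap.base}`. Whichever form is intended, none of the new options (`bindType`, `rights`, `targetType`, `location`, `target`, `targetFilter`, `attrs`, `members`) carries a `description`, and the trailing-comma convention for `location` is only discoverable from ipa.nix. The `# TODO: targetFilter` entries also mean a `host`/`service`/`sysaccount` permission with `target` set silently gets `targetFilter = null` via `conf.targetFilter`, which is worth stating in the option doc.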
@@ -26,6 +26,13 @@ in { #samba.domainSID = mkDefault "S-1-5-21-208293719-3143191303-229982100"; # HAKUREI userDnSuffix = mkDefault "cn=users,cn=accounts,"; groupDnSuffix = mkDefault "cn=groups,cn=accounts,"; + permissionDnSuffix = mkDefault "cn=permissions,cn=pbac,"; + privilegeDnSuffix = mkDefault "cn=privileges,cn=pbac,"; + roleDnSuffix = mkDefault "cn=roles,cn=accounts,"; + serviceDnSuffix = mkDefault "cn=services,cn=accounts,"; + hostDnSuffix = mkDefault "cn=computers,cn=accounts,"; + sysAccountDnSuffix = mkDefault "cn=sysaccounts,cn=etc,"; + domainDnSuffix = mkDefault "cn=ad,cn=etc,"; }; security.ipa = { enable = mkDefault true; diff --git a/nixos/ldap/permissions.nix b/nixos/ldap/permissions.nix new file mode 100644 index 00000000..7f24d516 --- /dev/null +++ b/nixos/ldap/permissions.nix 
@@ -0,0 +1,100 @@ +{config, lib, ...}: let + inherit (lib.modules) mkDefault; + inherit (config.users) ldap; + inherit (ldap.management) permissions; + adminPriv = "cn=Custom Management Admin,${ldap.privilegeDnSuffix}"; +in { + config.users.ldap.management = { + enable = mkDefault true; + permissions = { + "Custom Anonymous User Read" = { + bindType = "anonymous"; + targetType = "user"; + attrs = [ "gidnumber" "homedirectory" "ipantsecurityidentifier" "loginshell" "manager" "objectclass" "title" "uid" "uidnumber" ]; + }; + "Custom Permission Admin" = { + location = ldap.permissionDnSuffix; + target = "cn=*"; + rights = "all"; + members = [ adminPriv ]; + attrs = [ + "member" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory" + "ipapermtarget" "ipapermright" "ipapermincludedattr" "ipapermbindruletype" "ipapermexcludedattr" "ipapermtargetto" "ipapermissiontype" "ipapermlocation" "ipapermdefaultattr" "ipapermtargetfrom" "ipapermtargetfilter" + ]; + }; + "Custom Privilege Admin" = { + location = ldap.privilegeDnSuffix; + target = "cn=*"; + rights = "all"; + members = [ adminPriv ]; + attrs = [ + "member" "memberof" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory" + ]; + }; + "Custom Role Admin" = { + location = ldap.roleDnSuffix; + target = "cn=*"; + rights = "all"; + members = [ adminPriv ]; + attrs = [ + "member" "memberof" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory" + ]; + }; + "Custom Role Modify" = { + targetType = "role"; + rights = [ "write" ]; + members = [ adminPriv ]; + attrs = permissions."Custom Role Admin".attrs; + }; + "Custom Host Permission" = { + targetType = "host"; + rights = [ "write" ]; + members = [ adminPriv ]; + attrs = [ + "memberof" + ]; + }; + "Custom SysAccount Permission" = { + targetType = "sysaccount"; + rights = [ "write" ]; + members = [ adminPriv ]; + attrs = [ + "memberof" + ]; + }; + "Custom Service Permission" = { + targetType = "service"; + 
rights = [ "write" ]; + members = [ adminPriv ]; + attrs = [ + "memberof" + ]; + }; + }; + objects = { + ${adminPriv} = { + changeType = "add"; + settings = { + objectClass = [ "top" "nestedgroup" "groupofnames" ]; + member = map config.lib.ldap.withBaseDn [ + "cn=Security Architect,${ldap.roleDnSuffix}" + ]; + }; + }; + # change default public access + "cn=System: Read User Compat Tree,${ldap.permissionDnSuffix}" = { + settings.ipaPermBindRuleType = "all"; + }; + "cn=System: Read User Views Compat Tree,${ldap.permissionDnSuffix}" = { + settings.ipaPermBindRuleType = "all"; + }; + "cn=System: Read User Standard Attributes,${ldap.permissionDnSuffix}" = { + settings.ipaPermBindRuleType = "all"; + }; + # allow reimu to actually make these changes... + "cn=Security Architect,${ldap.roleDnSuffix}" = { + settings.member = [ "fqdn=reimu.${config.networking.domain},${ldap.hostDnSuffix}${ldap.base}" ]; + }; + }; + }; +} diff --git a/nixos/ldap/samba.nix b/nixos/ldap/samba.nix new file mode 100644 index 00000000..1c24a47f --- /dev/null +++ b/nixos/ldap/samba.nix 
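Review bot: `settings.member` on `cn=Security Architect,${ldap.roleDnSuffix}` relies on the default `modifyType`, which this commit sets to `"replace"` for every setting (object.nix hunk at -110), so — assuming the default `changeType` of `modify` that the "change default public access" comment implies — the generated LDIF replaces the role's whole `member` list with the single reimu host principal and silently removes any other principals already assigned to that built-in role. If the host is meant to be added alongside existing members, use the attribute form this commit introduces for `objectClasses'`: `settings.member = { modifyType = "add"; value = [ "fqdn=reimu.${config.networking.domain},${ldap.hostDnSuffix}${ldap.base}" ]; };` (that DN could also go through `config.lib.ldap.withBaseDn`, as `adminPriv`'s member does a few lines above). The three `ipaPermBindRuleType = "all"` overrides are single-valued, so replace is right there. Separately, `"Custom Anonymous User Read"` exposes `uid`, `uidnumber`, `homedirectory`, `manager` and `ipantsecurityidentifier` to unauthenticated binds, whereas the System permissions in the same block are only relaxed to `all` (authenticated users); unless anonymous directory clients are required, `bindType = "all"` would limit account enumeration to authenticated principals, and the choice deserves a comment either way.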
@@ -0,0 +1,182 @@ +{config, lib, ...}: let + inherit (lib.modules) mkDefault; + inherit (config.users) ldap; + inherit (ldap.management) permissions; + adminPriv = "cn=Custom Management Admin,${ldap.privilegeDnSuffix}"; + smbPriv = "cn=Samba smbd,${ldap.privilegeDnSuffix}"; + smbRole = "cn=Samba smbd,${ldap.roleDnSuffix}"; + smbAccountAttrs = [ "sambasid" "sambapwdlastset" "sambaacctflags" "sambapasswordhistory" "sambantpassword" ]; + smbGroupAttrs = [ "sambasid" "sambagrouptype" ]; + smbDomainAttrs = [ "sambasid" "sambaRefuseMachinePwdChange" "sambaMinPwdLength" "sambaAlgorithmicRidBase" "sambaPwdHistoryLength" "sambaDomainName" "sambaMinPwdAge" "sambaMaxPwdAge" "sambaLockoutThreshold" "sambaForceLogoff" "sambaLogonToChgPwd" "sambaLockoutObservationWindow" "sambaNextUserRid" "sambaLockoutDuration" ]; +in { + config.users.ldap.management = { + enable = mkDefault true; + permissions = { + "Custom Samba User Read" = { + targetType = "user"; + attrs = [ "ipanthash" "ipanthomedirectory" "ipanthomedirectorydrive" "ipantlogonscript" "ipantprofilepath" "ipantsecurityidentifier" ] ++ smbAccountAttrs; + members = [ smbPriv ]; + }; + "Custom Samba User Modify" = { + targetType = "user"; + rights = [ "write" ]; + attrs = smbAccountAttrs; + members = permissions."Custom Samba User Admin".members; + }; + "Custom Samba User Admin" = { + targetType = "user"; + rights = [ "write" "add" ]; + attrs = [ "objectclass" ]; + members = [ adminPriv ]; + }; + "Custom Samba Group Read" = { + targetType = "user-group"; + attrs = [ "ipantsecurityidentifier" "gidnumber" ] ++ smbGroupAttrs; + members = [ smbPriv ]; + }; + "Custom Samba Group Modify" = { + targetType = "user-group"; + rights = [ "write" ]; + attrs = smbGroupAttrs; + members = permissions."Custom Samba Group Admin".members; + }; + "Custom Samba Group Admin" = { + targetType = "user-group"; + rights = [ "write" "add" ]; + attrs = [ "objectclass" ]; + members = [ adminPriv ]; + }; + "Custom Samba Domain Read" = { + targetType = 
"samba-domain"; + attrs = [ "objectClass" ] ++ smbDomainAttrs; + members = [ smbPriv ]; + }; + "Custom Samba Domain Modify" = { + targetType = "samba-domain"; + rights = [ "write" ]; + attrs = smbDomainAttrs; + members = permissions."Custom Samba Domain Admin".members; + }; + "Custom Samba Domain Admin" = { + targetType = "domain"; + rights = [ "write" "add" ]; + attrs = [ "objectclass" ]; + members = [ adminPriv ]; + }; + "Custom Samba Realm Read" = { + targetType = "domain"; + attrs = [ "objectClass" "ipaNTSecurityIdentifier" "ipaNTFlatName" "ipaNTDomainGUID" "ipaNTFallbackPrimaryGroup" ] ++ smbDomainAttrs; + members = [ smbPriv ]; + }; + "Custom Samba Realm Modify" = { + targetType = "domain"; + rights = [ "write" ]; + attrs = smbDomainAttrs; + members = permissions."Custom Samba Realm Admin".members; + }; + "Custom Samba Realm Admin" = { + targetType = "user-group"; + rights = [ "write" "add" ]; + attrs = [ "objectclass" ]; + members = [ adminPriv ]; + }; + }; + users = { + guest.user.enable = true; + admin = { + user.enable = true; + samba.enable = true; + }; + opl = { + user.enable = true; + samba = { + enable = true; + #sync.enable = true; + accountFlags = { + noPasswordExpiry = mkDefault true; + normalUser = true; + }; + }; + object.settings.settings = { + sambaNTPassword = "F7C2C5D78C24EACB73550B02BF5888E3"; + sambaLMPassword = "A5C96CDE7660B20BAAD3B435B51404EE"; + }; + }; + }; + groups = { + nogroup = { + group.enable = true; + samba.enable = true; + }; + guest = { + samba = { + enable = true; + groupType = 4; + sid = "S-1-5-32-546"; + }; + }; + admin = { + group.enable = true; + samba.enable = true; + }; + kyuuto-peeps = { + group.enable = true; + samba.enable = true; + }; + kyuuto = { + group.enable = true; + samba.enable = true; + }; + peeps = { + group.enable = true; + samba.enable = true; + }; + admins = { + samba = { + enable = true; + #sync.enable = true; + groupType = 4; + sid = "S-1-5-32-544"; + }; + }; + smb = { + name = "Default SMB Group"; + 
samba = { + enable = true; + #sync.enable = true; + groupType = 4; + sid = "S-1-5-32-545"; + }; + }; + }; + objects = { + ${smbPriv} = { + changeType = "add"; + settings = { + objectClass = [ "top" "nestedgroup" "groupofnames" ]; + member = map config.lib.ldap.withBaseDn [ + "cn=Security Architect,${ldap.roleDnSuffix}" + "uid=samba,${ldap.sysAccountDnSuffix}" + smbRole + ]; + }; + }; + ${smbRole} = { + changeType = "add"; + settings = { + objectClass = [ "top" "nestedgroup" "groupofnames" ]; + member = map config.lib.ldap.withBaseDn [ + "krbprincipalname=cifs/hakurei.${config.networking.domain}@${config.security.ipa.realm},${ldap.serviceDnSuffix}" + ]; + }; + }; + "cn=${config.networking.domain},${ldap.domainDnSuffix}" = { + objectClasses = [ "sambaDomain" ]; + settings = { + sambaSID = ldap.samba.domainSID; + sambaDomainName = "GENSOKYO"; + }; + }; + }; + }; +} diff --git a/nixos/users/ldap.nix b/nixos/ldap/users.nix similarity index 96% rename from nixos/users/ldap.nix rename to nixos/ldap/users.nix index 63f9b5f6..5fe8c17c 100644 --- a/nixos/users/ldap.nix +++ b/nixos/ldap/users.nix @@ -91,6 +91,9 @@ in { }; }; }; + objects = { + # TODO: ipa hostname krb5 aliases should be populated here!!! + }; } ]; }; } diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix index a925d438..8bdbe41d 100644 --- a/systems/hakurei/nixos.nix +++ b/systems/hakurei/nixos.nix @@ -52,8 +52,6 @@ in { ./reisen-ssh.nix ]; - users.ldap.management.enable = true; - sops.secrets.cloudflared-tunnel-hakurei = { owner = config.services.cloudflared.user; }; diff --git a/systems/reimu/nixos.nix b/systems/reimu/nixos.nix index 92165e40..ef34550d 100644 --- a/systems/reimu/nixos.nix +++ b/systems/reimu/nixos.nix @@ -10,6 +10,7 @@ nixos.steam.beatsaber nixos.tailscale nixos.ipa + nixos.ldap nixos.nfs ];
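Review bot: `opl.object.settings.settings` hard-codes `sambaNTPassword` and `sambaLMPassword` as Nix string literals, so these password-equivalent hashes live in the repository history and in the world-readable Nix store of every host that evaluates the module. The repo already uses `sops.secrets` (see the hakurei hunk), so the values should be supplied from a secret at activation time rather than in the expression, and the LM hash should be dropped altogether, since the LM format is obsolete and far weaker than NT. Separately, `"Custom Samba Domain Admin"` has `targetType = "domain"` and `"Custom Samba Realm Admin"` has `targetType = "user-group"`, which looks swapped relative to the Read/Modify entries beside them (Domain → `samba-domain`, Realm → `domain`); as written Realm Admin grants `adminPriv` write/add on `objectclass` of every user group, and Realm Modify inherits its members from it. If the mismatch is intended, the two entries deserve a comment saying why.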