gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(idp): more ldap objects

Browse source
This commit is contained in:
arcnmx 2024-03-28 09:59:03 -07:00
parent 69508d43a3
commit 86ac38cf2c
11 changed files with 503 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

26
modules/nixos/ldap/hosts.nix Normal file
View file

@ -0,0 +1,26 @@
{
config,
lib,
...
}: let
inherit (lib.options) mkOption;
in {
options.users.ldap = with lib.types; {
domainDnSuffix = mkOption {
type = str;
default = "";
};
hostDnSuffix = mkOption {
type = str;
default = "";
};
serviceDnSuffix = mkOption {
type = str;
default = "";
};
sysAccountDnSuffix = mkOption {
type = str;
default = "";
};
};
}

4
modules/nixos/ldap/management.nix
View file

@ -118,7 +118,7 @@
ldapwhoami ldapwhoami
ldapmodify -cf "$MAN_LDAP_ADD" ldapmodify -cf "$MAN_LDAP_ADD" || true
ldapmodify -c -f "$MAN_LDAP_MODIFY" || true ldapmodify -c -f "$MAN_LDAP_MODIFY" || true
@ -147,7 +147,7 @@ in {
LDAPBASE = ldap.base; LDAPBASE = ldap.base;
LDAPURI = "ldaps://ldap.int.${config.networking.domain}"; LDAPURI = "ldaps://ldap.int.${config.networking.domain}";
LDAPSASL_MECH = "GSSAPI"; LDAPSASL_MECH = "GSSAPI";
LDAPSASL_AUTHCID = "dn:krbprincipalname=host/${config.networking.fqdn}@${config.security.ipa.realm},cn=services,cn=accounts,${ldap.base}"; LDAPSASL_AUTHCID = "dn:fqdn=${config.networking.fqdn},${ldap.hostDnSuffix}${ldap.base}";
# LDAPBINDDN? # LDAPBINDDN?
SMB_SYNC_GROUPS = concatStringsSep "," (map (group: group.name) smbSyncGroups); SMB_SYNC_GROUPS = concatStringsSep "," (map (group: group.name) smbSyncGroups);
SMB_SYNC_USERS = concatStringsSep "," (map (user: user.uid) smbSyncUsers); SMB_SYNC_USERS = concatStringsSep "," (map (user: user.uid) smbSyncUsers);

29
modules/nixos/ldap/object.nix
View file

@ -9,7 +9,7 @@
inherit (lib.modules) mkIf mkOptionDefault; inherit (lib.modules) mkIf mkOptionDefault;
inherit (lib.attrsets) filterAttrs mapAttrsToList nameValuePair; inherit (lib.attrsets) filterAttrs mapAttrsToList nameValuePair;
inherit (lib.lists) optional toList; inherit (lib.lists) optional toList;
inherit (lib.strings) toLower removeSuffix concatMapStrings concatStringsSep optionalString; inherit (lib.strings) hasSuffix removeSuffix concatMapStrings concatStringsSep concatStrings optionalString;
ldap'lib = { ldap'lib = {
specialArgs = { specialArgs = {
nixosConfig = config; nixosConfig = config;
@ -37,7 +37,7 @@
inherit (ldap'lib) specialArgs; inherit (ldap'lib) specialArgs;
}; };
mapObjectSettingsToPair = settings: nameValuePair mapObjectSettingsToPair = settings: nameValuePair
(removeSuffix ",${config.users.ldap.base}" settings.dn) (ldap'lib.withoutBaseDn settings.dn)
(unmerged.mergeAttrs settings.settings); (unmerged.mergeAttrs settings.settings);
mapObjectSettingsToAttr = settings: let mapObjectSettingsToAttr = settings: let
pair = ldap'lib.mapObjectSettingsToPair settings; pair = ldap'lib.mapObjectSettingsToPair settings;
@ -46,12 +46,12 @@
}; };
mkLdapModifyObjectSettingValues = let mkLdapModifyObjectSettingValues = let
mkLdapModifyValues = setting: concatMapStrings (value: '' mkLdapModifyValues = setting: concatMapStrings (value: ''
${setting.key}: ${toString value} ${setting.name}: ${toString value}
'') (toList setting.value); '') (toList setting.value);
in mkLdapModifyValues; in mkLdapModifyValues;
mkLdapModifyObjectSettings = let mkLdapModifyObjectSettings = let
mkLdapModifySetting = setting: '' mkLdapModifySetting = setting: ''
${setting.modifyType}: ${setting.key} ${setting.modifyType}: ${setting.name}
'' + ldap'lib.mkLdapModifyObjectSettingValues setting; '' + ldap'lib.mkLdapModifyObjectSettingValues setting;
in settings: mapAttrsToList (_: mkLdapModifySetting) settings; in settings: mapAttrsToList (_: mkLdapModifySetting) settings;
mkLdapAddObjectSettings = settings: mapAttrsToList (_: ldap'lib.mkLdapModifyObjectSettingValues) settings; mkLdapAddObjectSettings = settings: mapAttrsToList (_: ldap'lib.mkLdapModifyObjectSettingValues) settings;
@ -76,7 +76,8 @@
add = object: let add = object: let
enabledSettings = filterAttrs (_: setting: setting.enable) object.settings; enabledSettings = filterAttrs (_: setting: setting.enable) object.settings;
addSettings = ldap'lib.mkLdapAddObjectSettings enabledSettings; addSettings = ldap'lib.mkLdapAddObjectSettings enabledSettings;
in mkHeader "add" object + concatStringsSep "-\n" addSettings; modifyAfter = "\n" + ldap'lib.mkLdapModifyObject.modify object;
in mkHeader "add" object + concatStrings addSettings + modifyAfter;
delete = object: mkHeader "delete" object; delete = object: mkHeader "delete" object;
modrdn = object: { newrdn, deleteoldrdn, newsuperior }: let modrdn = object: { newrdn, deleteoldrdn, newsuperior }: let
modifySettings = '' modifySettings = ''
@ -93,6 +94,11 @@
''; '';
in mkHeader "moddn" + modifySettings; in mkHeader "moddn" + modifySettings;
}; };
withBaseDn = dn:
if hasSuffix ",${config.users.ldap.base}" dn then dn
else if hasSuffix "," dn || dn == "" then "${dn}${config.users.ldap.base}"
else "${dn},${config.users.ldap.base}";
withoutBaseDn = removeSuffix ",${config.users.ldap.base}";
}; };
ldapPrimitiveType = with lib.types; oneOf [ str int ]; ldapPrimitiveType = with lib.types; oneOf [ str int ];
ldapValueType = with lib.types; oneOf [ ldapPrimitiveType (listOf ldapPrimitiveType) ]; ldapValueType = with lib.types; oneOf [ ldapPrimitiveType (listOf ldapPrimitiveType) ];
@ -101,7 +107,7 @@
enable = mkEnableOption "setting" // { enable = mkEnableOption "setting" // {
default = true; default = true;
}; };
key = mkOption { name = mkOption {
type = str; type = str;
default = name; default = name;
}; };
@ -110,7 +116,7 @@
}; };
modifyType = mkOption { modifyType = mkOption {
type = enum [ "replace" "add" "delete" ]; type = enum [ "replace" "add" "delete" ];
default = if toLower config.key == "objectclass" then "add" else "replace"; default = "replace";
}; };
}; };
}; };
@ -139,7 +145,7 @@
}; };
dn = mkOption { dn = mkOption {
type = str; type = str;
default = "${name},${ldap.base}"; default = ldap.lib.withBaseDn "${name}";
}; };
changeType = mkOption { changeType = mkOption {
type = enum [ "modify" "add" "delete" "modrdn" "moddn" ]; type = enum [ "modify" "add" "delete" "modrdn" "moddn" ];
@ -151,6 +157,7 @@
objectClasses = mkOption { objectClasses = mkOption {
type = listOf str; type = listOf str;
default = [ ]; default = [ ];
description = "additional object classes";
}; };
settings = mkOption { settings = mkOption {
type = attrsOf ldap.lib.objectSettingType; type = attrsOf ldap.lib.objectSettingType;
@ -159,7 +166,11 @@
}; };
config = { config = {
settings = { settings = {
objectClass = mkIf (config.objectClasses != [ ]) (mkOptionDefault config.objectClasses); objectClasses' = mkIf (config.objectClasses != [ ]) (mkOptionDefault {
name = "objectClass";
modifyType = "add";
value = config.objectClasses;
});
}; };
changeText = mkOptionDefault (ldap'lib.mkLdapModifyObject.${config.changeType} config); changeText = mkOptionDefault (ldap'lib.mkLdapModifyObject.${config.changeType} config);
}; };

159
modules/nixos/ldap/permissions.nix Normal file
View file

@ -0,0 +1,159 @@
{
config,
lib,
inputs,
...
}: let
inherit (inputs.self.lib.lib) mkAlmostOptionDefault mapOptionDefaults mapListToAttrs;
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkMerge mkOptionDefault;
inherit (lib.attrsets) attrNames mapAttrs mapAttrsToList;
inherit (lib.lists) filter;
cfg = config.users.ldap;
ldap'lib = config.lib.ldap;
permissionModule = {config, name, ldap, ...}: let
targetConf = {
user = {
location = ldap.userDnSuffix;
targetFilter = "(objectclass=posixaccount)";
};
user-group = {
location = ldap.groupDnSuffix;
targetFilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))";
};
permission = {
location = ldap.permissionDnSuffix;
targetFilter = "(objectclass=ipapermission)";
};
privilege = {
location = ldap.privilegeDnSuffix;
targetFilter = "(objectclass=groupofnames)";
};
role = {
location = ldap.roleDnSuffix;
targetFilter = "(objectclass=groupofnames)";
};
samba-domain = {
location = "";
target = "sambaDomainName=*,${ldap.base}";
targetFilter = "(objectclass=sambadomain)";
};
domain = {
location = ldap.domainDnSuffix;
targetFilter = "(objectclass=ipantdomainattrs)";
#target = "cn=*";
};
host = {
location = ldap.hostDnSuffix;
# TODO: targetFilter
target = "fqdn=*";
};
service = {
location = ldap.serviceDnSuffix;
# TODO: targetFilter
target = "krbprincipalname=*";
};
sysaccount = {
location = ldap.sysAccountDnSuffix;
# TODO: targetFilter
target = "uid=*";
};
};
in {
options = with lib.types; {
cn = mkOption {
type = str;
default = name;
};
bindType = mkOption {
type = enum [ "anonymous" "permission" "all" ];
default = "permission";
};
rights = mkOption {
type = oneOf [
(listOf (enum [ "read" "search" "compare" "write" "add" "delete" ]))
(enum [ "all" ])
];
default = [ "read" "search" "compare" ];
};
targetType = mkOption {
type = nullOr (enum (attrNames targetConf));
default = null;
};
location = mkOption {
type = str;
};
target = mkOption {
type = nullOr str;
default = null;
};
targetFilter = mkOption {
type = nullOr str;
};
attrs = mkOption {
type = listOf str;
};
members = mkOption {
type = listOf str;
};
object = mkOption {
type = ldap.lib.objectSettingsType;
};
};
config = let
conf.members = mkIf (config.bindType != "permission") (mkOptionDefault [ ]);
conf.targetFilter = mkIf (config.target != null) (mkOptionDefault null);
conf.object = {
dn = mkOptionDefault (ldap.lib.withBaseDn "cn=${config.cn},${ldap.permissionDnSuffix}");
settings = {
changeType = mkAlmostOptionDefault "add";
settings = mapOptionDefaults {
cn = config.cn;
objectClass = [ "top" "groupofnames" "ipapermission" "ipapermissionv2" ];
ipaPermissionType = [ "SYSTEM" "V2" ];
ipaPermIncludedAttr = config.attrs;
ipaPermBindRuleType = config.bindType;
ipaPermRight = config.rights;
ipaPermLocation = ldap.lib.withBaseDn config.location;
} // {
member = mkIf (config.members != [ ]) (mkOptionDefault (map ldap.lib.withBaseDn config.members));
ipaPermTargetFilter = mkIf (config.targetFilter != null) (mkOptionDefault config.targetFilter);
ipaPermTarget = mkIf (config.target != null) (mkOptionDefault config.target);
};
};
};
target = {
location = mkIf (config.targetType != null) (mkAlmostOptionDefault targetConf.${config.targetType}.location);
targetFilter = mkIf (config.targetType != null) (mkAlmostOptionDefault targetConf.${config.targetType}.targetFilter or null);
target = mkIf (config.targetType != null) (mkAlmostOptionDefault targetConf.${config.targetType}.target or null);
};
in mkMerge [ conf target ];
};
in {
options.users.ldap = with lib.types; {
management = {
permissions = mkOption {
type = attrsOf (submoduleWith {
modules = [ permissionModule ];
inherit (config.lib.ldap) specialArgs;
});
default = { };
};
};
permissionDnSuffix = mkOption {
type = str;
};
privilegeDnSuffix = mkOption {
type = str;
};
roleDnSuffix = mkOption {
type = str;
};
};
config.users.ldap = {
management.objects = let
permissionObjects = mapAttrsToList (_: user: user.object) cfg.management.permissions;
enabledObjects = filter (object: object.enable) (permissionObjects);
in mapListToAttrs ldap'lib.mapObjectSettingsToPair enabledObjects;
};
}

6
modules/nixos/ldap/users.nix
View file

@ -6,7 +6,7 @@
}: let }: let
inherit (inputs.self.lib.lib) mkAlmostOptionDefault mapListToAttrs; inherit (inputs.self.lib.lib) mkAlmostOptionDefault mapListToAttrs;
inherit (lib.options) mkOption mkEnableOption; inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkDefault mkOptionDefault; inherit (lib.modules) mkIf mkOptionDefault;
inherit (lib.attrsets) mapAttrs mapAttrsToList; inherit (lib.attrsets) mapAttrs mapAttrsToList;
inherit (lib.lists) filter; inherit (lib.lists) filter;
inherit (lib.strings) concatStrings; inherit (lib.strings) concatStrings;
@ -80,7 +80,7 @@
}; };
object = { object = {
enable = mkAlmostOptionDefault config.samba.enable; enable = mkAlmostOptionDefault config.samba.enable;
dn = mkOptionDefault "uid=${config.uid},${ldap.userDnSuffix}${ldap.base}"; dn = mkOptionDefault (ldap.lib.withBaseDn "uid=${config.uid},${ldap.userDnSuffix}");
settings = { settings = {
objectClasses = mkIf config.samba.enable [ "sambaSamAccount" ]; objectClasses = mkIf config.samba.enable [ "sambaSamAccount" ];
settings = mkIf config.samba.enable { settings = mkIf config.samba.enable {
@ -139,7 +139,7 @@
}; };
object = { object = {
enable = mkAlmostOptionDefault config.samba.enable; enable = mkAlmostOptionDefault config.samba.enable;
dn = mkOptionDefault "cn=${config.name},${ldap.groupDnSuffix}${ldap.base}"; dn = mkOptionDefault (ldap.lib.withBaseDn "cn=${config.name},${ldap.groupDnSuffix}");
settings = { settings = {
objectClasses = mkIf config.samba.enable [ "sambaGroupMapping" ]; objectClasses = mkIf config.samba.enable [ "sambaGroupMapping" ];
settings = mkIf config.samba.enable { settings = mkIf config.samba.enable {

7
nixos/ipa.nix
View file

@ -26,6 +26,13 @@ in {
#samba.domainSID = mkDefault "S-1-5-21-208293719-3143191303-229982100"; # HAKUREI #samba.domainSID = mkDefault "S-1-5-21-208293719-3143191303-229982100"; # HAKUREI
userDnSuffix = mkDefault "cn=users,cn=accounts,"; userDnSuffix = mkDefault "cn=users,cn=accounts,";
groupDnSuffix = mkDefault "cn=groups,cn=accounts,"; groupDnSuffix = mkDefault "cn=groups,cn=accounts,";
permissionDnSuffix = mkDefault "cn=permissions,cn=pbac,";
privilegeDnSuffix = mkDefault "cn=privileges,cn=pbac,";
roleDnSuffix = mkDefault "cn=roles,cn=accounts,";
serviceDnSuffix = mkDefault "cn=services,cn=accounts,";
hostDnSuffix = mkDefault "cn=computers,cn=accounts,";
sysAccountDnSuffix = mkDefault "cn=sysaccounts,cn=etc,";
domainDnSuffix = mkDefault "cn=ad,cn=etc,";
}; };
security.ipa = { security.ipa = {
enable = mkDefault true; enable = mkDefault true;

100
nixos/ldap/permissions.nix Normal file
View file

@ -0,0 +1,100 @@
{config, lib, ...}: let
inherit (lib.modules) mkDefault;
inherit (config.users) ldap;
inherit (ldap.management) permissions;
adminPriv = "cn=Custom Management Admin,${ldap.privilegeDnSuffix}";
in {
config.users.ldap.management = {
enable = mkDefault true;
permissions = {
"Custom Anonymous User Read" = {
bindType = "anonymous";
targetType = "user";
attrs = [ "gidnumber" "homedirectory" "ipantsecurityidentifier" "loginshell" "manager" "objectclass" "title" "uid" "uidnumber" ];
};
"Custom Permission Admin" = {
location = ldap.permissionDnSuffix;
target = "cn=*";
rights = "all";
members = [ adminPriv ];
attrs = [
"member" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory"
"ipapermtarget" "ipapermright" "ipapermincludedattr" "ipapermbindruletype" "ipapermexcludedattr" "ipapermtargetto" "ipapermissiontype" "ipapermlocation" "ipapermdefaultattr" "ipapermtargetfrom" "ipapermtargetfilter"
];
};
"Custom Privilege Admin" = {
location = ldap.privilegeDnSuffix;
target = "cn=*";
rights = "all";
members = [ adminPriv ];
attrs = [
"member" "memberof" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory"
];
};
"Custom Role Admin" = {
location = ldap.roleDnSuffix;
target = "cn=*";
rights = "all";
members = [ adminPriv ];
attrs = [
"member" "memberof" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory"
];
};
"Custom Role Modify" = {
targetType = "role";
rights = [ "write" ];
members = [ adminPriv ];
attrs = permissions."Custom Role Admin".attrs;
};
"Custom Host Permission" = {
targetType = "host";
rights = [ "write" ];
members = [ adminPriv ];
attrs = [
"memberof"
];
};
"Custom SysAccount Permission" = {
targetType = "sysaccount";
rights = [ "write" ];
members = [ adminPriv ];
attrs = [
"memberof"
];
};
"Custom Service Permission" = {
targetType = "service";
rights = [ "write" ];
members = [ adminPriv ];
attrs = [
"memberof"
];
};
};
objects = {
${adminPriv} = {
changeType = "add";
settings = {
objectClass = [ "top" "nestedgroup" "groupofnames" ];
member = map config.lib.ldap.withBaseDn [
"cn=Security Architect,${ldap.roleDnSuffix}"
];
};
};
# change default public access
"cn=System: Read User Compat Tree,${ldap.permissionDnSuffix}" = {
settings.ipaPermBindRuleType = "all";
};
"cn=System: Read User Views Compat Tree,${ldap.permissionDnSuffix}" = {
settings.ipaPermBindRuleType = "all";
};
"cn=System: Read User Standard Attributes,${ldap.permissionDnSuffix}" = {
settings.ipaPermBindRuleType = "all";
};
# allow reimu to actually make these changes...
"cn=Security Architect,${ldap.roleDnSuffix}" = {
settings.member = [ "fqdn=reimu.${config.networking.domain},${ldap.hostDnSuffix}${ldap.base}" ];
};
};
};
}

182
nixos/ldap/samba.nix Normal file
View file

@ -0,0 +1,182 @@
{config, lib, ...}: let
inherit (lib.modules) mkDefault;
inherit (config.users) ldap;
inherit (ldap.management) permissions;
adminPriv = "cn=Custom Management Admin,${ldap.privilegeDnSuffix}";
smbPriv = "cn=Samba smbd,${ldap.privilegeDnSuffix}";
smbRole = "cn=Samba smbd,${ldap.roleDnSuffix}";
smbAccountAttrs = [ "sambasid" "sambapwdlastset" "sambaacctflags" "sambapasswordhistory" "sambantpassword" ];
smbGroupAttrs = [ "sambasid" "sambagrouptype" ];
smbDomainAttrs = [ "sambasid" "sambaRefuseMachinePwdChange" "sambaMinPwdLength" "sambaAlgorithmicRidBase" "sambaPwdHistoryLength" "sambaDomainName" "sambaMinPwdAge" "sambaMaxPwdAge" "sambaLockoutThreshold" "sambaForceLogoff" "sambaLogonToChgPwd" "sambaLockoutObservationWindow" "sambaNextUserRid" "sambaLockoutDuration" ];
in {
config.users.ldap.management = {
enable = mkDefault true;
permissions = {
"Custom Samba User Read" = {
targetType = "user";
attrs = [ "ipanthash" "ipanthomedirectory" "ipanthomedirectorydrive" "ipantlogonscript" "ipantprofilepath" "ipantsecurityidentifier" ] ++ smbAccountAttrs;
members = [ smbPriv ];
};
"Custom Samba User Modify" = {
targetType = "user";
rights = [ "write" ];
attrs = smbAccountAttrs;
members = permissions."Custom Samba User Admin".members;
};
"Custom Samba User Admin" = {
targetType = "user";
rights = [ "write" "add" ];
attrs = [ "objectclass" ];
members = [ adminPriv ];
};
"Custom Samba Group Read" = {
targetType = "user-group";
attrs = [ "ipantsecurityidentifier" "gidnumber" ] ++ smbGroupAttrs;
members = [ smbPriv ];
};
"Custom Samba Group Modify" = {
targetType = "user-group";
rights = [ "write" ];
attrs = smbGroupAttrs;
members = permissions."Custom Samba Group Admin".members;
};
"Custom Samba Group Admin" = {
targetType = "user-group";
rights = [ "write" "add" ];
attrs = [ "objectclass" ];
members = [ adminPriv ];
};
"Custom Samba Domain Read" = {
targetType = "samba-domain";
attrs = [ "objectClass" ] ++ smbDomainAttrs;
members = [ smbPriv ];
};
"Custom Samba Domain Modify" = {
targetType = "samba-domain";
rights = [ "write" ];
attrs = smbDomainAttrs;
members = permissions."Custom Samba Domain Admin".members;
};
"Custom Samba Domain Admin" = {
targetType = "domain";
rights = [ "write" "add" ];
attrs = [ "objectclass" ];
members = [ adminPriv ];
};
"Custom Samba Realm Read" = {
targetType = "domain";
attrs = [ "objectClass" "ipaNTSecurityIdentifier" "ipaNTFlatName" "ipaNTDomainGUID" "ipaNTFallbackPrimaryGroup" ] ++ smbDomainAttrs;
members = [ smbPriv ];
};
"Custom Samba Realm Modify" = {
targetType = "domain";
rights = [ "write" ];
attrs = smbDomainAttrs;
members = permissions."Custom Samba Realm Admin".members;
};
"Custom Samba Realm Admin" = {
targetType = "user-group";
rights = [ "write" "add" ];
attrs = [ "objectclass" ];
members = [ adminPriv ];
};
};
users = {
guest.user.enable = true;
admin = {
user.enable = true;
samba.enable = true;
};
opl = {
user.enable = true;
samba = {
enable = true;
#sync.enable = true;
accountFlags = {
noPasswordExpiry = mkDefault true;
normalUser = true;
};
};
object.settings.settings = {
sambaNTPassword = "F7C2C5D78C24EACB73550B02BF5888E3";
sambaLMPassword = "A5C96CDE7660B20BAAD3B435B51404EE";
};
};
};
groups = {
nogroup = {
group.enable = true;
samba.enable = true;
};
guest = {
samba = {
enable = true;
groupType = 4;
sid = "S-1-5-32-546";
};
};
admin = {
group.enable = true;
samba.enable = true;
};
kyuuto-peeps = {
group.enable = true;
samba.enable = true;
};
kyuuto = {
group.enable = true;
samba.enable = true;
};
peeps = {
group.enable = true;
samba.enable = true;
};
admins = {
samba = {
enable = true;
#sync.enable = true;
groupType = 4;
sid = "S-1-5-32-544";
};
};
smb = {
name = "Default SMB Group";
samba = {
enable = true;
#sync.enable = true;
groupType = 4;
sid = "S-1-5-32-545";
};
};
};
objects = {
${smbPriv} = {
changeType = "add";
settings = {
objectClass = [ "top" "nestedgroup" "groupofnames" ];
member = map config.lib.ldap.withBaseDn [
"cn=Security Architect,${ldap.roleDnSuffix}"
"uid=samba,${ldap.sysAccountDnSuffix}"
smbRole
];
};
};
${smbRole} = {
changeType = "add";
settings = {
objectClass = [ "top" "nestedgroup" "groupofnames" ];
member = map config.lib.ldap.withBaseDn [
"krbprincipalname=cifs/hakurei.${config.networking.domain}@${config.security.ipa.realm},${ldap.serviceDnSuffix}"
];
};
};
"cn=${config.networking.domain},${ldap.domainDnSuffix}" = {
objectClasses = [ "sambaDomain" ];
settings = {
sambaSID = ldap.samba.domainSID;
sambaDomainName = "GENSOKYO";
};
};
};
};
}

3
nixos/users/ldap.nix → nixos/ldap/users.nix
View file

@ -91,6 +91,9 @@ in {
}; };
}; };
}; };
objects = {
# TODO: ipa hostname krb5 aliases should be populated here!!!
};
} ]; } ];
}; };
} }

2
systems/hakurei/nixos.nix
View file

@ -52,8 +52,6 @@ in {
./reisen-ssh.nix ./reisen-ssh.nix
]; ];
users.ldap.management.enable = true;
sops.secrets.cloudflared-tunnel-hakurei = { sops.secrets.cloudflared-tunnel-hakurei = {
owner = config.services.cloudflared.user; owner = config.services.cloudflared.user;
}; };

1
systems/reimu/nixos.nix
View file

@ -10,6 +10,7 @@
nixos.steam.beatsaber nixos.steam.beatsaber
nixos.tailscale nixos.tailscale
nixos.ipa nixos.ipa
nixos.ldap
nixos.nfs nixos.nfs
]; ];