feat(exports): service access

2026-02-09 04:19:19 -08:00 · 2024-02-19 17:34:39 -08:00 · 2024-02-19 17:34:39 -08:00 · 871b1c5b2d
commit 871b1c5b2d
parent 91918b8061
69 changed files with 1317 additions and 509 deletions
--- a/nixos/sssd.nix
+++ b/nixos/sssd.nix
@ -1,7 +1,8 @@
 { gensokyo-zone, access, config, lib, ... }: let
  inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
  inherit (lib.modules) mkIf mkBefore mkAfter mkDefault;
-  inherit (lib.strings) replaceStrings;
+  inherit (lib.lists) tail;
+  inherit (lib.strings) splitString concatStringsSep;
  cfg = config.services.sssd;
 in {
  imports = [
@ -12,29 +13,34 @@ in {
    services.sssd = {
      enable = (mkDefault true);
      gensokyo-zone = let
-        toService = service: replaceStrings [ "idp." ] [ "${service}." ];
+        serviceFragment = service: service;
+        toService = service: hostname: let
+          segments = splitString "." hostname;
+        in concatStringsSep "." ([ (serviceFragment service) ] ++ tail segments);
        toFreeipa = toService "freeipa";
-        toLdap = toService "ldap";
-        lanName = access.getHostnameFor "freeipa" "lan";
-        localName = access.getHostnameFor "freeipa" "local";
        tailName = access.getHostnameFor "hakurei" "tail";
-        localToo = lanName != localName;
-        servers = mkBefore [
-          lanName
-          (mkIf localToo localName)
-        ];
-        backups = mkAlmostOptionDefault (mkAfter [
-          (toFreeipa lanName)
-          (mkIf config.services.tailscale.enable (toFreeipa tailName))
-        ]);
-      in {
-        krb5.servers = {
-          inherit servers backups;
+        mkServers = serviceName: let
+          system = access.systemForService serviceName;
+          lanName = access.getHostnameFor system.name "lan";
+          localName = access.getHostnameFor system.name "local";
+          localToo = lanName != localName;
+        in {
+          servers = mkBefore [
+            lanName
+            (mkIf localToo localName)
+          ];
+          backups = mkAlmostOptionDefault (mkAfter [
+            (toFreeipa lanName)
+            (mkIf config.services.tailscale.enable (toFreeipa tailName))
+          ]);
        };
+      in {
+        krb5.servers = mkServers "kerberos";
+        ipa.servers = mkServers "freeipa";
        ldap = {
          uris = {
            backups = mkAlmostOptionDefault (mkAfter [
-              (mkIf config.services.tailscale.enable (toLdap tailName))
+              (mkIf config.services.tailscale.enable (toService "ldap" tailName))
            ]);
          };
          bind.passwordFile = mkIf (cfg.gensokyo-zone.backend == "ldap") config.sops.secrets.gensokyo-zone-peep-passwords.path;