chore: ipa and sssd modules

2026-02-09 12:29:19 -08:00 · 2024-04-05 15:01:05 -07:00 · 2024-04-05 15:01:05 -07:00 · 95e903697a
commit 95e903697a
parent 0a48d9cf5d
14 changed files with 983 additions and 65 deletions
--- a/nixos/ipa.nix
+++ b/nixos/ipa.nix
@ -1,15 +1,5 @@
-{ inputs, pkgs, config, lib, ... }: let
-  inherit (inputs.self.lib.lib) mkBaseDn;
-  inherit (lib.modules) mkIf mkDefault mkOptionDefault;
-  inherit (lib.strings) toUpper;
-  inherit (config.networking) domain;
-  cfg = config.security.ipa;
-  baseDn = mkBaseDn domain;
-  caPem = pkgs.fetchurl {
-    name = "idp.${domain}.ca.pem";
-    url = "https://freeipa.${domain}/ipa/config/ca.crt";
-    sha256 = "sha256-PKjnjn1jIq9x4BX8+WGkZfj4HQtmnHqmFSALqggo91o=";
-  };
+{ config, lib, ... }: let
+  inherit (lib.modules) mkDefault;
 in {
  # NOTE: requires manual post-install setup...
  # :; kinit admin
@ -18,54 +8,18 @@ in {
  # :; ipa-getkeytab -k /tmp/krb5.keytab -s idp.${domain} -p ${serviceName}/idp.${domain}@${toUpper domain}
  # once the sops secret has been updated with keytab...
  # :; systemctl restart sssd
+
+  imports = [
+    ./krb5.nix
+    ./sssd.nix
+  ];
+
  config = {
-    users.ldap = {
-      base = mkDefault baseDn;
-      server = mkDefault "ldaps://ldap.local.${domain}";
-      samba.domainSID = mkDefault "S-1-5-21-1535650373-1457993706-2355445124";
-      #samba.domainSID = mkDefault "S-1-5-21-208293719-3143191303-229982100"; # HAKUREI
-      userDnSuffix = mkDefault "cn=users,cn=accounts,";
-      groupDnSuffix = mkDefault "cn=groups,cn=accounts,";
-      permissionDnSuffix = mkDefault "cn=permissions,cn=pbac,";
-      privilegeDnSuffix = mkDefault "cn=privileges,cn=pbac,";
-      roleDnSuffix = mkDefault "cn=roles,cn=accounts,";
-      serviceDnSuffix = mkDefault "cn=services,cn=accounts,";
-      hostDnSuffix = mkDefault "cn=computers,cn=accounts,";
-      hostGroupDnSuffix = mkDefault "cn=hostgroups,cn=accounts,";
-      idViewDnSuffix = mkDefault "cn=views,cn=accounts,";
-      sysAccountDnSuffix = mkDefault "cn=sysaccounts,cn=etc,";
-      domainDnSuffix = mkDefault "cn=ad,cn=etc,";
-    };
    security.ipa = {
      enable = mkDefault true;
-      certificate = mkDefault caPem;
-      basedn = mkDefault baseDn;
-      chromiumSupport = mkDefault false;
-      domain = mkDefault domain;
-      realm = mkDefault (toUpper domain);
-      server = mkDefault "idp.${domain}";
-      ifpAllowedUids = [
-        "root"
-      ] ++ config.users.groups.wheel.members;
-      dyndns.enable = mkDefault false;
-    };
-    sops.secrets = {
-      krb5-keytab = mkIf cfg.enable {
-        mode = "0400";
-        path = "/etc/krb5.keytab";
-      };
-    };
-    systemd.services.krb5-host = let
-      krb5-host = pkgs.writeShellScript "krb5-host" ''
-        set -eu
-
-        kinit -k host/${config.networking.fqdn}
-      '';
-    in mkIf cfg.enable {
-      path = [ config.security.krb5.package ];
-      serviceConfig = {
-        Type = mkOptionDefault "oneshot";
-        ExecStart = [ "${krb5-host}" ];
+      overrideConfigs = {
+        krb5 = mkDefault false;
+        sssd = mkDefault false;
      };
    };
  };