chore: ipa and sssd modules

2026-02-09 04:19:19 -08:00 · 2024-04-05 15:01:05 -07:00 · 2024-04-05 15:01:05 -07:00 · 95e903697a
commit 95e903697a
parent 0a48d9cf5d
14 changed files with 983 additions and 65 deletions
--- a/nixos/sssd.nix
+++ b/nixos/sssd.nix
@ -0,0 +1,60 @@
+{ gensokyo-zone, access, config, lib, ... }: let
+  inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+  inherit (lib.modules) mkIf mkBefore mkAfter mkDefault;
+  inherit (lib.strings) replaceStrings;
+  cfg = config.services.sssd;
+in {
+  imports = [
+    ./krb5.nix
+  ];
+
+  config = {
+    services.sssd = {
+      enable = (mkDefault true);
+      gensokyo-zone = let
+        toService = service: replaceStrings [ "idp." ] [ "${service}." ];
+        toFreeipa = toService "freeipa";
+        toLdap = toService "ldap";
+        lanName = access.getHostnameFor "freeipa" "lan";
+        localName = access.getHostnameFor "freeipa" "local";
+        tailName = access.getHostnameFor "hakurei" "tail";
+        localToo = lanName != localName;
+        servers = mkBefore [
+          lanName
+          (mkIf localToo localName)
+        ];
+        backups = mkAlmostOptionDefault (mkAfter [
+          (toFreeipa lanName)
+          (mkIf config.services.tailscale.enable (toFreeipa tailName))
+        ]);
+      in {
+        krb5.servers = {
+          inherit servers backups;
+        };
+        ldap = {
+          uris = {
+            backups = mkAlmostOptionDefault (mkAfter [
+              (mkIf config.services.tailscale.enable (toLdap tailName))
+            ]);
+          };
+          bind.passwordFile = mkIf (cfg.gensokyo-zone.backend == "ldap") config.sops.secrets.gensokyo-zone-peep-passwords.path;
+        };
+      };
+      environmentFile = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") (mkAlmostOptionDefault
+        config.sops.secrets.gensokyo-zone-sssd-passwords.path
+      );
+    };
+
+    sops.secrets = let
+      sopsFile = mkDefault ./secrets/krb5.yaml;
+    in mkIf (cfg.enable && cfg.gensokyo-zone.enable) {
+      gensokyo-zone-krb5-peep-password = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") {
+        inherit sopsFile;
+      };
+      # TODO: this shouldn't be needed, module is incomplete :(
+      gensokyo-zone-sssd-passwords = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") {
+        inherit sopsFile;
+      };
+    };
+  };
+}