mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-09 20:39:18 -08:00
91 lines
3.2 KiB
Nix
91 lines
3.2 KiB
Nix
{ inputs, pkgs, config, access, lib, ... }: let
|
|
inherit (inputs.self.lib.lib) mkAlmostOptionDefault mapAlmostOptionDefaults;
|
|
inherit (lib.modules) mkIf mkMerge mkBefore mkDefault mkOptionDefault;
|
|
inherit (lib.strings) replaceStrings;
|
|
inherit (config.security) ipa;
|
|
cfg = config.security.krb5;
|
|
enabled = cfg.enable || ipa.enable;
|
|
domain = cfg.gensokyo-zone.domain;
|
|
in {
|
|
config = {
|
|
security.krb5 = {
|
|
enable = mkIf (!ipa.enable) (mkDefault true);
|
|
settings = {
|
|
libdefaults = mapAlmostOptionDefaults {
|
|
dns_lookup_kdc = false;
|
|
rdns = false;
|
|
};
|
|
};
|
|
gensokyo-zone = let
|
|
toLdap = replaceStrings [ "idp." ] [ "ldap." ];
|
|
system = access.systemForService "kerberos";
|
|
lanName = access.getHostnameFor system.name "lan";
|
|
localName = access.getHostnameFor system.name "local";
|
|
ldapLan = toLdap lanName;
|
|
ldapLocal = toLdap localName;
|
|
in {
|
|
enable = mkDefault true;
|
|
host = mkAlmostOptionDefault lanName;
|
|
ldap = {
|
|
urls = mkMerge [
|
|
(mkOptionDefault (mkBefore [ "ldaps://${ldapLan}" ]))
|
|
(mkIf (ldapLan != ldapLocal) (mkOptionDefault (mkBefore [ "ldaps://${ldapLan}" ])))
|
|
];
|
|
bind.passwordFile = mkIf (cfg.gensokyo-zone.db.backend == "kldap") config.sops.secrets.gensokyo-zone-krb5-passwords.path;
|
|
};
|
|
};
|
|
};
|
|
users.ldap = {
|
|
base = mkDefault cfg.gensokyo-zone.ldap.baseDn;
|
|
server = mkDefault "ldaps://ldap.local.${domain}";
|
|
samba.domainSID = mkDefault "S-1-5-21-1535650373-1457993706-2355445124";
|
|
#samba.domainSID = mkDefault "S-1-5-21-208293719-3143191303-229982100"; # HAKUREI
|
|
userDnSuffix = mkDefault "cn=users,cn=accounts,";
|
|
groupDnSuffix = mkDefault "cn=groups,cn=accounts,";
|
|
permissionDnSuffix = mkDefault "cn=permissions,cn=pbac,";
|
|
privilegeDnSuffix = mkDefault "cn=privileges,cn=pbac,";
|
|
roleDnSuffix = mkDefault "cn=roles,cn=accounts,";
|
|
serviceDnSuffix = mkDefault "cn=services,cn=accounts,";
|
|
hostDnSuffix = mkDefault "cn=computers,cn=accounts,";
|
|
hostGroupDnSuffix = mkDefault "cn=hostgroups,cn=accounts,";
|
|
idViewDnSuffix = mkDefault "cn=views,cn=accounts,";
|
|
sysAccountDnSuffix = mkDefault "cn=sysaccounts,cn=etc,";
|
|
domainDnSuffix = mkDefault "cn=ad,cn=etc,";
|
|
};
|
|
networking.timeServers = [ "2.fedora.pool.ntp.org" ];
|
|
security.ipa = {
|
|
chromiumSupport = mkDefault false;
|
|
};
|
|
services.sssd = {
|
|
domains.${domain}.settings = {
|
|
enumerate = true;
|
|
};
|
|
};
|
|
|
|
systemd.services.krb5-host = let
|
|
krb5-host = pkgs.writeShellScript "krb5-host" ''
|
|
set -eu
|
|
|
|
kinit -k host/${config.networking.fqdn}
|
|
'';
|
|
in mkIf enabled {
|
|
path = [ config.security.krb5.package ];
|
|
serviceConfig = {
|
|
Type = mkOptionDefault "oneshot";
|
|
ExecStart = [ "${krb5-host}" ];
|
|
};
|
|
};
|
|
|
|
sops.secrets = let
|
|
sopsFile = mkDefault ./secrets/krb5.yaml;
|
|
in mkIf enabled {
|
|
krb5-keytab = {
|
|
mode = "0400";
|
|
path = "/etc/krb5.keytab";
|
|
};
|
|
gensokyo-zone-krb5-passwords = mkIf (cfg.gensokyo-zone.db.backend == "kldap") {
|
|
inherit sopsFile;
|
|
};
|
|
};
|
|
};
|
|
}
|