infrastructure/nixos/sssd.nix

{ gensokyo-zone, access, config, lib, ... }: let
  inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
  inherit (lib.modules) mkIf mkBefore mkAfter mkDefault;
  inherit (lib.lists) tail;
  inherit (lib.strings) splitString concatStringsSep;
  cfg = config.services.sssd;
in {
  imports = [
    ./krb5.nix
  ];

  config = {
    services.sssd = {
      enable = (mkDefault true);
      gensokyo-zone = let
        serviceFragment = service: service;
        toService = service: hostname: let
          segments = splitString "." hostname;
        in concatStringsSep "." ([ (serviceFragment service) ] ++ tail segments);
        toFreeipa = toService "freeipa";
        tailName = access.getHostnameFor "hakurei" "tail";
        mkServers = serviceName: let
          system = access.systemForService serviceName;
          lanName = access.getHostnameFor system.name "lan";
          localName = access.getHostnameFor system.name "local";
          localToo = lanName != localName;
        in {
          servers = mkBefore [
            lanName
            (mkIf localToo localName)
          ];
          backups = mkAlmostOptionDefault (mkAfter [
            (toFreeipa lanName)
            (mkIf config.services.tailscale.enable (toFreeipa tailName))
          ]);
        };
      in {
        krb5.servers = mkServers "kerberos";
        ipa.servers = mkServers "freeipa";
        ldap = {
          uris = {
            backups = mkAlmostOptionDefault (mkAfter [
              (mkIf config.services.tailscale.enable (toService "ldap" tailName))
            ]);
          };
          bind.passwordFile = mkIf (cfg.gensokyo-zone.backend == "ldap") config.sops.secrets.gensokyo-zone-peep-passwords.path;
        };
      };
      environmentFile = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") (mkAlmostOptionDefault
        config.sops.secrets.gensokyo-zone-sssd-passwords.path
      );
    };

    sops.secrets = let
      sopsFile = mkDefault ./secrets/krb5.yaml;
    in mkIf (cfg.enable && cfg.gensokyo-zone.enable) {
      gensokyo-zone-krb5-peep-password = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") {
        inherit sopsFile;
      };
      # TODO: this shouldn't be needed, module is incomplete :(
      gensokyo-zone-sssd-passwords = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") {
        inherit sopsFile;
      };
    };
  };
}