gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 20:39:18 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions
infrastructure/modules/nixos/sssd/genso.nix
arcnmx 6db8e4e304 feat(extern): krb5
2024-04-07 15:29:05 -07:00

194 lines
5.9 KiB
Nix
Raw Blame History

{ gensokyo-zone, pkgs, config, lib, ... }: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault mapOptionDefaults mapAlmostOptionDefaults mapDefaults;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkAfter mkDefault mkOptionDefault;
inherit (config.security) krb5 ipa;
inherit (config.services) sssd;
genso = krb5.gensokyo-zone;
cfg = sssd.gensokyo-zone;
serverModule = { config, ... }: {
options = with lib.types; {
servers = mkOption {
type = nullOr (listOf str);
default = null;
};
backups = mkOption {
type = listOf str;
default = [ ];
};
serverName = mkOption {
type = str;
internal = true;
};
serverKind = mkOption {
type = enum [ "server" "uri" ];
default = "server";
internal = true;
};
settings = mkOption {
type = attrsOf (listOf str);
};
};
config = let
key = "${config.serverName}_${config.serverKind}";
keyBackups = "${config.serverName}_backup_${config.serverKind}";
in {
settings = {
${key} = mkIf (config.servers != null) (mkOptionDefault config.servers);
${keyBackups} = mkIf (config.backups != [ ]) (mkOptionDefault config.backups);
};
};
};
mkServerType = { modules }: lib.types.submoduleWith {
modules = [ serverModule ] ++ modules;
specialArgs = {
inherit gensokyo-zone pkgs;
nixosConfig = config;
};
};
mkServerOption = { name, kind ? "server" }: let
serverInfoModule = { ... }: {
config = {
serverName = mkOptionDefault name;
serverKind = mkAlmostOptionDefault kind;
};
};
in mkOption {
type = mkServerType {
modules = [ serverInfoModule ];
};
default = { };
};
in {
options.services.sssd.gensokyo-zone = with lib.types; {
enable = mkEnableOption "realm" // {
default = genso.enable;
};
ldap = {
bind = {
passwordFile = mkOption {
type = nullOr str;
default = null;
};
};
uris = mkServerOption { name = "ldap"; kind = "uri"; };
};
krb5 = {
servers = mkServerOption { name = "krb5"; };
};
ipa = {
servers = mkServerOption { name = "ipa"; } // {
default = {
inherit (cfg.krb5.servers) servers backups;
};
};
hostName = mkOption {
type = str;
default = config.networking.fqdn;
};
};
backend = mkOption {
type = enum [ "ldap" "ipa" ];
default = "ipa";
};
};
config = {
services.sssd = let
# or "ipaNTSecurityIdentifier" which isn't set for most groups, maybe check netgroups..?
objectsid = "sambaSID";
backendDomainSettings = {
ldap = mapDefaults {
id_provider = "ldap";
auth_provider = "krb5";
access_provider = "ldap";
ldap_tls_cacert = "/etc/ssl/certs/ca-bundle.crt";
} // mapOptionDefaults {
ldap_access_order = [ "host" ];
ldap_schema = "IPA";
ldap_default_bind_dn = genso.ldap.bind.dn;
ldap_search_base = genso.ldap.baseDn;
ldap_user_search_base = "cn=users,cn=accounts,${genso.ldap.baseDn}";
ldap_group_search_base = "cn=groups,cn=accounts,${genso.ldap.baseDn}";
ldap_user_uuid = "ipaUniqueID";
ldap_user_ssh_public_key = "ipaSshPubKey";
ldap_user_objectsid = objectsid;
ldap_group_uuid = "ipaUniqueID";
ldap_group_objectsid = objectsid;
};
ipa = mapOptionDefaults {
id_provider = "ipa";
auth_provider = "ipa";
access_provider = "ipa";
chpass_provider = "ipa";
dyndns_update = ipa.dyndns.enable;
dyndns_iface = ipa.dyndns.interface;
};
};
domainSettings = mapAlmostOptionDefaults {
ipa_hostname = cfg.ipa.hostName;
} // mapOptionDefaults {
enumerate = true;
ipa_domain = genso.domain;
krb5_realm = genso.realm;
cache_credentials = ipa.cacheCredentials;
krb5_store_password_if_offline = ipa.offlinePasswords;
#min_id = 8000;
#max_id = 8999;
};
in {
gensokyo-zone = {
krb5.servers.servers = mkMerge [
[ genso.host ]
(mkAfter [ "_srv" genso.canonHost ])
];
ldap.uris = {
servers = mkMerge [
(mkAfter [ "_srv" ])
genso.ldap.urls
];
};
};
domains = mkIf cfg.enable {
${genso.domain} = {
ldap = {
authtok = mkIf (cfg.backend == "ldap") {
passwordFile = mkIf (cfg.ldap.bind.passwordFile != null) (mkAlmostOptionDefault cfg.ldap.bind.passwordFile);
};
extraAttrs.user = {
mail = "mail";
sn = "sn";
givenname = "givenname";
telephoneNumber = "telephoneNumber";
lock = "nsaccountlock";
};
};
settings = mkMerge [
domainSettings
backendDomainSettings.${cfg.backend}
(mapAlmostOptionDefaults cfg.ldap.uris.settings)
(mapAlmostOptionDefaults cfg.krb5.servers.settings)
(mkIf (cfg.backend == "ipa") (mapAlmostOptionDefaults cfg.ipa.servers.settings))
];
};
};
services = mkIf cfg.enable {
nss.settings = mapOptionDefaults {
homedir_substring = "/home";
};
pam.settings = mapOptionDefaults {
pam_pwd_expiration_warning = 3;
pam_verbosity = 3;
};
sudo.enable = mkIf (!sssd.services.pam.enable) (mkDefault false);
ssh.enable = mkIf (!sssd.services.pam.enable) (mkDefault false);
ifp = {
enable = mkAlmostOptionDefault true;
settings = mapOptionDefaults {
allowed_uids = ipa.ifpAllowedUids;
};
};
};
};
};
}
Reference in a new issue View git blame Copy permalink