gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 20:39:18 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions
infrastructure/nixos/ipa.nix
arcnmx 6c88d99ae6 refactor(dnsmasq): system host info
2024-03-29 15:24:43 -07:00

70 lines
2.5 KiB
Nix
Raw Blame History

{ inputs, pkgs, config, lib, ... }: let
inherit (inputs.self.lib.lib) mkBaseDn;
inherit (lib.modules) mkIf mkDefault mkOptionDefault;
inherit (lib.strings) toUpper;
inherit (config.networking) domain;
cfg = config.security.ipa;
baseDn = mkBaseDn domain;
caPem = pkgs.fetchurl {
name = "idp.${domain}.ca.pem";
url = "https://freeipa.${domain}/ipa/config/ca.crt";
sha256 = "sha256-PKjnjn1jIq9x4BX8+WGkZfj4HQtmnHqmFSALqggo91o=";
};
in {
# NOTE: requires manual post-install setup...
# :; kinit admin
# :; ipa-join --hostname=${config.networking.fqdn} -k /tmp/krb5.keytab -s idp.${domain}
# then to authorize it for a specific service...
# :; ipa-getkeytab -k /tmp/krb5.keytab -s idp.${domain} -p ${serviceName}/idp.${domain}@${toUpper domain}
# once the sops secret has been updated with keytab...
# :; systemctl restart sssd
config = {
users.ldap = {
base = mkDefault baseDn;
server = mkDefault "ldaps://ldap.local.${domain}";
samba.domainSID = mkDefault "S-1-5-21-1535650373-1457993706-2355445124";
#samba.domainSID = mkDefault "S-1-5-21-208293719-3143191303-229982100"; # HAKUREI
userDnSuffix = mkDefault "cn=users,cn=accounts,";
groupDnSuffix = mkDefault "cn=groups,cn=accounts,";
permissionDnSuffix = mkDefault "cn=permissions,cn=pbac,";
privilegeDnSuffix = mkDefault "cn=privileges,cn=pbac,";
roleDnSuffix = mkDefault "cn=roles,cn=accounts,";
serviceDnSuffix = mkDefault "cn=services,cn=accounts,";
hostDnSuffix = mkDefault "cn=computers,cn=accounts,";
sysAccountDnSuffix = mkDefault "cn=sysaccounts,cn=etc,";
domainDnSuffix = mkDefault "cn=ad,cn=etc,";
};
security.ipa = {
enable = mkDefault true;
certificate = mkDefault caPem;
basedn = mkDefault baseDn;
chromiumSupport = mkDefault false;
domain = mkDefault domain;
realm = mkDefault (toUpper domain);
server = mkDefault "idp.${domain}";
ifpAllowedUids = [
"root"
] ++ config.users.groups.wheel.members;
dyndns.enable = mkDefault false;
};
sops.secrets = {
krb5-keytab = mkIf cfg.enable {
mode = "0400";
path = "/etc/krb5.keytab";
};
};
systemd.services.krb5-host = let
krb5-host = pkgs.writeShellScript "krb5-host" ''
set -eu
kinit -k host/${config.networking.fqdn}
'';
in mkIf cfg.enable {
path = [ config.security.krb5.package ];
serviceConfig = {
Type = mkOptionDefault "oneshot";
ExecStart = [ "${krb5-host}" ];
};
};
};
}
Reference in a new issue View git blame Copy permalink