mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-09 20:39:18 -08:00
215 lines
6.1 KiB
Nix
215 lines
6.1 KiB
Nix
{
|
|
gensokyo-zone,
|
|
pkgs,
|
|
config,
|
|
lib,
|
|
...
|
|
}: let
|
|
inherit (gensokyo-zone.lib) mkAlmostOptionDefault mapOptionDefaults mapAlmostOptionDefaults mapDefaults;
|
|
inherit (lib.options) mkOption mkEnableOption;
|
|
inherit (lib.modules) mkIf mkMerge mkAfter mkDefault mkOptionDefault;
|
|
inherit (config.security) krb5 ipa;
|
|
inherit (config.services) sssd;
|
|
genso = krb5.gensokyo-zone;
|
|
cfg = sssd.gensokyo-zone;
|
|
serverModule = {config, ...}: {
|
|
options = with lib.types; {
|
|
servers = mkOption {
|
|
type = nullOr (listOf str);
|
|
default = null;
|
|
};
|
|
backups = mkOption {
|
|
type = listOf str;
|
|
default = [];
|
|
};
|
|
serverName = mkOption {
|
|
type = str;
|
|
internal = true;
|
|
};
|
|
serverKind = mkOption {
|
|
type = enum ["server" "uri"];
|
|
default = "server";
|
|
internal = true;
|
|
};
|
|
settings = mkOption {
|
|
type = attrsOf (listOf str);
|
|
};
|
|
};
|
|
config = let
|
|
key = "${config.serverName}_${config.serverKind}";
|
|
keyBackups = "${config.serverName}_backup_${config.serverKind}";
|
|
in {
|
|
settings = {
|
|
${key} = mkIf (config.servers != null) (mkOptionDefault config.servers);
|
|
${keyBackups} = mkIf (config.backups != []) (mkOptionDefault config.backups);
|
|
};
|
|
};
|
|
};
|
|
mkServerType = {modules}:
|
|
lib.types.submoduleWith {
|
|
modules = [serverModule] ++ modules;
|
|
specialArgs = {
|
|
inherit gensokyo-zone pkgs;
|
|
nixosConfig = config;
|
|
};
|
|
};
|
|
mkServerOption = {
|
|
name,
|
|
kind ? "server",
|
|
}: let
|
|
serverInfoModule = {...}: {
|
|
config = {
|
|
serverName = mkOptionDefault name;
|
|
serverKind = mkAlmostOptionDefault kind;
|
|
};
|
|
};
|
|
in
|
|
mkOption {
|
|
type = mkServerType {
|
|
modules = [serverInfoModule];
|
|
};
|
|
default = {};
|
|
};
|
|
in {
|
|
options.services.sssd.gensokyo-zone = with lib.types; {
|
|
enable =
|
|
mkEnableOption "realm"
|
|
// {
|
|
default = genso.enable;
|
|
};
|
|
ldap = {
|
|
bind = {
|
|
passwordFile = mkOption {
|
|
type = nullOr str;
|
|
default = null;
|
|
};
|
|
};
|
|
uris = mkServerOption {
|
|
name = "ldap";
|
|
kind = "uri";
|
|
};
|
|
};
|
|
krb5 = {
|
|
servers = mkServerOption {name = "krb5";};
|
|
};
|
|
ipa = {
|
|
servers =
|
|
mkServerOption {name = "ipa";}
|
|
// {
|
|
default = {
|
|
inherit (cfg.krb5.servers) servers backups;
|
|
};
|
|
};
|
|
hostName = mkOption {
|
|
type = str;
|
|
default = config.networking.fqdn;
|
|
};
|
|
};
|
|
backend = mkOption {
|
|
type = enum ["ldap" "ipa"];
|
|
default = "ipa";
|
|
};
|
|
};
|
|
config = {
|
|
services.sssd = let
|
|
# or "ipaNTSecurityIdentifier" which isn't set for most groups, maybe check netgroups..?
|
|
objectsid = "sambaSID";
|
|
backendDomainSettings = {
|
|
ldap =
|
|
mapDefaults {
|
|
id_provider = "ldap";
|
|
auth_provider = "krb5";
|
|
access_provider = "ldap";
|
|
ldap_tls_cacert = "/etc/ssl/certs/ca-bundle.crt";
|
|
}
|
|
// mapOptionDefaults {
|
|
ldap_access_order = ["host"];
|
|
ldap_schema = "IPA";
|
|
ldap_default_bind_dn = genso.ldap.bind.dn;
|
|
ldap_search_base = genso.ldap.baseDn;
|
|
ldap_user_search_base = "cn=users,cn=accounts,${genso.ldap.baseDn}";
|
|
ldap_group_search_base = "cn=groups,cn=accounts,${genso.ldap.baseDn}";
|
|
ldap_user_uuid = "ipaUniqueID";
|
|
ldap_user_ssh_public_key = "ipaSshPubKey";
|
|
ldap_user_objectsid = objectsid;
|
|
ldap_group_uuid = "ipaUniqueID";
|
|
ldap_group_objectsid = objectsid;
|
|
};
|
|
ipa = mapOptionDefaults {
|
|
id_provider = "ipa";
|
|
auth_provider = "ipa";
|
|
access_provider = "ipa";
|
|
chpass_provider = "ipa";
|
|
dyndns_update = ipa.dyndns.enable;
|
|
dyndns_iface = ipa.dyndns.interface;
|
|
};
|
|
};
|
|
domainSettings =
|
|
mapAlmostOptionDefaults {
|
|
ipa_hostname = cfg.ipa.hostName;
|
|
}
|
|
// mapOptionDefaults {
|
|
enumerate = true;
|
|
ipa_domain = genso.domain;
|
|
krb5_realm = genso.realm;
|
|
cache_credentials = ipa.cacheCredentials;
|
|
krb5_store_password_if_offline = ipa.offlinePasswords;
|
|
#min_id = 8000;
|
|
#max_id = 8999;
|
|
};
|
|
in {
|
|
gensokyo-zone = {
|
|
krb5.servers.servers = mkMerge [
|
|
[genso.host]
|
|
(mkAfter ["_srv" genso.canonHost])
|
|
];
|
|
ldap.uris = {
|
|
servers = mkMerge [
|
|
(mkAfter ["_srv"])
|
|
genso.ldap.urls
|
|
];
|
|
};
|
|
};
|
|
domains = mkIf cfg.enable {
|
|
${genso.domain} = {
|
|
ldap = {
|
|
authtok = mkIf (cfg.backend == "ldap") {
|
|
passwordFile = mkIf (cfg.ldap.bind.passwordFile != null) (mkAlmostOptionDefault cfg.ldap.bind.passwordFile);
|
|
};
|
|
extraAttrs.user = {
|
|
mail = "mail";
|
|
sn = "sn";
|
|
givenname = "givenname";
|
|
telephoneNumber = "telephoneNumber";
|
|
lock = "nsaccountlock";
|
|
};
|
|
};
|
|
settings = mkMerge [
|
|
domainSettings
|
|
backendDomainSettings.${cfg.backend}
|
|
(mapAlmostOptionDefaults cfg.ldap.uris.settings)
|
|
(mapAlmostOptionDefaults cfg.krb5.servers.settings)
|
|
(mkIf (cfg.backend == "ipa") (mapAlmostOptionDefaults cfg.ipa.servers.settings))
|
|
];
|
|
};
|
|
};
|
|
services = mkIf cfg.enable {
|
|
nss.settings = mapOptionDefaults {
|
|
homedir_substring = "/home";
|
|
};
|
|
pam.settings = mapOptionDefaults {
|
|
pam_pwd_expiration_warning = 3;
|
|
pam_verbosity = 3;
|
|
};
|
|
sudo.enable = mkIf (!sssd.services.pam.enable) (mkDefault false);
|
|
ssh.enable = mkIf (!sssd.services.pam.enable) (mkDefault false);
|
|
ifp = {
|
|
enable = mkAlmostOptionDefault true;
|
|
settings = mapOptionDefaults {
|
|
allowed_uids = ipa.ifpAllowedUids;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|