ad-domain: init
This commit is contained in:
parent
9eb64a5b78
commit
b2c86c2919
1 changed files with 78 additions and 0 deletions
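--- /dev/null
+++ b/modules/ad-domain.nix
@@ -0,0 +1,78 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.sconfig.ad-domain;
+in
+{
+  options.sconfig.ad-domain = with lib; with types;
+    {
+      enable = mkEnableOption "Join Domain with SSSD";
+      longname = mkOption {
+        type = str;
+        example = "example.com";
+      };
+      shortname = mkOption {
+        type = str;
+        example = "EXAMPLE";
+      };
+    };
+
+  config = lib.mkIf cfg.enable
+    {
+      networking.domain = cfg.longname;
+      networking.search = [ (cfg.longname) ];
+      security.pam.services.sshd.makeHomeDir = true;
+      krb5 = {
+        enable = true;
+        libdefaults.default_realm = lib.toUpper cfg.longname;
+      };
+      services.sssd = {
+        enable = true;
+        sshAuthorizedKeysIntegration = true;
+        config = ''
+          [sssd]
+          services = nss, pam, ssh
+          config_file_version = 2
+          domains = ${cfg.longname}
+          [domain/${cfg.longname}]
+          id_provider = ad
+          ldap_sasl_mech = gssapi
+          access_provider = ad
+          override_homedir = /home/%u.%d
+          override_shell = /run/current-system/sw/bin/bash
+          ad_gpo_access_control = permissive
+          ad_gpo_ignore_unreadable = True
+          ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
+          ldap_user_ssh_public_key = altSecurityIdentities
+          ldap_use_tokengroups = True
+        '';
+      };
+      # Samba is configured, but just for the "net" command, to
+      # join the domain. A better join method probably exists.
+      # `net ads join -U Administrator`
+      environment.systemPackages = [ pkgs.samba4Full ];
+      systemd.services.samba-smbd.enable = lib.mkDefault false;
+      services.samba = {
+        enable = true;
+        enableNmbd = lib.mkDefault false;
+        enableWinbindd = lib.mkDefault false;
+        package = pkgs.samba4Full;
+        securityType = "ads";
+        extraConfig = ''
+          realm = ${lib.toUpper cfg.longname}
+          workgroup = ${lib.toUpper cfg.shortname}
+          idmap uid = 10000-20000
+          idmap gid = 10000-20000
+          template homedir = /home/%u.%d
+          template shell = /run/current-system/sw/bin/bash
+          client use spnego = yes
+          client ntlmv2 auth = yes
+          encrypt passwords = yes
+          restrict anonymous = 2
+          server signing = mandatory
+          client signing = mandatory
+          kerberos method = secrets and keytab
+        '';
+      };
+    };
+}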
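Review bot: The SSSD domain section sets `ad_gpo_access_control = permissive` together with `ad_gpo_ignore_unreadable = True`, which makes the AD GPO logon-rights check fail open — the allow/deny logon policies are evaluated and logged but not enforced, and a GPO the machine account cannot read is skipped instead of denying access (current SSSD releases default to `enforcing` and fail closed on unreadable GPOs). This is a reasonable setting while verifying a fresh join, but since `access_provider = ad` suggests the intent is AD-driven access control, the relaxation deserves a comment such as `# GPO logon rights are only logged, not enforced; switch to "enforcing" once the join is verified` or, better, an `sconfig.ad-domain` option with `enforcing` as the default. Separately, the `longname` and `shortname` options carry an `example` but no `description`, so `nixos-option` and generated docs show nothing for them; adding `description = "DNS name of the AD domain";` and `description = "NetBIOS name of the AD domain (used as the Samba workgroup)";` would fix that.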