ad-domain: init
This commit is contained in:
parent
9eb64a5b78
commit
b2c86c2919
1 changed files with 78 additions and 0 deletions
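--- /dev/null
+++ b/modules/ad-domain.nix
@@ -0,0 +1,78 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.sconfig.ad-domain;
+in
+{
+  options.sconfig.ad-domain = with lib; with types;
+    {
+      enable = mkEnableOption "Join Domain with SSSD";
+      longname = mkOption {
+        type = str;
+        example = "example.com";
+      };
+      shortname = mkOption {
+        type = str;
+        example = "EXAMPLE";
+      };
+    };
+
+  config = lib.mkIf cfg.enable
+    {
+      networking.domain = cfg.longname;
+      networking.search = [ (cfg.longname) ];
+      security.pam.services.sshd.makeHomeDir = true;
+      krb5 = {
+        enable = true;
+        libdefaults.default_realm = lib.toUpper cfg.longname;
+      };
+      services.sssd = {
+        enable = true;
+        sshAuthorizedKeysIntegration = true;
+        config = ''
+          [sssd]
+          services = nss, pam, ssh
+          config_file_version = 2
+          domains = ${cfg.longname}
+          [domain/${cfg.longname}]
+          id_provider = ad
+          ldap_sasl_mech = gssapi
+          access_provider = ad
+          override_homedir = /home/%u.%d
+          override_shell = /run/current-system/sw/bin/bash
+          ad_gpo_access_control = permissive
+          ad_gpo_ignore_unreadable = True
+          ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
+          ldap_user_ssh_public_key = altSecurityIdentities
+          ldap_use_tokengroups = True
+        '';
+      };
+      # Samba is configured, but just for the "net" command, to
+      # join the domain. A better join method probably exists.
+      # `net ads join -U Administrator`
+      environment.systemPackages = [ pkgs.samba4Full ];
+      systemd.services.samba-smbd.enable = lib.mkDefault false;
+      services.samba = {
+        enable = true;
+        enableNmbd = lib.mkDefault false;
+        enableWinbindd = lib.mkDefault false;
+        package = pkgs.samba4Full;
+        securityType = "ads";
+        extraConfig = ''
+          realm = ${lib.toUpper cfg.longname}
+          workgroup = ${lib.toUpper cfg.shortname}
+          idmap uid = 10000-20000
+          idmap gid = 10000-20000
+          template homedir = /home/%u.%d
+          template shell = /run/current-system/sw/bin/bash
+          client use spnego = yes
+          client ntlmv2 auth = yes
+          encrypt passwords = yes
+          restrict anonymous = 2
+          server signing = mandatory
+          client signing = mandatory
+          kerberos method = secrets and keytab
+        '';
+      };
+    };
+}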
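Review bot: `ad_gpo_access_control = permissive` together with `ad_gpo_ignore_unreadable = True` in the SSSD `[domain/${cfg.longname}]` section means GPO logon-right restrictions are evaluated but never enforced and unreadable GPOs are silently skipped, so every enabled account the `access_provider = ad` check admits can log in over SSH regardless of any "Allow/Deny log on" policy in the domain. If that is deliberate for initial bring-up, a comment such as `# GPO access control is permissive on purpose: log-only until GPOs are verified readable` would make the intent explicit; otherwise switch to `ad_gpo_access_control = enforcing` once the GPOs are confirmed readable, or add an `ad_access_filter` / `simple_allow_groups` line so SSH access is limited to a known group rather than the whole directory. `ldap_user_ssh_public_key = altSecurityIdentities` also means anyone with write access to that attribute can grant SSH access to a host, and since AD uses the same attribute for certificate-to-account mappings its ACL may be wider than a dedicated key attribute would be — worth confirming against the domain's delegation model. The join comment recommends `net ads join -U Administrator`; a delegated join account holding only "create computer objects" rights would avoid typing a Domain Admin password on each new host.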