ad-domain: init

2024-11-09 18:47:02 +00:00 · 2022-01-04 10:13:46 -05:00 · 2022-01-04 10:13:46 -05:00 · b2c86c2919
commit b2c86c2919
parent 9eb64a5b78
1 changed files with 78 additions and 0 deletions
--- a/modules/ad-domain.nix
+++ b/modules/ad-domain.nix
@ -0,0 +1,78 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.sconfig.ad-domain;
+in
+{
+  options.sconfig.ad-domain = with lib; with types;
+    {
+      enable = mkEnableOption "Join Domain with SSSD";
+      longname = mkOption {
+        type = str;
+        example = "example.com";
+      };
+      shortname = mkOption {
+        type = str;
+        example = "EXAMPLE";
+      };
+    };
+
+  config = lib.mkIf cfg.enable
+    {
+      networking.domain = cfg.longname;
+      networking.search = [ (cfg.longname) ];
+      security.pam.services.sshd.makeHomeDir = true;
+      krb5 = {
+        enable = true;
+        libdefaults.default_realm = lib.toUpper cfg.longname;
+      };
+      services.sssd = {
+        enable = true;
+        sshAuthorizedKeysIntegration = true;
+        config = ''
+          [sssd]
+          services = nss, pam, ssh
+          config_file_version = 2
+          domains = ${cfg.longname}
+          [domain/${cfg.longname}]
+          id_provider = ad
+          ldap_sasl_mech = gssapi
+          access_provider = ad
+          override_homedir = /home/%u.%d
+          override_shell = /run/current-system/sw/bin/bash
+          ad_gpo_access_control = permissive
+          ad_gpo_ignore_unreadable = True
+          ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
+          ldap_user_ssh_public_key = altSecurityIdentities
+          ldap_use_tokengroups = True
+        '';
+      };
+      # Samba is configured, but just for the "net" command, to
+      # join the domain. A better join method probably exists.
+      # `net ads join -U Administrator`
+      environment.systemPackages = [ pkgs.samba4Full ];
+      systemd.services.samba-smbd.enable = lib.mkDefault false;
+      services.samba = {
+        enable = true;
+        enableNmbd = lib.mkDefault false;
+        enableWinbindd = lib.mkDefault false;
+        package = pkgs.samba4Full;
+        securityType = "ads";
+        extraConfig = ''
+          realm = ${lib.toUpper cfg.longname}
+          workgroup = ${lib.toUpper cfg.shortname}
+          idmap uid = 10000-20000
+          idmap gid = 10000-20000
+          template homedir = /home/%u.%d
+          template shell = /run/current-system/sw/bin/bash
+          client use spnego = yes
+          client ntlmv2 auth = yes
+          encrypt passwords = yes
+          restrict anonymous = 2
+          server signing = mandatory
+          client signing = mandatory
+          kerberos method = secrets and keytab
+        '';
+      };
+    };
+}