{ config, lib, pkgs, ... }: let cfg = config.sconfig.ad-domain; in { options.sconfig.ad-domain = with lib; with types; { enable = mkEnableOption "Join Domain with SSSD"; longname = mkOption { type = str; example = "example.com"; }; shortname = mkOption { type = str; example = "EXAMPLE"; }; }; config = lib.mkIf cfg.enable { networking.domain = cfg.longname; networking.search = [ (cfg.longname) ]; security.pam.services.sshd.makeHomeDir = true; krb5 = { enable = true; libdefaults.default_realm = lib.toUpper cfg.longname; }; services.sssd = { enable = true; sshAuthorizedKeysIntegration = true; config = '' [sssd] services = nss, pam, ssh config_file_version = 2 domains = ${cfg.longname} [domain/${cfg.longname}] id_provider = ad ldap_sasl_mech = gssapi access_provider = ad override_homedir = /home/%u.%d override_shell = /run/current-system/sw/bin/bash ad_gpo_access_control = permissive ad_gpo_ignore_unreadable = True ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities ldap_user_ssh_public_key = altSecurityIdentities ldap_use_tokengroups = True ''; }; # Samba is configured, but just for the "net" command, to # join the domain. A better join method probably exists. # `net ads join -U Administrator` environment.systemPackages = [ pkgs.samba4Full ]; systemd.services.samba-smbd.enable = lib.mkDefault false; services.samba = { enable = true; enableNmbd = lib.mkDefault false; enableWinbindd = lib.mkDefault false; package = pkgs.samba4Full; securityType = "ads"; extraConfig = '' realm = ${lib.toUpper cfg.longname} workgroup = ${lib.toUpper cfg.shortname} idmap uid = 10000-20000 idmap gid = 10000-20000 template homedir = /home/%u.%d template shell = /run/current-system/sw/bin/bash client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes restrict anonymous = 2 server signing = mandatory client signing = mandatory kerberos method = secrets and keytab ''; }; }; }