nixos-config/modules/ad-domain.nix

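{
  config,
  lib,
  pkgs,
  ...
}:
# Join this host to an Active Directory domain and resolve/authenticate
# domain users through SSSD.  Kerberos (GSSAPI) is used for the LDAP bind,
# SSH public keys are pulled from the user's `altSecurityIdentities`
# attribute, and Samba is enabled only so that `net ads join` can create the
# machine account — smbd, nmbd and winbindd stay off by default.
let
  cfg = config.sconfig.ad-domain;
  # Kerberos realm and Samba `realm` are the upper-cased DNS domain name.
  realm = lib.toUpper cfg.longname;
in
{
  options.sconfig.ad-domain =
    with lib;
    with types;
    {
      enable = mkEnableOption "Join Domain with SSSD";
      longname = mkOption {
        type = str;
        example = "example.com";
        description = "DNS name of the AD domain; also used (upper-cased) as the Kerberos realm.";
      };
      shortname = mkOption {
        type = str;
        example = "EXAMPLE";
        description = "NetBIOS name of the domain (Samba `workgroup`).";
      };
      gpoAccessControl = mkOption {
        type = enum [ "disabled" "permissive" "enforcing" ];
        default = "permissive";
        description = ''
          Value written to SSSD's `ad_gpo_access_control`.  With the default
          `permissive`, logon rights denied by Group Policy are only logged,
          not enforced — any domain account that passes the `ad` access
          provider's own checks can log in.  Switch to `enforcing` once the
          relevant GPOs are confirmed readable by this host (unreadable ones
          are skipped, see `ad_gpo_ignore_unreadable`).
        '';
      };
    };

  config = lib.mkIf cfg.enable {
    networking.domain = cfg.longname;
    networking.search = [ cfg.longname ];

    # Only the sshd PAM stack creates home directories on first login; other
    # PAM services (console, display manager) are not configured here.
    security.pam.services.sshd.makeHomeDir = true;

    security.krb5 = {
      # Option layout (`settings.*`) follows NixOS 24.05; it changed
      # incompatibly since 23.11.
      enable = true;
      settings.libdefaults.default_realm = realm;
    };

    # SSSD notes on the generated sssd.conf below:
    #  - `ldap_sasl_mech = gssapi`: LDAP binds with the machine's Kerberos
    #    credentials; no simple/plaintext bind is configured.
    #  - `override_homedir` / `override_shell`: every domain user gets
    #    /home/<user>.<domain> and bash, regardless of the AD-side
    #    unixHomeDirectory / loginShell attributes.
    #  - `ad_gpo_access_control` is taken from `gpoAccessControl` (see the
    #    option description for the security trade-off); unreadable GPOs are
    #    ignored rather than failing closed.
    #  - `ldap_user_ssh_public_key = altSecurityIdentities`: with
    #    sshAuthorizedKeysIntegration, anyone allowed to write that attribute
    #    on a user object controls which SSH keys are accepted for that user.
    #    The same attribute is used by AD for certificate mapping, so entries
    #    that are not SSH public keys are expected to be present alongside.
    services.sssd = {
      enable = true;
      sshAuthorizedKeysIntegration = true;
      config = ''
        [sssd]
        services = nss, pam, ssh
        config_file_version = 2
        domains = ${cfg.longname}
        [domain/${cfg.longname}]
        id_provider = ad
        ldap_sasl_mech = gssapi
        access_provider = ad
        override_homedir = /home/%u.%d
        override_shell = /run/current-system/sw/bin/bash
        ad_gpo_access_control = ${cfg.gpoAccessControl}
        ad_gpo_ignore_unreadable = True
        ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
        ldap_user_ssh_public_key = altSecurityIdentities
        ldap_use_tokengroups = True
      '';
    };

    # Samba is configured only so the `net` command can join the domain
    # (run once, as root): `net ads join -U Administrator`.  A lighter
    # alternative such as `adcli join` may work but has not been tried here.
    environment.systemPackages = [ pkgs.samba4Full ];

    # No SMB/NetBIOS/winbind service is exposed unless a host explicitly
    # re-enables it; only the client tooling and machine account are wanted.
    systemd.services.samba-smbd.enable = lib.mkDefault false;
    services.samba = {
      enable = true;
      nmbd.enable = lib.mkDefault false;
      winbindd.enable = lib.mkDefault false;
      package = pkgs.samba4Full;
      settings.global = {
        "security" = "ads";
        "realm" = realm;
        "workgroup" = lib.toUpper cfg.shortname;
        "client use spnego" = "yes";
        # Refuse anonymous (null-session) access.
        "restrict anonymous" = 2;
        # Require SMB signing in both directions so sessions to/from this
        # host cannot be silently relayed or tampered with.
        "server signing" = "mandatory";
        "client signing" = "mandatory";
        # Use the machine password from secrets.tdb and the system keytab.
        "kerberos method" = "secrets and keytab";
      };
    };
  };
}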