Diffstat (limited to 'domain.nix')
-rw-r--r-- | domain.nix | 197 |
1 files changed, 197 insertions, 0 deletions
diff --git a/domain.nix b/domain.nix
new file mode 100644
index 0000000..89c4399
--- /dev/null
+++ b/domain.nix
@@ -0,0 +1,197 @@
+{ config, lib, pkgs, ... }:
+
+{
+ nixpkgs.overlays = [ (self: super:
+ {
+ samba = super.samba.override { enableLDAP = true; };
+ sudo = super.sudo.override { withSssd = true; };
+ }) ];
+
+ networking.timeServers = [
+ "dc1.ad.yuuta.moe"
+ ];
+
+ networking.search = "ad.yuuta.moe";
+ networking.domain = "ad.yuuta.moe";
+
+ services.ntp.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ python39Packages.dnspython
+ python310Packages.dnspython
+ dig # nsupdate(1)
+ ];
+
+ networking.wireguard.interfaces.internal = {
+ mtu = 1340;
+ peers = [
+ {
+ publicKey = "DLhfohNTrZh45K/IRaJscUfUh3igTv2XAFkDmKrN2kQ=";
+ allowedIPs = [ "10.0.2.0/24" "10.0.1.0/24" ];
+ endpoint = "23.154.81.12:60011";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+
+ krb5.enable = true;
+ krb5.libdefaults = {
+ default_realm = "AD.YUUTA.MOE";
+ dns_lookup_realm = true;
+ dns_lookup_kdc = true;
+ ticket_lifetime = "24h";
+ renew_lifetime = "7d";
+ forwardable = true;
+ rdns = false;
+ default_ccache_name = "KEYRING:persistent:%{uid}";
+ };
+ krb5.domain_realm = {
+ ".ad.yuuta.moe" = "AD.YUUTA.MOE";
+ };
+
+ services.sssd.enable = true;
+ # Cherry pick from 48b0aa71646b3600f37dfa258c9fe16d7bb6747f
+ # Fix sssctl
+ environment.etc."sssd/sssd.conf".source = "/var/lib/sssd/sssd.conf";
+ services.sssd.config = ''
+[sssd]
+config_file_version = 2
+domains = ad.yuuta.moe
+services = nss, pam, sudo, autofs
+
+[domain/ad.yuuta.moe]
+cache_credentials = true
+
+id_provider = ad
+auth_provider = ad
+access_provider = ad
+sudo_provider = ad
+
+default_shell = /run/current-system/sw/bin/bash
+# override_shell = /usr/bin/fish
+fallback_homedir = /home/%u
+
+ldap_sudo_search_base = ou=sudoers,dc=ad,dc=yuuta,dc=moe
+
+krb5_renew_interval = 10h
+krb5_ccname_template = KEYRING:persistent:%U
+krb5_store_password_if_offline = true
+
+[autofs]
+ldap_autofs_search_base = ou=AutoFS,ou=Domain Computers,dc=ad,dc=yuuta,dc=moe
+'';
+ services.openssh.extraConfig = ''
+GSSAPIAuthentication yes
+'';
+
+ # services.nscd.enable = false;
+ environment.etc."nsswitch.conf".text = ''
+# sssd
+sudoers: files sss
+automount: files sss
+'';
+
+ services.autofs.enable = true;
+ services.autofs.debug = true;
+ services.autofs.autoMaster = "# Use LDAP";
+
+ boot.supportedFilesystems = [ "nfs" ];
+ # Domain is handled automatically.
+ # services.nfs.idmapd.settings = {
+ # General = {
+ # Domain = "ad.yuuta.moe";
+ # };
+ # };
+
+ boot.extraModprobeConfig = ''
+options nfs nfs4_disable_idmapping=0
+options nfsd nfs4_disable_idmapping=0
+'';
+
+ services.samba.enable = true;
+ # services.samba.package = pkgs.samba4Full;
+ services.samba.configText = ''
+[global]
+ security = ads
+ realm = AD.YUUTA.MOE
+ workgroup = YUUTA
+
+ log file = /var/log/samba/%m.log
+
+ kerberos method = secrets and keytab
+
+ client signing = yes
+ client use spnego = yes
+'';
+
+ services.dnsmasq.enable = true;
+ services.dnsmasq.servers = [
+ "/ad.yuuta.moe/10.0.1.2"
+ "/in-addr.arpa/10.0.1.2"
+ ];
+ programs.ssh.extraConfig = ''
+ Host *.ad.yuuta.moe
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials yes
+ '';
+
+ security.pam.services.sshd.makeHomeDir = true;
+ security.pam.services.login.makeHomeDir = true;
+
+ security.pki.certificates = [ ''
+Yuuta
+=========
+-----BEGIN CERTIFICATE-----
+MIIJGDCCBwCgAwIBAgIQUO5CWfFhBolDqnnAFe61MzANBgkqhkiG9w0BAQ0FADAR
+MQ8wDQYDVQQDDAZST09UQ0EwHhcNMjIwNDA0MTk0NjAwWhcNNDIwNDA0MTk1NTU5
+WjARMQ8wDQYDVQQDDAZST09UQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQC67MLXzJ5Xer6PsCuzjoNR+6wdEOIdczlH3RRxtGpjQ4cw0gVhyDpK2Mkd
+eewY2Sp5KicKiGPtwBiu72K6fVqfwbsvqVDPfPvIRfaEe+gCqmvybXn10jpdiIMV
+UhmW2/Mon8tVDn2MC78QZP4yqkIff0p8sTlgELhH/NK5nC6ffFdO60HWML7RhqOw
+GDZyKJbHunHs5X5R+rY/D9Vu1Bwo2hWSzHDjbRDErxARqrf75KE6KpsqqvNdNWnx
+cBLEgdvkJPO9aZ1wk52hMPQgv1/INJUpR4ndPHOUU2gX1+mlveWeIvyLt2/KOsdF
+ILBvJFqtATFgnNJU+nZxHqHyA3MadGRvYKYkgoif0vVYsTbkYQCxrFNr1QT7H7nP
+DqNsF+IBPKmDxnnCL+udVJnXJy/YrUw9jeur+QZCHl42JB1Ft+1u11dUREunMbJZ
+A2b9CUEcZLn7HMEDcUe9hvqLp60a1wIFJ3GDagHt/eH7PNaiBejoxAqSsjfVPqBX
+8lz+yJ8tzue2O4ietYLdtLElVJN+opjth0By9oyYzNZvAv5hNtjOAaa1FjALXXWP
+nLAOl5fAQaTLq1FxYw0dLoVyfGzazIKMVnihWoljzzrQ1HKLyqX0hHF3nSZkl3t9
+xeL8LHZwHXAj7susg5TPnlLPm0VJMgk+MJAYzQQNpBWWf2Oa3QIDAQABo4IEajCC
+BGYwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFA9a2yPE
+TwIF+bXh5afzREa7LvazMDUGA1UdHwQuMCwwKqAooCaGJGh0dHA6Ly9ob21lLnl1
+dXRhLm1vZS9jZHAvUm9vdENBLmNybDAQBgkrBgEEAYI3FQEEAwIBADCCA5cGA1Ud
+IASCA44wggOKMIIBKgYLKwYBBAGG/lIFAQEwggEZMIHuBggrBgEFBQcCAjCB4R6B
+3gBUAGgAaQBzACAAQwBlAHIAdABpAGYAaQBjAGEAdABpAG8AbgAgAEEAdQB0AGgA
+bwByAGkAdAB5ACAAaQBzACAAYQBuACAAaQBuAHQAZQByAG4AYQBsACAAcgBlAHMA
+bwB1AHIAYwBlAC4AIABDAGUAcgB0AGkAZgBpAGMAYQB0AGUAcwAgAGkAcwBzAHUA
+ZQBkACAAYgB5ACAAdABoAGkAcwAgAEMAQQAgAGEAcgBlACAAZgBvAHIAIABpAG4A
+dABlAHIAbgBhAGwAIAB1AHMAZQAgAG8AbgBsAHkALjAmBggrBgEFBQcCARYaaHR0
+cHM6Ly9ob21lLnl1dXRhLm1vZS9jcHMwggEqBgsrBgEEAYb+UgUBAjCCARkwge4G
+CCsGAQUFBwICMIHhHoHeAFQAaABpAHMAIABDAGUAcgB0AGkAZgBpAGMAYQB0AGkA
+bwBuACAAQQB1AHQAaABvAHIAaQB0AHkAIABpAHMAIABhAG4AIABpAG4AdABlAHIA
+bgBhAGwAIAByAGUAcwBvAHUAcgBjAGUALgAgAEMAZQByAHQAaQBmAGkAYwBhAHQA
+ZQBzACAAaQBzAHMAdQBlAGQAIABiAHkAIAB0AGgAaQBzACAAQwBBACAAYQByAGUA
+IABmAG8AcgAgAGkAbgB0AGUAcgBuAGEAbAAgAHUAcwBlACAAbwBuAGwAeQAuMCYG
+CCsGAQUFBwIBFhpodHRwczovL2hvbWUueXV1dGEubW9lL2NwczCCASoGCysGAQQB
+hv5SBQEDMIIBGTCB7gYIKwYBBQUHAgIwgeEegd4AVABoAGkAcwAgAEMAZQByAHQA
+aQBmAGkAYwBhAHQAaQBvAG4AIABBAHUAdABoAG8AcgBpAHQAeQAgAGkAcwAgAGEA
+bgAgAGkAbgB0AGUAcgBuAGEAbAAgAHIAZQBzAG8AdQByAGMAZQAuACAAQwBlAHIA
+dABpAGYAaQBjAGEAdABlAHMAIABpAHMAcwB1AGUAZAAgAGIAeQAgAHQAaABpAHMA
+IABDAEEAIABhAHIAZQAgAGYAbwByACAAaQBuAHQAZQByAG4AYQBsACAAdQBzAGUA
+IABvAG4AbAB5AC4wJgYIKwYBBQUHAgEWGmh0dHBzOi8vaG9tZS55dXV0YS5tb2Uv
+Y3BzMEMGCCsGAQUFBwEBBDcwNTAzBggrBgEFBQcwAoYnaHR0cDovL2hvbWUueXV1
+dGEubW9lL1B1YmxpYy9Sb290Q0EuY3J0MA0GCSqGSIb3DQEBDQUAA4ICAQBpep0v
+TUIgb5gQ58gVM1zsPKgXlp2qLsTsbKkhSopsPmkrM8iCIVmZSthmJ9netyhb5pLG
+RYX2wQLnk/6CxI0Ky0ja1Ljk8OmxlZ37pVSCb0A9+sxNdOb6rOjsuBJhxrG4gWoQ
+LWTw52axvAspwkMfy3WK/AiU8KfnTI/PnlxevZPk4DqA3r+Cl8EeuRAVjm8vfNjF
+41kChxjlzkkNdKi1+e0Ne9V+KBhlkGA7RRe7IZfGiCqZ3qF1gs3JlnupZvUibFVJ
+E1i3GJrFglMoG5MPF2Ta3EGwqhJG5cp72IQ6+V3fTVKMu4gS+Xr3EK1y2P4ti8UN
+btWp0VRk0n8hH2lJtaWPW0pzYyaCb0TLxsy6b1N2Ky0Md1gGkJizKCxqok+D92un
+wOrPStBc/v2/B7RksJCr1QdVVWJNkrDbacgGBAJbrnEfiwvggOuLoW/VmGC9HG05
+UQhG2AyTL/ZG52JFr1HvpPKmoR37Ovh6AUA3InI3fFQ4aITojai/PLeFwKPdAO6B
+BqTIRcc3pekpcFTxyV1/aJixdXXeuPK2PGdHjvaeb2oR6R3xW89K1enn71MQ/4gw
+vrUSgPWrir+zgQWs0SELJe48QqLez1Gzg5ToWF67YGUMMp03w5FEG00+qsWUBgbV
+AN+3FUEMFG+GcubnaIQlcx2rC5r/cJWTaeDZZw==
+-----END CERTIFICATE-----
+'' ];
+}
+ |
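Review bot: `GSSAPIDelegateCredentials yes` under `Host *.ad.yuuta.moe` in programs.ssh.extraConfig, combined with `forwardable = true` in krb5.libdefaults, forwards the user's TGT to every SSH server in the domain, so any single compromised domain host can act as that user against other Kerberos services until the ticket expires; consider limiting the delegation entry to the hosts that genuinely need it and keeping the wildcard at `GSSAPIAuthentication yes` only. In the same spirit, `krb5_store_password_if_offline = true` in services.sssd.config keeps the user's password in the kernel keyring so offline renewal can work, and `services.autofs.debug = true` turns on verbose automount logging; both are defensible on a workstation but read as accidental without a comment such as `# offline renewal needs the cached password; drop if this host is always on the VPN`. `security.pki.certificates` installs the internal root for every TLS client on the system, which is the expected setup for an internal CA, but the CRL/AIA URLs embedded in the certificate become the only revocation signal, so a short comment naming where the CA is managed would help the next reader.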