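{ config, lib, pkgs, ... }:

# Joins this host to the AD.YUUTA.MOE Active Directory domain: Kerberos
# client settings, SSSD (identity, authentication, sudo and autofs maps),
# Samba in ADS mode, NFSv4 id mapping, DNS forwarding for the AD zone,
# and the internal root CA used by the domain.
{
  # Rebuild samba with LDAP support and sudo with SSSD support; the
  # `security = ads` and `sudo_provider = ad` settings below depend on them.
  nixpkgs.overlays = [
    (self: super: {
      samba = super.samba.override { enableLDAP = true; };
      sudo = super.sudo.override { withSssd = true; };
    })
  ];

  # Kerberos rejects tickets when the clock drifts too far from the KDC,
  # so time is taken from the domain controller itself.
  networking.timeServers = [ "dc1.ad.yuuta.moe" ];
  # networking.search is a list of search domains, not a single string.
  networking.search = [ "ad.yuuta.moe" ];
  networking.domain = "ad.yuuta.moe";
  services.ntp.enable = true;

  # dnspython for two interpreter versions is installed; only one is likely
  # needed — TODO confirm which scripts use which interpreter.
  environment.systemPackages = with pkgs; [
    python39Packages.dnspython
    python310Packages.dnspython
    dig # nsupdate(1)
  ];

  # Tunnel to the domain network. Only the peer's public key and endpoint
  # appear here; the interface's private key is not part of this file.
  networking.wireguard.interfaces.internal = {
    mtu = 1340;
    peers = [
      {
        publicKey = "DLhfohNTrZh45K/IRaJscUfUh3igTv2XAFkDmKrN2kQ=";
        allowedIPs = [ "10.0.2.0/24" "10.0.1.0/24" ];
        endpoint = "23.154.81.12:60011";
        persistentKeepalive = 25;
      }
    ];
  };

  krb5.enable = true;
  krb5.libdefaults = {
    default_realm = "AD.YUUTA.MOE";
    dns_lookup_realm = true;
    dns_lookup_kdc = true;
    ticket_lifetime = "24h";
    renew_lifetime = "7d";
    # Forwardable tickets are what the GSSAPIDelegateCredentials setting in
    # programs.ssh.extraConfig below hands to remote hosts.
    forwardable = true;
    rdns = false;
    # Tickets live in the kernel keyring rather than in /tmp files.
    default_ccache_name = "KEYRING:persistent:%{uid}";
  };
  krb5.domain_realm = {
    ".ad.yuuta.moe" = "AD.YUUTA.MOE";
  };

  services.sssd.enable = true;
  # Cherry pick from 48b0aa71646b3600f37dfa258c9fe16d7bb6747f
  # Fix sssctl
  environment.etc."sssd/sssd.conf".source = "/var/lib/sssd/sssd.conf";
  # `krb5_store_password_if_offline = true` keeps the user's password in
  # SSSD's cache while the DC is unreachable so a TGT can be fetched later;
  # it widens what a compromise of this host exposes, so it is a deliberate
  # availability-over-exposure trade-off for a roaming client.
  services.sssd.config = ''
    [sssd]
    config_file_version = 2
    domains = ad.yuuta.moe
    services = nss, pam, sudo, autofs
    [domain/ad.yuuta.moe]
    cache_credentials = true
    id_provider = ad
    auth_provider = ad
    access_provider = ad
    sudo_provider = ad
    default_shell = /run/current-system/sw/bin/bash
    # override_shell = /usr/bin/fish
    fallback_homedir = /home/%u
    ldap_sudo_search_base = ou=sudoers,dc=ad,dc=yuuta,dc=moe
    krb5_renew_interval = 10h
    krb5_ccname_template = KEYRING:persistent:%U
    krb5_store_password_if_offline = true
    [autofs]
    ldap_autofs_search_base = ou=AutoFS,ou=Domain Computers,dc=ad,dc=yuuta,dc=moe
  '';

  # Accept Kerberos-authenticated SSH logins on this host.
  services.openssh.extraConfig = ''
    GSSAPIAuthentication yes
  '';

  # services.nscd.enable = false;
  # NOTE(review): these lines are expected to be merged with the
  # module-generated nsswitch.conf (passwd/group/hosts entries), not to
  # replace it — confirm on the built system that those entries survive.
  environment.etc."nsswitch.conf".text = ''
    # sssd
    sudoers: files sss
    automount: files sss
  '';

  services.autofs.enable = true;
  # Debug logging is left on; consider disabling it once the LDAP maps
  # are confirmed to resolve, as it is noisy in the journal.
  services.autofs.debug = true;
  # The master map itself comes from the `automount: ... sss` source above.
  services.autofs.autoMaster = "# Use LDAP";

  boot.supportedFilesystems = [ "nfs" ];
  # Domain is handled automatically.
  # services.nfs.idmapd.settings = {
  #   General = {
  #     Domain = "ad.yuuta.moe";
  #   };
  # };
  # Keep NFSv4 id mapping enabled so exported files show domain user names
  # rather than raw numeric ids.
  boot.extraModprobeConfig = ''
    options nfs nfs4_disable_idmapping=0
    options nfsd nfs4_disable_idmapping=0
  '';

  services.samba.enable = true;
  # services.samba.package = pkgs.samba4Full;
  services.samba.configText = ''
    [global]
    security = ads
    realm = AD.YUUTA.MOE
    workgroup = YUUTA
    log file = /var/log/samba/%m.log
    kerberos method = secrets and keytab
    client signing = yes
    client use spnego = yes
  '';

  # Forward the AD zone and reverse lookups to the DC's DNS at 10.0.1.2,
  # presumably reached over the 10.0.1.0/24 WireGuard route above.
  services.dnsmasq.enable = true;
  services.dnsmasq.servers = [ "/ad.yuuta.moe/10.0.1.2" "/in-addr.arpa/10.0.1.2" ];

  # GSSAPIDelegateCredentials forwards this user's TGT to every host matching
  # *.ad.yuuta.moe; a compromised host could then act as the user for the
  # remaining ticket lifetime. Narrow the Host pattern if only a few hosts
  # genuinely need delegated credentials.
  programs.ssh.extraConfig = ''
    Host *.ad.yuuta.moe
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes
  '';

  # Domain users have no local home directory until first login.
  security.pam.services.sshd.makeHomeDir = true;
  security.pam.services.login.makeHomeDir = true;

  # Internal root CA added to the system-wide trust store: every certificate
  # it issues is trusted by all TLS clients on this host, not only for
  # ad.yuuta.moe.
  security.pki.certificates = [
    ''
      Yuuta
      =========
      -----BEGIN CERTIFICATE-----
      MIIJGDCCBwCgAwIBAgIQUO5CWfFhBolDqnnAFe61MzANBgkqhkiG9w0BAQ0FADAR
      MQ8wDQYDVQQDDAZST09UQ0EwHhcNMjIwNDA0MTk0NjAwWhcNNDIwNDA0MTk1NTU5
      WjARMQ8wDQYDVQQDDAZST09UQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
      AoICAQC67MLXzJ5Xer6PsCuzjoNR+6wdEOIdczlH3RRxtGpjQ4cw0gVhyDpK2Mkd
      eewY2Sp5KicKiGPtwBiu72K6fVqfwbsvqVDPfPvIRfaEe+gCqmvybXn10jpdiIMV
      UhmW2/Mon8tVDn2MC78QZP4yqkIff0p8sTlgELhH/NK5nC6ffFdO60HWML7RhqOw
      GDZyKJbHunHs5X5R+rY/D9Vu1Bwo2hWSzHDjbRDErxARqrf75KE6KpsqqvNdNWnx
      cBLEgdvkJPO9aZ1wk52hMPQgv1/INJUpR4ndPHOUU2gX1+mlveWeIvyLt2/KOsdF
      ILBvJFqtATFgnNJU+nZxHqHyA3MadGRvYKYkgoif0vVYsTbkYQCxrFNr1QT7H7nP
      DqNsF+IBPKmDxnnCL+udVJnXJy/YrUw9jeur+QZCHl42JB1Ft+1u11dUREunMbJZ
      A2b9CUEcZLn7HMEDcUe9hvqLp60a1wIFJ3GDagHt/eH7PNaiBejoxAqSsjfVPqBX
      8lz+yJ8tzue2O4ietYLdtLElVJN+opjth0By9oyYzNZvAv5hNtjOAaa1FjALXXWP
      nLAOl5fAQaTLq1FxYw0dLoVyfGzazIKMVnihWoljzzrQ1HKLyqX0hHF3nSZkl3t9
      xeL8LHZwHXAj7susg5TPnlLPm0VJMgk+MJAYzQQNpBWWf2Oa3QIDAQABo4IEajCC
      BGYwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFA9a2yPE
      TwIF+bXh5afzREa7LvazMDUGA1UdHwQuMCwwKqAooCaGJGh0dHA6Ly9ob21lLnl1
      dXRhLm1vZS9jZHAvUm9vdENBLmNybDAQBgkrBgEEAYI3FQEEAwIBADCCA5cGA1Ud
      IASCA44wggOKMIIBKgYLKwYBBAGG/lIFAQEwggEZMIHuBggrBgEFBQcCAjCB4R6B
      3gBUAGgAaQBzACAAQwBlAHIAdABpAGYAaQBjAGEAdABpAG8AbgAgAEEAdQB0AGgA
      bwByAGkAdAB5ACAAaQBzACAAYQBuACAAaQBuAHQAZQByAG4AYQBsACAAcgBlAHMA
      bwB1AHIAYwBlAC4AIABDAGUAcgB0AGkAZgBpAGMAYQB0AGUAcwAgAGkAcwBzAHUA
      ZQBkACAAYgB5ACAAdABoAGkAcwAgAEMAQQAgAGEAcgBlACAAZgBvAHIAIABpAG4A
      dABlAHIAbgBhAGwAIAB1AHMAZQAgAG8AbgBsAHkALjAmBggrBgEFBQcCARYaaHR0
      cHM6Ly9ob21lLnl1dXRhLm1vZS9jcHMwggEqBgsrBgEEAYb+UgUBAjCCARkwge4G
      CCsGAQUFBwICMIHhHoHeAFQAaABpAHMAIABDAGUAcgB0AGkAZgBpAGMAYQB0AGkA
      bwBuACAAQQB1AHQAaABvAHIAaQB0AHkAIABpAHMAIABhAG4AIABpAG4AdABlAHIA
      bgBhAGwAIAByAGUAcwBvAHUAcgBjAGUALgAgAEMAZQByAHQAaQBmAGkAYwBhAHQA
      ZQBzACAAaQBzAHMAdQBlAGQAIABiAHkAIAB0AGgAaQBzACAAQwBBACAAYQByAGUA
      IABmAG8AcgAgAGkAbgB0AGUAcgBuAGEAbAAgAHUAcwBlACAAbwBuAGwAeQAuMCYG
      CCsGAQUFBwIBFhpodHRwczovL2hvbWUueXV1dGEubW9lL2NwczCCASoGCysGAQQB
      hv5SBQEDMIIBGTCB7gYIKwYBBQUHAgIwgeEegd4AVABoAGkAcwAgAEMAZQByAHQA
      aQBmAGkAYwBhAHQAaQBvAG4AIABBAHUAdABoAG8AcgBpAHQAeQAgAGkAcwAgAGEA
      bgAgAGkAbgB0AGUAcgBuAGEAbAAgAHIAZQBzAG8AdQByAGMAZQAuACAAQwBlAHIA
      dABpAGYAaQBjAGEAdABlAHMAIABpAHMAcwB1AGUAZAAgAGIAeQAgAHQAaABpAHMA
      IABDAEEAIABhAHIAZQAgAGYAbwByACAAaQBuAHQAZQByAG4AYQBsACAAdQBzAGUA
      IABvAG4AbAB5AC4wJgYIKwYBBQUHAgEWGmh0dHBzOi8vaG9tZS55dXV0YS5tb2Uv
      Y3BzMEMGCCsGAQUFBwEBBDcwNTAzBggrBgEFBQcwAoYnaHR0cDovL2hvbWUueXV1
      dGEubW9lL1B1YmxpYy9Sb290Q0EuY3J0MA0GCSqGSIb3DQEBDQUAA4ICAQBpep0v
      TUIgb5gQ58gVM1zsPKgXlp2qLsTsbKkhSopsPmkrM8iCIVmZSthmJ9netyhb5pLG
      RYX2wQLnk/6CxI0Ky0ja1Ljk8OmxlZ37pVSCb0A9+sxNdOb6rOjsuBJhxrG4gWoQ
      LWTw52axvAspwkMfy3WK/AiU8KfnTI/PnlxevZPk4DqA3r+Cl8EeuRAVjm8vfNjF
      41kChxjlzkkNdKi1+e0Ne9V+KBhlkGA7RRe7IZfGiCqZ3qF1gs3JlnupZvUibFVJ
      E1i3GJrFglMoG5MPF2Ta3EGwqhJG5cp72IQ6+V3fTVKMu4gS+Xr3EK1y2P4ti8UN
      btWp0VRk0n8hH2lJtaWPW0pzYyaCb0TLxsy6b1N2Ky0Md1gGkJizKCxqok+D92un
      wOrPStBc/v2/B7RksJCr1QdVVWJNkrDbacgGBAJbrnEfiwvggOuLoW/VmGC9HG05
      UQhG2AyTL/ZG52JFr1HvpPKmoR37Ovh6AUA3InI3fFQ4aITojai/PLeFwKPdAO6B
      BqTIRcc3pekpcFTxyV1/aJixdXXeuPK2PGdHjvaeb2oR6R3xW89K1enn71MQ/4gw
      vrUSgPWrir+zgQWs0SELJe48QqLez1Gzg5ToWF67YGUMMp03w5FEG00+qsWUBgbV
      AN+3FUEMFG+GcubnaIQlcx2rC5r/cJWTaeDZZw==
      -----END CERTIFICATE-----
    ''
  ];
}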