{ config, lib, pkgs, ... }:

{
  nixpkgs.overlays = [
    (final: prev: {
      # Samba rebuilt with LDAP support — presumably needed for the
      # `security = ads` domain-member configuration further down; confirm.
      samba = prev.samba.override { enableLDAP = true; };
      # sudo rebuilt with the SSSD plugin so sudoers rules can be served by
      # the `sudo_provider = ad` configured in sssd.conf below.
      sudo = prev.sudo.override { withSssd = true; };
    })
  ];

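  # Kerberos rejects tickets outside a small clock-skew window, so keep the
  # clock synced from the domain controller.  NTP is unauthenticated here;
  # presumably dc1 resolves to an address inside the WireGuard ranges below
  # (the dnsmasq forwarder sends the zone to 10.0.1.2), so the tunnel — not
  # NTP itself — protects the time source.  Confirm that assumption.
  networking.timeServers = [ "dc1.ad.yuuta.moe" ];
  services.ntp.enable = true;

  # `networking.search` is declared as a list of strings by NixOS; the
  # previous bare-string assignment does not match that option type.
  networking.search = [ "ad.yuuta.moe" ];
  networking.domain = "ad.yuuta.moe";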

  # NOTE(review): dnspython is installed for two interpreters side by side.
  # Python 3.9 is end-of-life upstream and python39Packages has been removed
  # from recent nixpkgs — confirm this still evaluates and drop the unused
  # one rather than keeping an EOL interpreter around.
  environment.systemPackages = [
    pkgs.python39Packages.dnspython
    pkgs.python310Packages.dnspython
    pkgs.dig # nsupdate(1)
  ];

  # NOTE(review): `ips` and the private key are not set here, so they must be
  # merged in from another module.  Make sure that module uses
  # `privateKeyFile` — an inline `privateKey` ends up in the world-readable
  # Nix store.
  networking.wireguard.interfaces = {
    internal = {
      mtu = 1340;
      peers = [
        {
          # Hub peer carrying 10.0.1.0/24 and 10.0.2.0/24.  The DC used by
          # dnsmasq below (10.0.1.2) is inside these ranges, so this tunnel is
          # what gives DNS/Kerberos/LDAP traffic its integrity on the wire.
          publicKey = "DLhfohNTrZh45K/IRaJscUfUh3igTv2XAFkDmKrN2kQ=";
          allowedIPs = [ "10.0.2.0/24" "10.0.1.0/24" ];
          endpoint = "23.154.81.12:60011";
          persistentKeepalive = 25;
        }
      ];
    };
  };

  # NOTE(review): newer NixOS releases expose this as `security.krb5.settings`;
  # confirm the top-level `krb5.*` options are still accepted by the release in use.
  krb5 = {
    enable = true;
    libdefaults = {
      default_realm = "AD.YUUTA.MOE";
      # Realm and KDC discovery via DNS.  Those records are not authenticated,
      # so this trusts the resolver path (dnsmasq -> 10.0.1.2 over WireGuard)
      # rather than DNSSEC; the explicit domain_realm mapping below limits what
      # dns_lookup_realm can change.
      dns_lookup_realm = true;
      dns_lookup_kdc = true;
      ticket_lifetime = "24h";
      renew_lifetime = "7d";
      # Forwardable TGTs are what make GSSAPIDelegateCredentials (ssh client
      # config below) work: any host the ticket is delegated to can act as
      # the user until it expires.
      forwardable = true;
      # Per krb5.conf(5): do not canonicalise service hostnames through reverse
      # DNS, so a spoofed PTR record cannot redirect a ticket request.
      rdns = false;
      # Same credential-cache location as sssd's krb5_ccname_template below.
      default_ccache_name = "KEYRING:persistent:%{uid}";
    };
    domain_realm = {
      ".ad.yuuta.moe" = "AD.YUUTA.MOE";
    };
  };

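  services.sssd.enable = true;
  # Cherry pick from 48b0aa71646b3600f37dfa258c9fe16d7bb6747f
  # Fix sssctl: point /etc/sssd/sssd.conf at the copy the sssd service keeps
  # under /var/lib/sssd (presumably the module's private, non-store copy) so
  # sssctl reads the same file the daemon does.
  environment.etc."sssd/sssd.conf".source = "/var/lib/sssd/sssd.conf";
  # NOTE(review): the text below still passes through the world-readable Nix
  # store; keep secrets (ldap_default_authtok and the like) out of it.
  # cache_credentials / krb5_store_password_if_offline allow offline logins by
  # keeping a cached credential on disk and, per sssd.conf(5), the user's
  # password in the kernel keyring while the DC is unreachable — fine for a
  # single-user workstation, reconsider on shared hosts.
  #
  # Fix: ldap_autofs_search_base is a [domain/...] option (sssd-ldap(5)); it
  # previously sat under a separate [autofs] responder section, which sssd's
  # config validation does not accept, so it was most likely ignored and
  # autofs lookups fell back to the domain's default search base.
  services.sssd.config = ''
[sssd]
config_file_version = 2
domains = ad.yuuta.moe
services = nss, pam, sudo, autofs

[domain/ad.yuuta.moe]
cache_credentials = true

id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad

default_shell = /run/current-system/sw/bin/bash
# override_shell = /usr/bin/fish
fallback_homedir = /home/%u

ldap_sudo_search_base = ou=sudoers,dc=ad,dc=yuuta,dc=moe
ldap_autofs_search_base = ou=AutoFS,ou=Domain Computers,dc=ad,dc=yuuta,dc=moe

krb5_renew_interval = 10h
krb5_ccname_template = KEYRING:persistent:%U
krb5_store_password_if_offline = true
'';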
  # sshd side: accept GSSAPI (Kerberos) authentication from clients.
  services.openssh.extraConfig = "GSSAPIAuthentication yes\n";

  # services.nscd.enable = false;
  # `environment.etc.<name>.text` is merged as `types.lines`, so these entries
  # are presumably appended to the nsswitch.conf the base modules generate
  # (passwd/group via sss come from the sssd module) rather than replacing it.
  # Confirm with `cat /etc/nsswitch.conf` after a rebuild.
  environment.etc."nsswitch.conf" = {
    text = ''
      # sssd
      sudoers: files sss
      automount: files sss
    '';
  };

  services.autofs = {
    enable = true;
    # NOTE(review): debug logging is left on; it is verbose and ends up in the
    # journal — turn it off once the LDAP maps are known to work.
    debug = true;
    # Empty master map: map sources come from nsswitch (`automount: files sss`).
    autoMaster = "# Use LDAP";
  };

  boot = {
    supportedFilesystems = [ "nfs" ];
    # nfs4_disable_idmapping=0 keeps NFSv4 ID mapping enabled.  The idmapd
    # domain is left at the default the module derives automatically rather
    # than forced to ad.yuuta.moe.
    # NOTE(review): nothing here selects sec=krb5i/krb5p; whether NFS traffic
    # is integrity/privacy protected depends on the mount options in the
    # autofs maps and the server exports — confirm there.
    extraModprobeConfig = ''
      options nfs nfs4_disable_idmapping=0
      options nfsd nfs4_disable_idmapping=0
    '';
  };

  # Domain-member Samba client config.  `client signing = yes` enforces SMB
  # signing on outbound connections — keep it.
  # NOTE(review): no `client min protocol` is set, so the build's default
  # applies (SMB2_02 on current Samba, presumably); pin `client min protocol =
  # SMB3` if every server you talk to supports it.  `client use spnego` is the
  # default and is deprecated in newer Samba — harmless, but may warn.
  services.samba = {
    enable = true;
    # services.samba.package = pkgs.samba4Full;
    configText = ''
      [global]
        security = ads
        realm = AD.YUUTA.MOE
        workgroup = YUUTA

        log file = /var/log/samba/%m.log

        kerberos method = secrets and keytab

        client signing = yes
        client use spnego = yes
    '';
  };

  # Forward the AD zone and reverse lookups to the domain controller at
  # 10.0.1.2, which lies inside the WireGuard allowedIPs above.  Kerberos
  # (dns_lookup_kdc) and sssd trust these answers, and the tunnel is the only
  # thing protecting them — there is no DNSSEC validation here.
  # NOTE(review): all of in-addr.arpa goes to the DC, so reverse lookups for
  # non-tunnel addresses are sent there too; narrow this to the tunnel ranges
  # (e.g. `/1.0.10.in-addr.arpa/10.0.1.2`) if that is not intended.  Newer
  # NixOS releases prefer `services.dnsmasq.settings.server` over `servers`.
  services.dnsmasq = {
    enable = true;
    servers = [
      "/ad.yuuta.moe/10.0.1.2"
      "/in-addr.arpa/10.0.1.2"
    ];
  };
  # ssh client side.  GSSAPIDelegateCredentials forwards the user's TGT
  # (forwardable per krb5.libdefaults above) to every host matching
  # *.ad.yuuta.moe.  Any such host — including a compromised one — can then
  # act as the user against other Kerberos services until the ticket expires.
  # This is needed if remote sessions must reach Kerberos-protected NFS/SMB;
  # otherwise narrow the Host pattern to the machines that actually need it.
  programs.ssh = {
    extraConfig = ''
      Host *.ad.yuuta.moe
          GSSAPIAuthentication yes
          GSSAPIDelegateCredentials yes
    '';
  };

  # Create a home directory on first login (presumably via pam_mkhomedir) for
  # domain users that have none yet — see fallback_homedir in sssd.conf.
  # NOTE(review): if home directories are autofs-mounted, confirm this does
  # not create a local /home/%u before the automount triggers.
  security.pam.services = {
    sshd.makeHomeDir = true;
    login.makeHomeDir = true;
  };

  # Private "Yuuta" CA added to the system-wide trust store.  Everything that
  # consumes the NixOS CA bundle (TLS to the DC, curl, any tool reading the
  # bundle) will trust certificates it issues — not just the AD services — so
  # its signing key must be protected like any other root of trust.
  security.pki.certificates = [ ''
Yuuta
=========
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
'' ];
}