nixos/ipa: cleanup

This commit is contained in:
Marcel
2025-10-02 21:31:39 +02:00
parent e9f00bd893
commit 0afff2b7a7


@@ -43,8 +43,8 @@ in
''; '';
example = literalExpression '' example = literalExpression ''
pkgs.fetchurl { pkgs.fetchurl {
url = http://ipa.example.com/ipa/config/ca.crt; url = "http://ipa.example.com/ipa/config/ca.crt";
sha256 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; hash = lib.fakeHash;
}; };
''; '';
}; };
@@ -191,12 +191,12 @@ in
''; '';
"ldap.conf".source = ldapConf; "ldap.conf".source = ldapConf;
};
environment.etc."chromium/policies/managed/freeipa.json" = mkIf cfg.chromiumSupport { "chromium/policies/managed/freeipa.json" = mkIf cfg.chromiumSupport {
text = '' text = builtins.toJSON {
{ "AuthServerWhitelist": "*.${cfg.domain}" } AuthServerWhitelist = "*.${cfg.domain}";
''; };
};
}; };
systemd.services."ipa-activation" = { systemd.services."ipa-activation" = {
@@ -207,8 +207,10 @@ in
]; ];
conflicts = [ "shutdown.target" ]; conflicts = [ "shutdown.target" ];
unitConfig.DefaultDependencies = false; unitConfig.DefaultDependencies = false;
serviceConfig.Type = "oneshot"; serviceConfig = {
serviceConfig.RemainAfterExit = true; Type = "oneshot";
RemainAfterExit = true;
};
script = '' script = ''
# libcurl requires a hard copy of the certificate # libcurl requires a hard copy of the certificate
if ! ${pkgs.diffutils}/bin/diff ${cfg.certificate} /etc/ipa/ca.crt > /dev/null 2>&1; then if ! ${pkgs.diffutils}/bin/diff ${cfg.certificate} /etc/ipa/ca.crt > /dev/null 2>&1; then
@@ -226,58 +228,61 @@ in
4. Restart sssd systemd service: sudo systemctl restart sssd 4. Restart sssd systemd service: sudo systemctl restart sssd
EOF EOF
# let service fail, to raise awareness
exit 1
fi fi
''; '';
}; };
services.sssd.config = '' services.sssd = {
[domain/${cfg.domain}] enable = true;
id_provider = ipa config = ''
auth_provider = ipa [domain/${cfg.domain}]
access_provider = ipa id_provider = ipa
chpass_provider = ipa auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = ${cfg.domain} ipa_domain = ${cfg.domain}
ipa_server = _srv_, ${cfg.server} ipa_server = _srv_, ${cfg.server}
ipa_hostname = ${cfg.ipaHostname} ipa_hostname = ${cfg.ipaHostname}
cache_credentials = ${pyBool cfg.cacheCredentials} cache_credentials = ${pyBool cfg.cacheCredentials}
krb5_store_password_if_offline = ${pyBool cfg.offlinePasswords} krb5_store_password_if_offline = ${pyBool cfg.offlinePasswords}
${optionalString ((toLower cfg.domain) != (toLower cfg.realm)) "krb5_realm = ${cfg.realm}"} ${optionalString ((toLower cfg.domain) != (toLower cfg.realm)) "krb5_realm = ${cfg.realm}"}
dyndns_update = ${pyBool cfg.dyndns.enable} dyndns_update = ${pyBool cfg.dyndns.enable}
dyndns_iface = ${cfg.dyndns.interface} dyndns_iface = ${cfg.dyndns.interface}
ldap_tls_cacert = /etc/ipa/ca.crt ldap_tls_cacert = /etc/ipa/ca.crt
ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber, lock:nsaccountlock ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber, lock:nsaccountlock
[sssd] [sssd]
services = nss, sudo, pam, ssh, ifp services = nss, sudo, pam, ssh, ifp
domains = ${cfg.domain} domains = ${cfg.domain}
[nss] [nss]
homedir_substring = /home homedir_substring = /home
[pam] [pam]
pam_pwd_expiration_warning = 3 pam_pwd_expiration_warning = 3
pam_verbosity = 3 pam_verbosity = 3
[sudo] [sudo]
[autofs] [autofs]
[ssh] [ssh]
[pac] [pac]
[ifp] [ifp]
user_attributes = +mail, +telephoneNumber, +givenname, +sn, +lock user_attributes = +mail, +telephoneNumber, +givenname, +sn, +lock
allowed_uids = ${concatStringsSep ", " cfg.ifpAllowedUids} allowed_uids = ${concatStringsSep ", " cfg.ifpAllowedUids}
''; '';
};
services.ntp.servers = singleton cfg.server; networking.timeServers = singleton cfg.server;
services.sssd.enable = true;
services.ntp.enable = true;
security.pki.certificateFiles = singleton cfg.certificate; security.pki.certificateFiles = singleton cfg.certificate;
}; };
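Review bot: Removing `# let service fail, to raise awareness` and `exit 1` from the ipa-activation script means the oneshot now exits 0 after printing the manual steps (the heredoc ending at `EOF`), so whatever condition that branch detects no longer surfaces in `systemctl --failed` or unit-state monitoring; the `if` branch starts before this hunk, so only its tail is visible here. If the failing unit was the problem, consider keeping the non-zero exit and recording the rationale instead, e.g. `exit 1  # fail the unit so the unfinished setup stays visible in systemctl --failed`, or explain in the commit why a silent success is acceptable. Separately, replacing `services.ntp.enable = true` with `networking.timeServers = singleton cfg.server` makes time sync depend on whichever daemon is enabled elsewhere (systemd-timesyncd by default); hosts that disable it lose the clock-skew protection Kerberos needs, which deserves a sentence in the option description. In the chromium hunk the policy is now built with `builtins.toJSON`, which correctly escapes `cfg.domain`, but the key `AuthServerWhitelist` is deprecated upstream in favour of `AuthServerAllowlist` — worth confirming against the Chromium version this module targets.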