Dawoox/nixpkgs
1
1
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

nixos/ipa: cleanup

Browse Source
This commit is contained in:
Marcel
2025-10-02 21:31:39 +02:00
parent e9f00bd893
commit 0afff2b7a7
1 changed files with 49 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

93
nixos/modules/security/ipa.nix
View File

@@ -43,8 +43,8 @@ in
'';
example = literalExpression ''
pkgs.fetchurl {
url = http://ipa.example.com/ipa/config/ca.crt;
sha256 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
url = "http://ipa.example.com/ipa/config/ca.crt";
hash = lib.fakeHash;
};
'';
};
@@ -191,12 +191,12 @@ in
'';
"ldap.conf".source = ldapConf;
};
environment.etc."chromium/policies/managed/freeipa.json" = mkIf cfg.chromiumSupport {
text = ''
{ "AuthServerWhitelist": "*.${cfg.domain}" }
'';
"chromium/policies/managed/freeipa.json" = mkIf cfg.chromiumSupport {
text = builtins.toJSON {
AuthServerWhitelist = "*.${cfg.domain}";
};
};
};
systemd.services."ipa-activation" = {
@@ -207,8 +207,10 @@ in
];
conflicts = [ "shutdown.target" ];
unitConfig.DefaultDependencies = false;
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
# libcurl requires a hard copy of the certificate
if ! ${pkgs.diffutils}/bin/diff ${cfg.certificate} /etc/ipa/ca.crt > /dev/null 2>&1; then
@@ -226,58 +228,61 @@ in
4. Restart sssd systemd service: sudo systemctl restart sssd
EOF
# let service fail, to raise awareness
exit 1
fi
'';
};
services.sssd.config = ''
[domain/${cfg.domain}]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
services.sssd = {
enable = true;
config = ''
[domain/${cfg.domain}]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = ${cfg.domain}
ipa_server = _srv_, ${cfg.server}
ipa_hostname = ${cfg.ipaHostname}
ipa_domain = ${cfg.domain}
ipa_server = _srv_, ${cfg.server}
ipa_hostname = ${cfg.ipaHostname}
cache_credentials = ${pyBool cfg.cacheCredentials}
krb5_store_password_if_offline = ${pyBool cfg.offlinePasswords}
${optionalString ((toLower cfg.domain) != (toLower cfg.realm)) "krb5_realm = ${cfg.realm}"}
cache_credentials = ${pyBool cfg.cacheCredentials}
krb5_store_password_if_offline = ${pyBool cfg.offlinePasswords}
${optionalString ((toLower cfg.domain) != (toLower cfg.realm)) "krb5_realm = ${cfg.realm}"}
dyndns_update = ${pyBool cfg.dyndns.enable}
dyndns_iface = ${cfg.dyndns.interface}
dyndns_update = ${pyBool cfg.dyndns.enable}
dyndns_iface = ${cfg.dyndns.interface}
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber, lock:nsaccountlock
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber, lock:nsaccountlock
[sssd]
services = nss, sudo, pam, ssh, ifp
domains = ${cfg.domain}
[sssd]
services = nss, sudo, pam, ssh, ifp
domains = ${cfg.domain}
[nss]
homedir_substring = /home
[nss]
homedir_substring = /home
[pam]
pam_pwd_expiration_warning = 3
pam_verbosity = 3
[pam]
pam_pwd_expiration_warning = 3
pam_verbosity = 3
[sudo]
[sudo]
[autofs]
[autofs]
[ssh]
[ssh]
[pac]
[pac]
[ifp]
user_attributes = +mail, +telephoneNumber, +givenname, +sn, +lock
allowed_uids = ${concatStringsSep ", " cfg.ifpAllowedUids}
'';
[ifp]
user_attributes = +mail, +telephoneNumber, +givenname, +sn, +lock
allowed_uids = ${concatStringsSep ", " cfg.ifpAllowedUids}
'';
};
services.ntp.servers = singleton cfg.server;
services.sssd.enable = true;
services.ntp.enable = true;
networking.timeServers = singleton cfg.server;
security.pki.certificateFiles = singleton cfg.certificate;
};