depot/modules/sss/default.nix

{ config, lib, hosts, tools, utils, ... }:
let
  inherit (tools.meta) domain;
  inherit (tools) identity;
  inherit (config.networking) hostName;
  inherit (hosts.${hostName}) enterprise interfaces;

  toINI = content: lib.generators.toINI {} (iniFilter content);

  # apply some extra transformations for INI generation
  # 2 layers deep because the attrset for the INI generator does it
  iniFilter = builtins.mapAttrs iniFilter';
  iniFilter' = k: builtins.mapAttrs iniFilter'';
  iniFilter'' = k: v:
    if builtins.isList v then builtins.concatStringsSep ", " v
    else if builtins.isBool v then (if v then "True" else "False")
    else v;

  ipaProvide = services: lib.genAttrs (map (x: "${x}_provider") services) (_: "ipa");

  defaultShell = utils.toShellPath config.users.defaultUserShell;
in
{
  security.pam.services = lib.genAttrs [ "login" "sshd" ] (_: {
    makeHomeDir = true;
    sssdStrictAccess = true;
  });

  services.sssd.enable = true;
  services.sssd.sshAuthorizedKeysIntegration = true;
  services.sssd.config = toINI {
    "domain/${domain}" = {
      dns_discovery_domain = domain;
      ipa_domain = domain;
      ipa_server = [ "_srv_" identity.ldap.server.hostname ];
      ipa_hostname = "${lib.toLower hostName}.${enterprise.subdomain}.${domain}";
    
      # TODO: replace with proper cert
      ldap_tls_cacert = "${../../data/ca.crt}";

      cache_credentials = true;
      krb5_store_password_if_offline = true;

      dyndns_update = interfaces ? primary.link;
      dyndns_iface = interfaces.primary.link or "";

      fallback_homedir = "/home/%u@%d";
      default_shell = defaultShell;
      shell_fallback = defaultShell;

      use_fully_qualified_names = false;
    } // ipaProvide [
      "access"
      "auth"
      "autofs"
      "chpass"
      "hostid"
      "id"
      "session"
      "subdomains"
      "sudo"
    ];

    sssd = {
      domains = domain;
      services = [ "nss" "pam" "ssh" "sudo" "autofs" ];
    };
    nss.homedir_substring = "/home";
    pam.pam_cert_auth = true;
  };
}
modules/sss: init 2021-10-16 15:24:41 +03:00			`{ config, lib, hosts, tools, utils, ... }:`
			`let`
			`inherit (tools.meta) domain;`
			`inherit (tools) identity;`
			`inherit (config.networking) hostName;`
			`inherit (hosts.${hostName}) enterprise interfaces;`

			`toINI = content: lib.generators.toINI {} (iniFilter content);`

			`# apply some extra transformations for INI generation`
			`# 2 layers deep because the attrset for the INI generator does it`
			`iniFilter = builtins.mapAttrs iniFilter';`
meta: style 2022-03-13 00:16:38 +02:00			`iniFilter' = k: builtins.mapAttrs iniFilter'';`
modules/sss: init 2021-10-16 15:24:41 +03:00			`iniFilter'' = k: v:`
			`if builtins.isList v then builtins.concatStringsSep ", " v`
			`else if builtins.isBool v then (if v then "True" else "False")`
			`else v;`

			`ipaProvide = services: lib.genAttrs (map (x: "${x}_provider") services) (_: "ipa");`

			`defaultShell = utils.toShellPath config.users.defaultUserShell;`
			`in`
			`{`
			`security.pam.services = lib.genAttrs [ "login" "sshd" ] (_: {`
			`makeHomeDir = true;`
			`sssdStrictAccess = true;`
			`});`

			`services.sssd.enable = true;`
			`services.sssd.sshAuthorizedKeysIntegration = true;`
			`services.sssd.config = toINI {`
			`"domain/${domain}" = {`
			`dns_discovery_domain = domain;`
			`ipa_domain = domain;`
			`ipa_server = [ "_srv_" identity.ldap.server.hostname ];`
			`ipa_hostname = "${lib.toLower hostName}.${enterprise.subdomain}.${domain}";`

			`# TODO: replace with proper cert`
			`ldap_tls_cacert = "${../../data/ca.crt}";`

			`cache_credentials = true;`
			`krb5_store_password_if_offline = true;`

			`dyndns_update = interfaces ? primary.link;`
			`dyndns_iface = interfaces.primary.link or "";`

			`fallback_homedir = "/home/%u@%d";`
			`default_shell = defaultShell;`
			`shell_fallback = defaultShell;`

			`use_fully_qualified_names = false;`
			`} // ipaProvide [`
			`"access"`
			`"auth"`
			`"autofs"`
			`"chpass"`
			`"hostid"`
			`"id"`
			`"session"`
			`"subdomains"`
			`"sudo"`
			`];`

			`sssd = {`
			`domains = domain;`
			`services = [ "nss" "pam" "ssh" "sudo" "autofs" ];`
			`};`
			`nss.homedir_substring = "/home";`
			`pam.pam_cert_auth = true;`
			`};`
			`}`