Loading nixos/modules/security/ipa.nix +49 −44 Original line number Diff line number Diff line Loading @@ -43,8 +43,8 @@ in ''; example = literalExpression '' pkgs.fetchurl { url = http://ipa.example.com/ipa/config/ca.crt; sha256 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; url = "http://ipa.example.com/ipa/config/ca.crt"; hash = lib.fakeHash; }; ''; }; Loading Loading @@ -191,12 +191,12 @@ in ''; "ldap.conf".source = ldapConf; }; environment.etc."chromium/policies/managed/freeipa.json" = mkIf cfg.chromiumSupport { text = '' { "AuthServerWhitelist": "*.${cfg.domain}" } ''; "chromium/policies/managed/freeipa.json" = mkIf cfg.chromiumSupport { text = builtins.toJSON { AuthServerWhitelist = "*.${cfg.domain}"; }; }; }; systemd.services."ipa-activation" = { Loading @@ -207,8 +207,10 @@ in ]; conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; }; script = '' # libcurl requires a hard copy of the certificate if ! ${pkgs.diffutils}/bin/diff ${cfg.certificate} /etc/ipa/ca.crt > /dev/null 2>&1; then Loading @@ -226,11 +228,15 @@ in 4. Restart sssd systemd service: sudo systemctl restart sssd EOF # let service fail, to raise awareness exit 1 fi ''; }; services.sssd.config = '' services.sssd = { enable = true; config = '' [domain/${cfg.domain}] id_provider = ipa auth_provider = ipa Loading Loading @@ -274,10 +280,9 @@ in user_attributes = +mail, +telephoneNumber, +givenname, +sn, +lock allowed_uids = ${concatStringsSep ", " cfg.ifpAllowedUids} ''; }; services.ntp.servers = singleton cfg.server; services.sssd.enable = true; services.ntp.enable = true; networking.timeServers = singleton cfg.server; security.pki.certificateFiles = singleton cfg.certificate; }; Loading Loading
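Review bot: The rewritten Chromium policy in the `chromium/policies/managed/freeipa.json` hunk still emits the `AuthServerWhitelist` key, which Chromium has deprecated in favour of `AuthServerAllowlist`; the old name was accepted as an alias for a number of releases but may be ignored by the Chromium version nixpkgs currently packages, in which case the SPNEGO server allowlist silently stops applying — please verify against the packaged version before merging. The `builtins.toJSON` conversion itself is a clear improvement, since `cfg.domain` is now escaped rather than spliced into a hand-written JSON literal. Suggested line: `text = builtins.toJSON { AuthServerAllowlist = "*.${cfg.domain}"; };`. In the `example` hunk, the `lib.fakeHash` placeholder combined with a plain-http URL means the real hash is typically copied from the first hash-mismatch error, i.e. trust-on-first-use for the CA certificate; a short comment in the example such as `# obtain the expected hash out-of-band (e.g. from the IPA administrator) rather than from the hash-mismatch message` would make that caveat visible. The `ipa-activation` script body continues outside the visible hunks.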
nixos/modules/security/ipa.nix +49 −44 Original line number Diff line number Diff line Loading @@ -43,8 +43,8 @@ in ''; example = literalExpression '' pkgs.fetchurl { url = http://ipa.example.com/ipa/config/ca.crt; sha256 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; url = "http://ipa.example.com/ipa/config/ca.crt"; hash = lib.fakeHash; }; ''; }; Loading Loading @@ -191,12 +191,12 @@ in ''; "ldap.conf".source = ldapConf; }; environment.etc."chromium/policies/managed/freeipa.json" = mkIf cfg.chromiumSupport { text = '' { "AuthServerWhitelist": "*.${cfg.domain}" } ''; "chromium/policies/managed/freeipa.json" = mkIf cfg.chromiumSupport { text = builtins.toJSON { AuthServerWhitelist = "*.${cfg.domain}"; }; }; }; systemd.services."ipa-activation" = { Loading @@ -207,8 +207,10 @@ in ]; conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; }; script = '' # libcurl requires a hard copy of the certificate if ! ${pkgs.diffutils}/bin/diff ${cfg.certificate} /etc/ipa/ca.crt > /dev/null 2>&1; then Loading @@ -226,11 +228,15 @@ in 4. Restart sssd systemd service: sudo systemctl restart sssd EOF # let service fail, to raise awareness exit 1 fi ''; }; services.sssd.config = '' services.sssd = { enable = true; config = '' [domain/${cfg.domain}] id_provider = ipa auth_provider = ipa Loading Loading @@ -274,10 +280,9 @@ in user_attributes = +mail, +telephoneNumber, +givenname, +sn, +lock allowed_uids = ${concatStringsSep ", " cfg.ifpAllowedUids} ''; }; services.ntp.servers = singleton cfg.server; services.sssd.enable = true; services.ntp.enable = true; networking.timeServers = singleton cfg.server; security.pki.certificateFiles = singleton cfg.certificate; }; Loading