nixos-config/modules/nixos/domain.nix

{
  inputs,
  lib,
  pkgs,
  config,
  ...
}:

with lib;
let
  cfg = config.modules.domain;
  domain = inputs.secrets.lab.domain;
  domainUpper = lib.strings.toUpper domain;
in
{
  options.modules.domain = {
    enable = mkEnableOption "Domain Integration";
    join = {
      userFile = mkOption {
        type = types.str;
        description = "File containing the user used to join the computer.";
      };
      passwordFile = mkOption {
        type = types.str;
        description = "File containing the password for the join user.";
      };
      domainOUFile = mkOption {
        type = types.str;
        description = "The OU to join the computer to.";
      };
    };
  };

  config = mkIf cfg.enable {
    # Set network domain
    networking.domain = domain;
    networking.search = [ domain ];

    # Automatically join the domain
    systemd.services.adcli-join = {
      description = "Automatically join the domain";
      wantedBy = [ "default.target" ];
      before = [ "sssd.service" ];
      requiredBy = [ "sssd.service" ];
      after = [
        "network-online.target"
      ];
      requires = [
        "network-online.target"
      ];
      serviceConfig = {
        Type = "oneshot";
      };
      script = ''
        ADCLI_JOIN_USER=$(cat ${cfg.join.userFile})
        ADCLI_JOIN_OU=$(cat ${cfg.join.domainOUFile})
        ${pkgs.adcli}/bin/adcli join -D ${domain} \
          -U $ADCLI_JOIN_USER \
          -O $ADCLI_JOIN_OU \
          --dont-expire-password=true \
          --stdin-password < ${cfg.join.passwordFile}
      '';
    };

    # Set up Kerberos
    security.krb5 = {
      enable = true;
      settings = {
        libdefaults = {
          default_realm = domainUpper;
        };
        realms.${domainUpper} = {
        };
        domain_realm = {
          "${domain}" = domainUpper;
          ".${domain}" = domainUpper;
        };
      };
    };

    # Set up SSSD
    services.sssd = {
      enable = true;
      config = ''
        [sssd]
        domains = ${domain}
        config_file_version = 2
        services = nss, pam

        [nss]
        filter_users = ${concatStringsSep "," (lib.attrNames config.users.users)}
        filter_groups = ${concatStringsSep "," (lib.attrNames config.users.groups)}

        [domain/${domain}]
        enumerate = False
        ad_domain = ${domain}
        krb5_realm = ${domainUpper}H
        id_provider = ad
        auth_provider = ad
        access_provider = ad
        chpass_provider = ad
        use_fully_qualified_names = False
        ldap_schema = ad
        ldap_id_mapping = True
        ad_gpo_access_control = enforcing
        ad_gpo_implicit_deny = True
        dyndns_update = True
        dyndns_update_ptr = False
        dyndns_refresh_interval = 86400
        dyndns_ttl = 3600
      '';
    };
    security.pam.services.login.sssdStrictAccess = true;
    security.pam.services.sshd.sssdStrictAccess = true;
    security.pam.services.su.sssdStrictAccess = true;

    # Set up Sudo
    security.sudo =
      let
        admin_group = "host_${lib.replaceStrings [ "-" ] [ "_" ] config.networking.hostName}_admin";
      in
      {
        extraConfig = ''
          %${admin_group} ALL=(ALL) SETENV: ALL
        '';
      };

    # Set up SSH
    services.openssh = {
      package = pkgs.opensshWithKerberos;
      settings = {
        GSSAPIAuthentication = true;
        GSSAPICleanupCredentials = true;
        GSSAPIStrictAcceptorCheck = true;
      };
    };

    # Set up home directory
    security.pam.services.login.makeHomeDir = true;
    security.pam.services.sshd.makeHomeDir = true;
    environment.etc.profile.text =
      let
        # TODO: Activate configuration based on AD group
        homeConfiguration = inputs.home-manager.lib.homeManagerConfiguration {
          inherit pkgs;
          modules = [
            (
              { lib, ... }:
              {
                home.stateVersion = "24.11";
                home.username = "$USER";
                home.homeDirectory = "/.$HOME";
                modules.profiles.base.enable = true;

                # Mount the directories from the network share
                home.activation.dirMount =
                  let
                    bindScript = dir: ''
                      mkdir -p /network/$USER/${dir}
                      mkdir -p $HOME/${dir}
                      ${pkgs.bindfs}/bin/bindfs /network/$USER/${dir} $HOME/${dir}
                    '';
                  in
                  lib.hm.dag.entryAfter [ "writeBoundary" ] ''
                    if ! ${pkgs.krb5}/bin/klist -s; then
                      echo "No kerberos ticket found"
                      ${pkgs.krb5}/bin/kinit
                    fi

                    if ${pkgs.krb5}/bin/klist -s; then
                      echo "Kerberos ticket found, mounting home directory"
                      ${bindScript "Documents"}
                      ${bindScript "Music"}
                      ${bindScript "Pictures"}
                      ${bindScript "Video"}
                    else
                      echo "Still no kerberos ticket found, skipping home directory mount"
                    fi
                  '';
              }
            )
          ] ++ config.home-manager.sharedModules;
        };
      in
      mkAfter ''
        # Activate Home Manager configuration for domain users
        if id | egrep -o 'groups=.*' | sed 's/,/\n/g' | cut -d'(' -f2 | sed 's/)//' | egrep -o "^domain users$"; then
          echo "Setting up environment for domain user"
          SKIP_SANITY_CHECKS=1 ${homeConfiguration.activationPackage}/activate
          if test -f "$HOME/.bashrc"; then
            . $HOME/.bashrc
          fi
        fi
      '';

    # Automatically mount home share
    # Can be accessed at /network/$USER
    services.autofs = {
      enable = true;
      autoMaster =
        let
          networkMap = pkgs.writeText "auto" ''
            * -fstype=cifs,sec=krb5,user=&,uid=$UID,gid=$GID,cruid=$UID ://${inputs.secrets.lab.nas.host}/home
          '';
        in
        ''
          /network ${networkMap} --timeout=30
        '';
    };
  };
}
Moved domain config 2025-06-08 03:04:14 +02:00			`{`
			`inputs,`
			`lib,`
			`pkgs,`
			`config,`
			`...`
			`}:`

			`with lib;`
			`let`
			`cfg = config.modules.domain;`
			`domain = inputs.secrets.lab.domain;`
			`domainUpper = lib.strings.toUpper domain;`
			`in`
			`{`
			`options.modules.domain = {`
			`enable = mkEnableOption "Domain Integration";`
			`join = {`
			`userFile = mkOption {`
			`type = types.str;`
			`description = "File containing the user used to join the computer.";`
			`};`
			`passwordFile = mkOption {`
			`type = types.str;`
			`description = "File containing the password for the join user.";`
			`};`
			`domainOUFile = mkOption {`
			`type = types.str;`
			`description = "The OU to join the computer to.";`
			`};`
			`};`
			`};`

			`config = mkIf cfg.enable {`
			`# Set network domain`
			`networking.domain = domain;`
			`networking.search = [ domain ];`

			`# Automatically join the domain`
			`systemd.services.adcli-join = {`
			`description = "Automatically join the domain";`
			`wantedBy = [ "default.target" ];`
Updated SSH to use GSSAPI 2025-06-11 14:13:25 +02:00			`before = [ "sssd.service" ];`
			`requiredBy = [ "sssd.service" ];`
Moved domain config 2025-06-08 03:04:14 +02:00			`after = [`
Added SSSD config 2025-06-08 03:39:12 +02:00			`"network-online.target"`
			`];`
			`requires = [`
			`"network-online.target"`
Moved domain config 2025-06-08 03:04:14 +02:00			`];`
			`serviceConfig = {`
Moved to systemd for initrd, added integration for vmWithDisko 2025-06-11 11:58:54 +02:00			`Type = "oneshot";`
Moved domain config 2025-06-08 03:04:14 +02:00			`};`
			`script = ''`
			`ADCLI_JOIN_USER=$(cat ${cfg.join.userFile})`
			`ADCLI_JOIN_OU=$(cat ${cfg.join.domainOUFile})`
			`${pkgs.adcli}/bin/adcli join -D ${domain} \`
			`-U $ADCLI_JOIN_USER \`
Updated adcli script 2025-06-08 03:22:10 +02:00			`-O $ADCLI_JOIN_OU \`
Created standard local user hm config for VMs 2025-06-11 12:42:06 +02:00			`--dont-expire-password=true \`
Updated adcli script 2025-06-08 03:22:10 +02:00			`--stdin-password < ${cfg.join.passwordFile}`
Moved domain config 2025-06-08 03:04:14 +02:00			`'';`
			`};`
Added SSSD config 2025-06-08 03:39:12 +02:00
Setup kerberos config 2025-06-09 01:47:48 +02:00			`# Set up Kerberos`
			`security.krb5 = {`
			`enable = true;`
			`settings = {`
			`libdefaults = {`
			`default_realm = domainUpper;`
			`};`
Simplified kerberos config 2025-06-09 01:54:39 +02:00			`realms.${domainUpper} = {`
			`};`
Setup kerberos config 2025-06-09 01:47:48 +02:00			`domain_realm = {`
			`"${domain}" = domainUpper;`
			`".${domain}" = domainUpper;`
			`};`
			`};`
			`};`

Added SSSD config 2025-06-08 03:39:12 +02:00			`# Set up SSSD`
			`services.sssd = {`
			`enable = true;`
			`config = ''`
			`[sssd]`
			`domains = ${domain}`
			`config_file_version = 2`
Updated SSH to use GSSAPI 2025-06-11 14:13:25 +02:00			`services = nss, pam`
Added SSSD config 2025-06-08 03:39:12 +02:00
Filter out locally defined users and groups 2025-06-10 00:07:22 +02:00			`[nss]`
			`filter_users = ${concatStringsSep "," (lib.attrNames config.users.users)}`
			`filter_groups = ${concatStringsSep "," (lib.attrNames config.users.groups)}`

Added SSSD config 2025-06-08 03:39:12 +02:00			`[domain/${domain}]`
Disable PTR update 2025-06-09 03:09:14 +02:00			`enumerate = False`
Added SSSD config 2025-06-08 03:39:12 +02:00			`ad_domain = ${domain}`
Filter out locally defined users and groups 2025-06-10 00:07:22 +02:00			`krb5_realm = ${domainUpper}H`
Added SSSD config 2025-06-08 03:39:12 +02:00			`id_provider = ad`
			`auth_provider = ad`
			`access_provider = ad`
			`chpass_provider = ad`
Disable PTR update 2025-06-09 03:09:14 +02:00			`use_fully_qualified_names = False`
Enforce GPO access control 2025-06-09 01:34:29 +02:00			`ldap_schema = ad`
Disable PTR update 2025-06-09 03:09:14 +02:00			`ldap_id_mapping = True`
Enforce GPO access control 2025-06-09 01:34:29 +02:00			`ad_gpo_access_control = enforcing`
Disable PTR update 2025-06-09 03:09:14 +02:00			`ad_gpo_implicit_deny = True`
Updated sssd dyndns config 2025-06-11 13:01:02 +02:00			`dyndns_update = True`
			`dyndns_update_ptr = False`
			`dyndns_refresh_interval = 86400`
Enabled dyndns 2025-06-08 03:45:33 +02:00			`dyndns_ttl = 3600`
Added SSSD config 2025-06-08 03:39:12 +02:00			`'';`
			`};`
Update PAM 2025-06-09 04:05:52 +02:00			`security.pam.services.login.sssdStrictAccess = true;`
Setup strict ssh auth 2025-06-09 03:42:25 +02:00			`security.pam.services.sshd.sssdStrictAccess = true;`
Updated SSH to use GSSAPI 2025-06-11 14:13:25 +02:00			`security.pam.services.su.sssdStrictAccess = true;`
Added sudo domain integration 2025-06-09 02:17:05 +02:00
			`# Set up Sudo`
			`security.sudo =`
			`let`
Updated SSH to use GSSAPI 2025-06-11 14:13:25 +02:00			`admin_group = "host_${lib.replaceStrings [ "-" ] [ "_" ] config.networking.hostName}_admin";`
Added sudo domain integration 2025-06-09 02:17:05 +02:00			`in`
			`{`
			`extraConfig = ''`
			`%${admin_group} ALL=(ALL) SETENV: ALL`
			`'';`
			`};`
Update PAM 2025-06-09 04:05:52 +02:00
Updated SSH to use GSSAPI 2025-06-11 14:13:25 +02:00			`# Set up SSH`
Switched to openssh package with kerberos support 2025-06-11 14:21:57 +02:00			`services.openssh = {`
			`package = pkgs.opensshWithKerberos;`
			`settings = {`
			`GSSAPIAuthentication = true;`
			`GSSAPICleanupCredentials = true;`
			`GSSAPIStrictAcceptorCheck = true;`
			`};`
Updated SSH to use GSSAPI 2025-06-11 14:13:25 +02:00			`};`

Update PAM 2025-06-09 04:05:52 +02:00			`# Set up home directory`
Quick fix 2025-06-09 04:07:18 +02:00			`security.pam.services.login.makeHomeDir = true;`
			`security.pam.services.sshd.makeHomeDir = true;`
Resource bashrc 2025-06-09 13:24:58 +02:00			`environment.etc.profile.text =`
Added initial homeConfiguration for domain users 2025-06-09 12:50:30 +02:00			`let`
Filter out locally defined users and groups 2025-06-10 00:07:22 +02:00			`# TODO: Activate configuration based on AD group`
Added initial homeConfiguration for domain users 2025-06-09 12:50:30 +02:00			`homeConfiguration = inputs.home-manager.lib.homeManagerConfiguration {`
			`inherit pkgs;`
			`modules = [`
			`(`
Added link creation to activation script 2025-06-10 03:04:44 +02:00			`{ lib, ... }:`
Added initial homeConfiguration for domain users 2025-06-09 12:50:30 +02:00			`{`
			`home.stateVersion = "24.11";`
			`home.username = "$USER";`
			`home.homeDirectory = "/.$HOME";`
Enabled base profile for domain users 2025-06-09 13:06:29 +02:00			`modules.profiles.base.enable = true;`
Used persistence for mounting network folders 2025-06-10 02:37:26 +02:00
			`# Mount the directories from the network share`
Moved to bind mounts 2025-06-10 03:23:30 +02:00			`home.activation.dirMount =`
			`let`
			`bindScript = dir: ''`
			`mkdir -p /network/$USER/${dir}`
Create additional directories 2025-06-10 03:27:46 +02:00			`mkdir -p $HOME/${dir}`
Moved to bind mounts 2025-06-10 03:23:30 +02:00			`${pkgs.bindfs}/bin/bindfs /network/$USER/${dir} $HOME/${dir}`
			`'';`
			`in`
			`lib.hm.dag.entryAfter [ "writeBoundary" ] ''`
			`if ! ${pkgs.krb5}/bin/klist -s; then`
			`echo "No kerberos ticket found"`
			`${pkgs.krb5}/bin/kinit`
			`fi`

			`if ${pkgs.krb5}/bin/klist -s; then`
			`echo "Kerberos ticket found, mounting home directory"`
			`${bindScript "Documents"}`
			`${bindScript "Music"}`
			`${bindScript "Pictures"}`
			`${bindScript "Video"}`
			`else`
			`echo "Still no kerberos ticket found, skipping home directory mount"`
			`fi`
			`'';`
Added initial homeConfiguration for domain users 2025-06-09 12:50:30 +02:00			`}`
			`)`
			`] ++ config.home-manager.sharedModules;`
			`};`
			`in`
Resource bashrc 2025-06-09 13:24:58 +02:00			`mkAfter ''`
Added initial homeConfiguration for domain users 2025-06-09 12:50:30 +02:00			`# Activate Home Manager configuration for domain users`
			`if id \| egrep -o 'groups=.*' \| sed 's/,/\n/g' \| cut -d'(' -f2 \| sed 's/)//' \| egrep -o "^domain users$"; then`
			`echo "Setting up environment for domain user"`
Enabled base profile for domain users 2025-06-09 13:06:29 +02:00			`SKIP_SANITY_CHECKS=1 ${homeConfiguration.activationPackage}/activate`
Updated SSH to use GSSAPI 2025-06-11 14:13:25 +02:00			`if test -f "$HOME/.bashrc"; then`
			`. $HOME/.bashrc`
			`fi`
Added initial homeConfiguration for domain users 2025-06-09 12:50:30 +02:00			`fi`
			`'';`
Set up autofs 2025-06-10 01:15:50 +02:00
Used persistence for mounting network folders 2025-06-10 02:37:26 +02:00			`# Automatically mount home share`
			`# Can be accessed at /network/$USER`
Set up autofs 2025-06-10 01:15:50 +02:00			`services.autofs = {`
			`enable = true;`
			`autoMaster =`
			`let`
			`networkMap = pkgs.writeText "auto" ''`
Updated autofs 2025-06-10 02:12:19 +02:00			`* -fstype=cifs,sec=krb5,user=&,uid=$UID,gid=$GID,cruid=$UID ://${inputs.secrets.lab.nas.host}/home`
Set up autofs 2025-06-10 01:15:50 +02:00			`'';`
			`in`
			`''`
Updated autofs 2025-06-10 02:12:19 +02:00			`/network ${networkMap} --timeout=30`
Set up autofs 2025-06-10 01:15:50 +02:00			`'';`
			`};`
Moved domain config 2025-06-08 03:04:14 +02:00			`};`
			`}`