From 7d4ee4328332bd3428c46d20ec2a1cdbdc7f5b38 Mon Sep 17 00:00:00 2001
From: Jan-Bulthuis
Date: Tue, 10 Jun 2025 00:07:22 +0200
Subject: [PATCH] Filter out locally defined users and groups

---
 modules/nixos/domain.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/modules/nixos/domain.nix b/modules/nixos/domain.nix
index cfc9112..c5a743f 100644
--- a/modules/nixos/domain.nix
+++ b/modules/nixos/domain.nix
@@ -85,10 +85,14 @@ in
 config_file_version = 2
 services = nss, pam, ssh

+ [nss]
+ filter_users = ${concatStringsSep "," (lib.attrNames config.users.users)}
+ filter_groups = ${concatStringsSep "," (lib.attrNames config.users.groups)}
+
 [domain/${domain}]
 enumerate = False
 ad_domain = ${domain}
- krb5_realm = ${domainUpper}
+ krb5_realm = ${domainUpper}H
 id_provider = ad
 auth_provider = ad
 access_provider = ad
@@ -121,6 +125,7 @@ in
 {
 extraConfig = ''
 %${admin_group} ALL=(ALL) SETENV: ALL
+ %${domainUpper}${admin_group} ALL=(ALL) SETENV: ALL
 '';
 };

@@ -129,6 +134,7 @@ in
 security.pam.services.sshd.makeHomeDir = true;
 environment.etc.profile.text =
 let
+ # TODO: Activate configuration based on AD group
 homeConfiguration = inputs.home-manager.lib.homeManagerConfiguration {
 inherit pkgs;
 modules = [
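Review bot: The new `krb5_realm = ${domainUpper}H` line in the `[domain/${domain}]` section appends a literal `H` to the realm, which looks like a stray keystroke and is unrelated to the commit subject. A realm that does not match the AD domain would be expected to break Kerberos authentication for domain users, so this should stay `krb5_realm = ${domainUpper}`. Separately, the added `filter_users`/`filter_groups` lines use `lib.attrNames`, which yields the attribute keys; if an account sets a different `name` option its real name is not filtered, and `lib.mapAttrsToList (_: u: u.name) config.users.users` (likewise for groups) would track the actual names. The enclosing config string starts and ends outside the hunk.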
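Review bot: In the added sudoers line of the second hunk, `%${domainUpper}${admin_group}` joins the realm and the group name with no separator as shown here, so the rule only matches a group literally named that way. If a `DOMAIN\group` form was intended, the backslash has to be doubled for sudoers and may simply have been lost in this rendering of the patch. Because the rule grants `ALL=(ALL) SETENV: ALL`, it is worth confirming with `getent group` which name SSSD actually returns for the admin group and keeping only the form that resolves. A short comment above the two lines, such as `# bare and realm-qualified group name; which one matches depends on SSSD name qualification`, would document why both exist.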