Skip to content

Instantly share code, notes, and snippets.

@s1341

s1341/freeipa-server.nix

Created May 29, 2023 04:08
Show Gist options
  • Star 3 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save s1341/125b95ddc2edb4f7e174eca1ab217ca6 to your computer and use it in GitHub Desktop.
Save s1341/125b95ddc2edb4f7e174eca1ab217ca6 to your computer and use it in GitHub Desktop.
Download ZIP
working freeipa config
Raw
freeipa-server.nix
{
config,
lib,
...
}: let
cfg = config.services.freeipa-server;
in {
options.services.freeipa-server = {
enable = lib.mkEnableOption "freeipa service";
router = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default =
null;
};
};
config = lib.mkIf cfg.enable {
virtualisation.oci-containers.containers.freeipa-server = {
autoStart = true;
image = "freeipa/freeipa-server:rocky-9";
volumes = [
"/var/data/freeipa:/data"
"/run/agenix:/run/agenix"
];
extraOptions = [
"-hipa.${config.services.hosts.freeipa-server.domain}"
"--dns=${cfg.router}"
"--sysctl=net.ipv6.conf.all.disable_ipv6=0"
"--network=br-services"
"--ip=${config.services.hosts.freeipa-server.ipv4}"
];
cmd = [
"--unattended"
"--realm=EXAMPLE.COM"
"--domain=example.com"
"--ds-password=$(cat /data/ds_password)"
"--admin-password=$(cat /data/admin_password)"
"--ntp-server=${cfg.router}"
"--setup-dns"
# "--no-host-dns"
"--forwarder=${config.services.hosts.adguard.ipv4}"
"--no-reverse"
];
};
};
}
Raw
ipa-tuura.nix
{
config,
lib,
...
}: let
domain = config.services.hosts.ipa-tuura.domain;
cfg = config.services.ipa-tuura;
ipa_server = "ipa.${config.services.hosts.freeipa-server.domain}";
nameserver = config.services.hosts.adguard.ipv4;
in {
options.services.ipa-tuura.enable = lib.mkEnableOption "ipa-tuura service";
config = lib.mkIf cfg.enable {
containers.ipa-tuura = {
ephemeral = true;
autoStart = true;
privateNetwork = true;
hostBridge = "br-services";
localAddress = "${config.services.hosts.ipa-tuura.ipv4}/24";
bindMounts = {
"/var/lib/ipa-tuura" = {
hostPath = "/var/data/ipa-tuura";
isReadOnly = false;
};
"/run/agenix" = {
hostPath = "/run/agenix";
isReadOnly = true;
};
};
nixpkgs = /home/s1341/src/nixpkgs;
config = {
config,
pkgs,
lib,
...
}: let
ipa-tuura-pkg = pkgs.python3.pkgs.buildPythonApplication rec {
pname = "ipa-tuura";
version = "unstable-20230420";
format = "other";
src = pkgs.fetchFromGitHub {
owner = "freeipa";
repo = pname;
rev = "279f7d1f9aa32d6d47f2bd25d646379a4d464683";
hash = "sha256-OJQyqiPQi+LX7HYDpcMOTuNJ5CWUg3GxeTsnxQfQS7c=";
};
propagatedBuildInputs = with pkgs.python3.pkgs; [
dbus-python
django
django-scim2
django-extensions
django-oauth-toolkit
django-rest-swagger
python-pam
six
pkgs.freeipa
netaddr
dns
setuptools
djangorestframework
];
patchPhase = ''
substituteInPlace src/ipa-tuura/root/settings.py --replace "localhost" "ipa-tuura.example.com";
substituteInPlace src/ipa-tuura/root/settings.py --replace "BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))" "BASE_DIR = '/var/lib/ipa-tuura'";
'';
installPhase = ''
cp -vr src/ipa-tuura $out/
echo "#!${pkgs.python3}/bin/python" > $out/manage.py
cat src/ipa-tuura/manage.py >> $out/manage.py
chmod +x $out/manage.py
makeWrapper $out/manage.py $out/bin/ipa-tuura \
--prefix PYTHONPATH : "$PYTHONPATH"
'';
passthru = {
pythonPath = pkgs.python3.pkgs.makePythonPath propagatedBuildInputs;
#${pkgs.freeipa}/bin/ipa-join
};
};
in {
security.ipa = {
enable = true;
domain = "example.com";
realm = "example.com";
server = ipa_server;
basedn = "dc=example,dc=com";
certificate = pkgs.fetchurl {
url = "http://${ipa_server}/ipa/config/ca.crt";
hash = "sha256-m3X3o834ywjqDA9cE/u5vzlN7hgSk9Oc4PrYtsLf4z4=";
};
};
systemd.services = {
init-sssd = {
before = ["sssd.service"];
wantedBy = ["sssd.service"];
script = ''
if ! ${pkgs.krb5}/bin/kinit -V -v -kt /var/lib/ipa-tuura/krb5.keytab; then
echo Joining to the domain
cat /var/lib/ipa-tuura/admin_password | ${pkgs.krb5}/bin/kinit -V admin@example.com
/run/current-system/sw/bin/ipa-join -d -f -k /etc/krb5.keytab
mv /etc/krb5.keytab /var/lib/ipa-tuura/
ln -s /var/lib/ipa-tuura/krb5.keytab /etc/
systemctl restart sssd.service
else
ln -s /var/lib/ipa-tuura/krb5.keytab /etc/
systemctl restart sssd.service
fi
'';
};
ipa-tuura-migrations = {
wantedBy = ["sssd.service" "ipa-tuura.service"];
environment = {
PYTHONPATH = ipa-tuura-pkg.pythonPath;
};
serviceConfig = {
ExecStart = ''
${ipa-tuura-pkg}/bin/ipa-tuura migrate
'';
};
};
ipa-tuura = {
description = "ipa-tuura service";
after = ["ipa-tuura-migrations.service" "init-sssd.service"];
wantedBy = ["sssd.service"];
environment = {
PYTHONPATH = ipa-tuura-pkg.pythonPath;
};
serviceConfig = {
Restart = "on-failure";
ExecStart = ''
${ipa-tuura-pkg}/bin/ipa-tuura runserver 0.0.0.0:80
'';
};
};
};
networking.firewall.allowedTCPPorts = [80];
networking.domain = domain;
networking.hostName = "ipa-tuura";
# networking.firewall.enable = true;
# workaround to get fqdn to work
services.nscd.enableNsncd = false;
environment.systemPackages = [ipa-tuura-pkg];
environment.etc = {
"resolv.conf".text = ''
nameserver ${nameserver}
'';
};
system.stateVersion = "22.11"; # Did you read the comment?
};
};
};
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment