Moved domain config

Update secrets
2025-06-08 03:04:14 +02:00 · 2025-06-08 03:04:00 +02:00
4 changed files with 75 additions and 14 deletions
--- a/flake.lock
+++ b/flake.lock
@ -161,11 +161,11 @@
    },
    "secrets": {
      "locked": {
-        "lastModified": 1749332102,
+        "lastModified": 1749344539,
-        "narHash": "sha256-64n0gavIbrMXF4OJJMCLQ9YIZh14Nk95nXd8dz0Hb9I=",
+        "narHash": "sha256-DeiiLB9cl/DftwhEWxgdwNbTlMAPj10SkjJAZC6BZvI=",
        "ref": "refs/heads/main",
-        "rev": "2f57d921b9fd90a6807102ad305844a6402131ac",
+        "rev": "48050bddb5c566acfca602ace655fb251f39b8fc",
-        "revCount": 10,
+        "revCount": 12,
        "type": "git",
        "url": "ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets"
      },
--- a/hosts/vm-oddjob/configuration.nix
+++ b/hosts/vm-oddjob/configuration.nix
@ -19,16 +19,6 @@
  };
  # Setup NAS backups
  # TODO: Move kerberos setup to general module
  security.krb5 = {
    enable = true;
    settings = {
      libdefaults = {
        rdns = false;
      };
      realms = (inputs.secrets.lab.krb5Realm);
    };
  };
  environment.systemPackages = with pkgs; [
    cifs-utils
    samba
--- a/modules/nixos/domain.nix
+++ b/modules/nixos/domain.nix
@ -0,0 +1,58 @@
 {
  inputs,
  lib,
  pkgs,
  config,
  ...
 }:
 with lib;
 let
  cfg = config.modules.domain;
  domain = inputs.secrets.lab.domain;
  domainUpper = lib.strings.toUpper domain;
 in
 {
  options.modules.domain = {
    enable = mkEnableOption "Domain Integration";
    join = {
      userFile = mkOption {
        type = types.str;
        description = "File containing the user used to join the computer.";
      };
      passwordFile = mkOption {
        type = types.str;
        description = "File containing the password for the join user.";
      };
      domainOUFile = mkOption {
        type = types.str;
        description = "The OU to join the computer to.";
      };
    };
  };
  config = mkIf cfg.enable {
    # Set network domain
    networking.domain = domain;
    networking.search = [ domain ];
    # Automatically join the domain
    systemd.services.adcli-join = {
      description = "Automatically join the domain";
      wantedBy = [ "default.target" ];
      after = [
        "network.target"
      ];
      serviceConfig = {
        type = "oneshot";
      };
      script = ''
        ADCLI_JOIN_USER=$(cat ${cfg.join.userFile})
        ADCLI_JOIN_OU=$(cat ${cfg.join.domainOUFile})
        ${pkgs.adcli}/bin/adcli join -D ${domain} \
          -U $ADCLI_JOIN_USER \
          -O $ADCLI_JOIN_OU < ${cfg.join.passwordFile}
      '';
    };
  };
 }
--- a/profiles/nixos/vm.nix
+++ b/profiles/nixos/vm.nix
@ -29,9 +29,22 @@ in
          zfs rollback -r tank/root@blank
        '';
      };
      domain = {
        enable = true;
        join = {
          userFile = config.sops.secrets."vm-join/user".path;
          passwordFile = config.sops.secrets."vm-join/password".path;
          domainOUFile = config.sops.secrets."vm-join/ou".path;
        };
      };
      ssh.enable = true;
    };
    # Initialize domain join secrets
    sops.secrets."vm-join/user" = { };
    sops.secrets."vm-join/password" = { };
    sops.secrets."vm-join/ou" = { };
    # Autologin to root for access from hypervisor
    services.getty.autologinUser = "root";
Author	SHA1	Message	Date
Jan-Bulthuis	cc75c95ad4	Moved domain config	2025-06-08 03:04:14 +02:00
Jan-Bulthuis	a321251b93	Update secrets	2025-06-08 03:04:00 +02:00