
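{
  inputs,
  lib,
  pkgs,
  config,
  ...
}:
let
  cfg = config.modules.domain;
  # The AD domain name is supplied by the private `secrets` flake input.
  domain = inputs.secrets.lab.domain;
  # The Kerberos realm is the upper-cased DNS domain (see krb5_realm below).
  domainUpper = lib.strings.toUpper domain;
in
{
  options.modules.domain = {
    enable = lib.mkEnableOption "Domain Integration";
    join = {
      # All three options name *files that are read at service runtime*, not
      # the values themselves (domainOUFile holds the OU, too). They are
      # deliberately `types.str` and not `types.path`: a `types.path` literal
      # would be copied into the world-readable Nix store, which must never
      # happen for the join credentials.
      userFile = lib.mkOption {
        type = lib.types.str;
        description = "File containing the user used to join the computer.";
      };
      passwordFile = lib.mkOption {
        type = lib.types.str;
        description = "File containing the password for the join user.";
      };
      domainOUFile = lib.mkOption {
        type = lib.types.str;
        description = "The OU to join the computer to.";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Set network domain
    networking.domain = domain;
    networking.search = [ domain ];

    # Automatically join the domain. Runs on every boot; the credential files
    # therefore have to be present on every boot, not just the first one.
    systemd.services.adcli-join = {
      description = "Automatically join the domain";
      wantedBy = [ "default.target" ];
      after = [ "network-online.target" ];
      requires = [ "network-online.target" ];
      serviceConfig = {
        # systemd unit keys are case-sensitive. The original lower-case `type`
        # was not a recognised key, so the unit ran as the default
        # Type=simple and `sssd.service` (ordered `after` this unit) could
        # start before the join had actually completed.
        Type = "oneshot";
        # Keep the unit "active" after success so a later restart of
        # sssd.service (which `requires` this unit) does not re-run the join
        # and reset the machine account again.
        RemainAfterExit = true;
      };
      # The password is fed via stdin from the file, so it never appears on
      # the command line or in the process list. Paths and values are quoted
      # so a user name / OU containing spaces stays a single argument.
      script = ''
        ADCLI_JOIN_USER=$(cat ${lib.escapeShellArg cfg.join.userFile})
        ADCLI_JOIN_OU=$(cat ${lib.escapeShellArg cfg.join.domainOUFile})
        ${pkgs.adcli}/bin/adcli join -D ${lib.escapeShellArg domain} \
          -U "$ADCLI_JOIN_USER" \
          -O "$ADCLI_JOIN_OU" \
          --stdin-password < ${lib.escapeShellArg cfg.join.passwordFile}
      '';
    };

    # Set up SSSD
    # NOTE(review): `ad_gpo_access_control = permissive` evaluates GPO logon
    # rights but never denies access on their basis; move to `enforcing` once
    # the relevant GPOs are confirmed correct for these hosts.
    services.sssd = {
      enable = true;
      config = ''
        [sssd]
        domains = ${domain}
        config_file_version = 2
        services = nss, pam, ssh
        [domain/${domain}]
        enumerate = false
        ad_domain = ${domain}
        krb5_realm = ${domainUpper}
        id_provider = ad
        auth_provider = ad
        access_provider = ad
        chpass_provider = ad
        use_fully_qualified_names = false
        ldap_id_mapping = true
        ad_gpo_access_control = permissive
        dyndns_update = true
        dyndns_refresh_interval = 3600
        dyndns_update_ptr = true
        dyndns_ttl = 3600
      '';
    };

    # sssd must not start until the machine account exists. Because of
    # `requires`, a failing join keeps sssd down — NOTE(review): confirm that
    # `adcli join` succeeds for an already-joined host, otherwise every boot
    # after the first leaves domain logins unavailable.
    systemd.services.sssd = {
      after = [ "adcli-join.service" ];
      requires = [ "adcli-join.service" ];
    };
  };
}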