From e93ccda88728ca2269cd937cfeab127f0b69faee Mon Sep 17 00:00:00 2001
From: Benjamin Staffin
Date: Sat, 22 Jun 2024 11:29:54 -0400
Subject: [PATCH] nixos/ipa: Make ipa_hostname configurable (#321588)
Some sites put hosts in domains outside of the IPA server's default domain, so this needs to be user-configurable. The default is to use the system's FQDN if it is configured, otherwise fallback to the previous default behaviour of assuming the IPA's server's domain.
---
 nixos/doc/manual/release-notes/rl-2411.section.md | 4 ++++
 nixos/modules/security/ipa.nix | 14 +++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index 2cbcf3a7e572..2de4cf4d08af 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -40,6 +40,10 @@
 - `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` flavors (e.g. `programs.ssh.package = pkgs.openssh_gssapi`).
+- `security.ipa.ipaHostname` now defaults to the value of `networking.fqdn` if
+ it is set, instead of the previous hardcoded default of
+ `${networking.hostName}.${security.ipa.domain}`.
+
 - `nvimpager` was updated to version 0.13.0, which changes the order of user and nvimpager settings: user commands in `-c` and `--cmd` now override the respective default settings because they are executed later.
diff --git a/nixos/modules/security/ipa.nix b/nixos/modules/security/ipa.nix
index 543b1abfa672..b160d0bc23ef 100644
--- a/nixos/modules/security/ipa.nix
+++ b/nixos/modules/security/ipa.nix
@@ -85,6 +85,18 @@ in {
 description = "Whether to cache credentials.";
 };
+ ipaHostname = mkOption {
+ type = types.str;
+ example = "myworkstation.example.com";
+ default = if config.networking.domain != null then config.networking.fqdn
+ else "${config.networking.hostName}.${cfg.domain}";
+ defaultText = literalExpression ''
+ if config.networking.domain != null then config.networking.fqdn
+ else "''${networking.hostName}.''${security.ipa.domain}"
+ '';
+ description = "Fully-qualified hostname used to identify this host in the IPA domain.";
+ };
+
 ifpAllowedUids = mkOption {
 type = types.listOf types.str;
 default = ["root"];
@@ -218,7 +230,7 @@ in {
 ipa_domain = ${cfg.domain}
 ipa_server = _srv_, ${cfg.server}
- ipa_hostname = ${config.networking.hostName}.${cfg.domain}
+ ipa_hostname = ${cfg.ipaHostname}
 cache_credentials = ${pyBool cfg.cacheCredentials}
 krb5_store_password_if_offline = ${pyBool cfg.offlinePasswords}
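Review bot: The new `ipaHostname` option's description does not say that the value has to match the host principal in the keytab this machine was enrolled with (`host/<fqdn>@REALM`), which, as far as I know, is the name SSSD's IPA provider authenticates to the server under; with the new default, a host whose `networking.domain` differs from `security.ipa.domain` will present a different name after upgrading than the one it was enrolled under, and the release note only mentions the default change. I'd extend the description with `Must be fully qualified and must match the host principal in this machine's IPA keytab; changing it on an already-enrolled host generally requires re-enrolling.` The option is a bare `types.str` with no check that the value is non-empty or fully qualified, and in the second hunk it is interpolated verbatim into sssd.conf, so a value containing a newline would turn into additional configuration lines; the value is administrator-controlled, so the risk is low, but that constraint belongs in the description too. The enclosing options set and the sssd.conf template both continue outside these hunks.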