qbit/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/ipa: Make ipa_hostname configurable (#321588)

Browse Source 
Some sites put hosts in domains outside of the IPA server's default
domain, so this needs to be user-configurable.  The default is to use
the system's FQDN if it is configured, otherwise fallback to the
previous default behaviour of assuming the IPA's server's domain.
This commit is contained in:
Benjamin Staffin 2024-06-22 11:29:54 -04:00 committed by GitHub
parent 7546a9d9de
commit e93ccda887
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nixos/doc/manual/release-notes/rl-2411.section.md
View File

@ -40,6 +40,10 @@
- `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can - `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can
use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` flavors (e.g. `programs.ssh.package = pkgs.openssh_gssapi`). use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` flavors (e.g. `programs.ssh.package = pkgs.openssh_gssapi`).
- `security.ipa.ipaHostname` now defaults to the value of `networking.fqdn` if
it is set, instead of the previous hardcoded default of
`${networking.hostName}.${security.ipa.domain}`.
- `nvimpager` was updated to version 0.13.0, which changes the order of user and - `nvimpager` was updated to version 0.13.0, which changes the order of user and
nvimpager settings: user commands in `-c` and `--cmd` now override the nvimpager settings: user commands in `-c` and `--cmd` now override the
respective default settings because they are executed later. respective default settings because they are executed later.

14
nixos/modules/security/ipa.nix
View File

@ -85,6 +85,18 @@ in {
description = "Whether to cache credentials."; description = "Whether to cache credentials.";
}; };
ipaHostname = mkOption {
type = types.str;
example = "myworkstation.example.com";
default = if config.networking.domain != null then config.networking.fqdn
else "${config.networking.hostName}.${cfg.domain}";
defaultText = literalExpression ''
if config.networking.domain != null then config.networking.fqdn
else "''${networking.hostName}.''${security.ipa.domain}"
'';
description = "Fully-qualified hostname used to identify this host in the IPA domain.";
};
ifpAllowedUids = mkOption { ifpAllowedUids = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = ["root"]; default = ["root"];
@ -218,7 +230,7 @@ in {
ipa_domain = ${cfg.domain} ipa_domain = ${cfg.domain}
ipa_server = _srv_, ${cfg.server} ipa_server = _srv_, ${cfg.server}
ipa_hostname = ${config.networking.hostName}.${cfg.domain} ipa_hostname = ${cfg.ipaHostname}
cache_credentials = ${pyBool cfg.cacheCredentials} cache_credentials = ${pyBool cfg.cacheCredentials}
krb5_store_password_if_offline = ${pyBool cfg.offlinePasswords} krb5_store_password_if_offline = ${pyBool cfg.offlinePasswords}