Opinions welcome: NixOS container server and IPA

I have a Proxmox VM container server which currently consists of:
Freeipa installed on the podman0 bridge
Mariadb and Nextcloud installed on the podman1 bridge

I hope to eventually add quite a few more containers ranging from home assistant to Gitlab.

The Freeipa and Nextcloud are both working just fine and the Nextcloud server can use LDAP to authenticate users from the Freeipa.

The problem is that I also want to share out the Freeipa data so I can access it as a normal CIFS share. I was going to just create the NixOS samba config for this, but then I realized that the container server would have to be attached to the Freeipa for this to work correctly. I have assembled the appropriate nix config for this using security.ipa, but whenever I try to build it the Freeipa container will not run. I sort of expected this chicken-and-egg problem and I have three potential solutions, but I am having difficulty selecting one:

  1. install freeipa on another nix VM as a container and limit that server to only that container
  2. install freeipa on rocky/alma/etc, but then I have to administrate said rocky/alma/etc.
  3. create a container just for handling the sharing so that the container could be joined, but the container server would not have to be (I like that this fits within the current schema)

The first question is whether anyone has a reason that I should use Freeipa directly on Rocky/Alma/etc rather than on a container on Nix. (I wish I could just set up Freeipa on NixOS, but I do not believe there is any current support for that.)
The second question is somewhat dependent on the first. If anyone else likes the idea of just having a container for sharing, then I would like to figure out the best way to do it. I could just do a NixOS container (nix-ception) and use the standard samba config, or I could go for something like a containerized version of open media vault.

I have my entire network in a Nix flake and I deploy it all from a single workstation. I really like the ability to keep a configuration managed approach to the network which is why I am so heavily into Nix for this.

Any thoughts, suggestions, even constructive opinions would be helpful.

(Edited for clarification and spelling)


Can I just serve the cifs shares from the container server’s samba by configuring samba to connect to the simulation without connecting the whole service through sssd?

I did find a way to get the ipa client to co-exist with the freeipa container. The conflict was that the ipa-container wanted to listen for ntp requests and setting up the ipa client did the same thing. If I removed the port 123 mapping, then the ipa container would start normally.

I ran into a different issue where my ipa server was not forwarding requests for any domains that it didn't control. I am not sure whether this is a result of being a container whose own container server was a client, or if I just had a bad configuration in my ipa server.

I finally decided that I was over trying to troubleshoot issues from having a non-standard configuration, so I set up a new Rocky 8 VM and I am just going to install on that.

I thought I would send an update just in case anyone else attempts this.
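For anyone reproducing the port 123 conflict described in the update above, here is an added NixOS configuration sketch (my own example, not config from the thread) that joins the host to the IPA domain with `security.ipa`, runs the FreeIPA container through `virtualisation.oci-containers` with the NTP mapping dropped, and adds a build-time assertion so the clash cannot be reintroduced by accident. The domain, realm, server name, image tag, network name and paths are constructed placeholders; `services.samba.shares` is the pre-24.11 option layout and is an assumption about which NixOS release is in use.

```nix
# Added example, not from the original thread. Assumes the NixOS
# security.ipa and virtualisation.oci-containers modules; all names
# (lab.example, podman0, image tag, paths) are constructed placeholders.
{ config, lib, pkgs, ... }:
{
  # Host-side IPA client. This brings up sssd and the module's time
  # sync, which is what contended with the container for UDP 123.
  security.ipa = {
    enable = true;
    domain = "lab.example";              # constructed
    realm = "LAB.EXAMPLE";               # constructed
    server = "ipa.lab.example";          # constructed
    basedn = "dc=lab,dc=example";        # constructed
    # CA certificate exported from the IPA server (path is a placeholder).
    certificate = pkgs.writeText "ipa-ca.crt" (builtins.readFile ./ipa-ca.crt);
  };

  virtualisation.oci-containers.backend = "podman";
  virtualisation.oci-containers.containers.freeipa = {
    image = "quay.io/freeipa/freeipa-server:rocky-9";   # constructed tag
    autoStart = true;
    volumes = [ "/var/lib/freeipa-data:/data:Z" ];       # constructed host path
    extraOptions = [
      "--network=podman0"                                # constructed bridge name
      "--hostname=ipa.lab.example"
    ];
    # Standard FreeIPA service ports. 123/udp is deliberately absent:
    # the host's own IPA client already binds NTP, and mapping it here
    # is what kept the container from starting.
    ports = [
      "53:53/tcp"  "53:53/udp"
      "80:80"      "443:443"
      "88:88/tcp"  "88:88/udp"
      "464:464/tcp" "464:464/udp"
      "389:389"    "636:636"
      # "123:123/udp"   # do NOT re-add while security.ipa.enable = true
    ];
  };

  # Fail evaluation if someone restores the NTP mapping on an IPA-joined host,
  # rather than discovering the conflict as a container that silently will not start.
  assertions = [{
    assertion = !(config.security.ipa.enable
      && builtins.any (p: lib.hasPrefix "123:" p)
           config.virtualisation.oci-containers.containers.freeipa.ports);
    message = "freeipa container maps port 123 while this host is an IPA client; drop the NTP mapping.";
  }];

  # The CIFS share the original post wanted, exposed only to the IPA admins
  # group. Uses the pre-24.11 services.samba.shares layout (assumption).
  services.samba = {
    enable = true;
    shares.ipadata = {
      path = "/var/lib/freeipa-data";
      browseable = "yes";
      "read only" = "no";
      "valid users" = "@admins";
    };
  };
}
```

The assertion is the part worth keeping even if the rest changes: it turns a runtime "container will not run" symptom into a clear message at `nixos-rebuild` time, which is the kind of check a flake-managed fleet benefits from.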