diff options
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/ipa.nix | 4 | ||||
-rw-r--r-- | nixos/modules/security/krb5/default.nix | 86 | ||||
-rw-r--r-- | nixos/modules/security/krb5/krb5-conf-format.nix | 88 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 6 |
4 files changed, 179 insertions, 5 deletions
diff --git a/nixos/modules/security/ipa.nix b/nixos/modules/security/ipa.nix index 69a670cd5e4a3..df59d1e754140 100644 --- a/nixos/modules/security/ipa.nix +++ b/nixos/modules/security/ipa.nix @@ -117,8 +117,8 @@ in { config = mkIf cfg.enable { assertions = [ { - assertion = !config.krb5.enable; - message = "krb5 must be disabled through `krb5.enable` for FreeIPA integration to work."; + assertion = !config.security.krb5.enable; + message = "krb5 must be disabled through `security.krb5.enable` for FreeIPA integration to work."; } { assertion = !config.users.ldap.enable; diff --git a/nixos/modules/security/krb5/default.nix b/nixos/modules/security/krb5/default.nix new file mode 100644 index 0000000000000..5f0cfe3e23b0a --- /dev/null +++ b/nixos/modules/security/krb5/default.nix @@ -0,0 +1,86 @@ +{ config, lib, pkgs, ... }: +let + inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule; + inherit (lib.types) bool; + + mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason; + mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name '' + The option `krb5.${name}' has been removed. Use + `security.krb5.settings.${name}' for structured configuration. + ''; + + cfg = config.security.krb5; + format = import ./krb5-conf-format.nix { inherit pkgs lib; } { }; +in { + imports = [ + (mkRemovedOptionModuleCfg "libdefaults") + (mkRemovedOptionModuleCfg "realms") + (mkRemovedOptionModuleCfg "domain_realm") + (mkRemovedOptionModuleCfg "capaths") + (mkRemovedOptionModuleCfg "appdefaults") + (mkRemovedOptionModuleCfg "plugins") + (mkRemovedOptionModuleCfg "config") + (mkRemovedOptionModuleCfg "extraConfig") + (mkRemovedOptionModule' "kerberos" '' + The option `krb5.kerberos' has been moved to `security.krb5.package'. + '') + ]; + + options = { + security.krb5 = { + enable = mkOption { + default = false; + description = mdDoc "Enable and configure Kerberos utilities"; + type = bool; + }; + + package = mkPackageOption pkgs "krb5" { + example = "heimdal"; + }; + + settings = mkOption { + default = { }; + type = format.type; + description = mdDoc '' + Structured contents of the {file}`krb5.conf` file. See + {manpage}`krb5.conf(5)` for details about configuration. + ''; + example = { + include = [ "/run/secrets/secret-krb5.conf" ]; + includedir = [ "/run/secrets/secret-krb5.conf.d" ]; + + libdefaults = { + default_realm = "ATHENA.MIT.EDU"; + }; + + realms = { + "ATHENA.MIT.EDU" = { + admin_server = "athena.mit.edu"; + kdc = [ + "athena01.mit.edu" + "athena02.mit.edu" + ]; + }; + }; + + domain_realm = { + "mit.edu" = "ATHENA.MIT.EDU"; + }; + + logging = { + kdc = "SYSLOG:NOTICE"; + admin_server = "SYSLOG:NOTICE"; + default = "SYSLOG:NOTICE"; + }; + }; + }; + }; + }; + + config = mkIf cfg.enable { + environment = { + systemPackages = [ cfg.package ]; + etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings; + }; + }; +} diff --git a/nixos/modules/security/krb5/krb5-conf-format.nix b/nixos/modules/security/krb5/krb5-conf-format.nix new file mode 100644 index 0000000000000..d01e47a40be05 --- /dev/null +++ b/nixos/modules/security/krb5/krb5-conf-format.nix @@ -0,0 +1,88 @@ +{ pkgs, lib, ... }: + +# Based on +# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html +# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html + +let + inherit (lib) boolToString concatMapStringsSep concatStringsSep filter + isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString; + inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path + str submodule; +in +{ }: { + type = let + section = attrsOf relation; + relation = either (attrsOf value) value; + value = either (listOf atom) atom; + atom = oneOf [int str bool]; + in submodule { + freeformType = attrsOf section; + options = { + include = mkOption { + default = [ ]; + description = mdDoc '' + Files to include in the Kerberos configuration. + ''; + type = coercedTo path singleton (listOf path); + }; + includedir = mkOption { + default = [ ]; + description = mdDoc '' + Directories containing files to include in the Kerberos configuration. + ''; + type = coercedTo path singleton (listOf path); + }; + module = mkOption { + default = [ ]; + description = mdDoc '' + Modules to obtain Kerberos configuration from. + ''; + type = coercedTo path singleton (listOf path); + }; + }; + }; + + generate = let + indent = str: concatMapStringsSep "\n" (line: " " + line) (splitString "\n" str); + + formatToplevel = args @ { + include ? [ ], + includedir ? [ ], + module ? [ ], + ... + }: let + sections = removeAttrs args [ "include" "includedir" "module" ]; + in concatStringsSep "\n" (filter (x: x != "") [ + (concatStringsSep "\n" (mapAttrsToList formatSection sections)) + (concatMapStringsSep "\n" (m: "module ${m}") module) + (concatMapStringsSep "\n" (i: "include ${i}") include) + (concatMapStringsSep "\n" (i: "includedir ${i}") includedir) + ]); + + formatSection = name: section: '' + [${name}] + ${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))} + ''; + + formatRelation = name: relation: + if isAttrs relation + then '' + ${name} = { + ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))} + }'' + else formatValue name relation; + + formatValue = name: value: + if isList value + then concatMapStringsSep "\n" (formatAtom name) value + else formatAtom name value; + + formatAtom = name: atom: let + v = if isBool atom then boolToString atom else toString atom; + in "${name} = ${v}"; + in + name: value: pkgs.writeText name '' + ${formatToplevel value} + ''; +} diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index c99615d5a6362..b5e5dcb24426a 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -1067,8 +1067,8 @@ in security.pam.krb5 = { enable = mkOption { - default = config.krb5.enable; - defaultText = literalExpression "config.krb5.enable"; + default = config.security.krb5.enable; + defaultText = literalExpression "config.security.krb5.enable"; type = types.bool; description = lib.mdDoc '' Enables Kerberos PAM modules (`pam-krb5`, @@ -1076,7 +1076,7 @@ in If set, users can authenticate with their Kerberos password. This requires a valid Kerberos configuration - (`config.krb5.enable` should be set to + (`config.security.krb5.enable` should be set to `true`). Note that the Kerberos PAM modules are not necessary when using SSS |