Diffstat (limited to 'nixos/modules/services/system/kerberos/default.nix')
-rw-r--r-- | nixos/modules/services/system/kerberos/default.nix | 84 |
1 files changed, 34 insertions, 50 deletions
diff --git a/nixos/modules/services/system/kerberos/default.nix b/nixos/modules/services/system/kerberos/default.nix
index 7fe970c9609a9..34c7c6c84f865 100644
--- a/nixos/modules/services/system/kerberos/default.nix
+++ b/nixos/modules/services/system/kerberos/default.nix
@@ -1,75 +1,59 @@
-{config, lib, ...}:
+{ config, pkgs, lib, ... }:
 let
- inherit (lib) mkOption mkIf types length attrNames;
+ inherit (lib) mkOption types;
 cfg = config.services.kerberos_server;
- kerberos = config.security.krb5.package;
+ inherit (config.security.krb5) package;
- aclEntry = {
- options = {
- principal = mkOption {
- type = types.str;
- description = "Which principal the rule applies to";
- };
- access = mkOption {
- type = types.either
- (types.listOf (types.enum ["add" "cpw" "delete" "get" "list" "modify"]))
- (types.enum ["all"]);
- default = "all";
- description = "The changes the principal is allowed to make.";
- };
- target = mkOption {
- type = types.str;
- default = "*";
- description = "The principals that 'access' applies to.";
- };
- };
- };
-
- realm = {
- options = {
- acl = mkOption {
- type = types.listOf (types.submodule aclEntry);
- default = [
- { principal = "*/admin"; access = "all"; }
- { principal = "admin"; access = "all"; }
- ];
- description = ''
- The privileges granted to a user.
- '';
- };
- };
- };
+ format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } { enableKdcACLEntries = true; };
 in
 {
 imports = [
+ (lib.mkRenamedOptionModule [ "services" "kerberos_server" "realms" ] [ "services" "kerberos_server" "settings" "realms" ])
+
 ./mit.nix
 ./heimdal.nix
 ];
- ###### interface
 options = {
 services.kerberos_server = {
 enable = lib.mkEnableOption "the kerberos authentication server";
- realms = mkOption {
- type = types.attrsOf (types.submodule realm);
+ settings = mkOption {
+ type = format.type;
 description = ''
- The realm(s) to serve keys for.
+ Settings for the kerberos server of choice.
+
+ See the following documentation:
+ - Heimdal: {manpage}`kdc.conf(5)`
+ - MIT Kerberos: <https://web.mit.edu/kerberos/krb5-1.21/doc/admin/conf_files/kdc_conf.html>
 '';
+ default = { };
 };
 };
 };
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = [ package ];
+ assertions = [
+ {
+ assertion = cfg.settings.realms != { };
+ message = "The server needs at least one realm";
+ }
+ {
+ assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1;
+ message = "Only one realm per server is currently supported.";
+ }
+ ];
+
+ systemd.slices.system-kerberos-server = { };
+ systemd.targets.kerberos-server = {
+ wantedBy = [ "multi-user.target" ];
+ };
+ };
- ###### implementation
-
- config = mkIf cfg.enable {
- environment.systemPackages = [ kerberos ];
- assertions = [{
- assertion = length (attrNames cfg.realms) <= 1;
- message = "Only one realm per server is currently supported.";
- }];
+ meta = {
+ doc = ./kerberos-server.md;
 };
 } |
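Review bot: The new `settings` option description says nothing about what replaces the removed per-realm `acl` default (`*/admin` and `admin` with access `all`), even though that default decided who may administer the KDC; the ACL handling now lives in krb5-conf-format.nix behind `enableKdcACLEntries = true`, which is outside this hunk, so a reader of this module cannot tell whether an equivalent grant is still applied or must now be set explicitly. I would extend the description with a sentence such as `ACL entries for a realm are configured under settings.realms.<name>.acl; see the krb5 config format module for the accepted entry shape and defaults.` and add an `example` attribute showing one realm with an explicit admin ACL. Since the renamed-option module maps the old `realms` attrset onto `settings.realms`, the description should also state whether the old `{ principal; access; target; }` entries are accepted unchanged, because an ACL that is silently dropped or widened during migration changes who can perform kadmin operations. The non-empty check `cfg.settings.realms != { }` presumably relies on `format.type` giving `realms` an attrset default; worth confirming, as a missing attribute would turn the assertion into an evaluation error rather than the intended message.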