path: root/nixos/modules/services/system/kerberos/mit.nix
{ pkgs, config, lib, ... } :

# MIT Kerberos (krb5) flavour of services.kerberos_server.  Renders kdc.conf
# and one kadm5 ACL file per realm into the Nix store, exposes kdc.conf under
# /etc/krb5kdc, and runs kadmind and krb5kdc as systemd services grouped
# under kerberos-server.target.  Only active when the configured krb5
# package identifies itself as the "krb5" implementation (see mkIf below).
let
  inherit (lib) mapAttrs;

  cfg = config.services.kerberos_server;
  package = config.security.krb5.package;

  # krb5kdc writes its PID here (-P) and systemd reads it back because the
  # kdc unit is Type = "forking".
  PIDFile = "/run/kdc.pid";

  # Shared krb5.conf/kdc.conf renderer from the krb5 module; the
  # enableKdcACLEntries flag is what lets it accept the per-realm acl_file
  # entries assembled below.
  format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } { enableKdcACLEntries = true; };

  # Symbolic access names used by the module options -> single-letter
  # permission codes understood in MIT's kadm5.acl file.
  aclMap = {
    add = "a"; cpw = "c"; delete = "d"; get = "i"; list = "l"; modify = "m";
    all = "*";
  };

  # Realms to configure; an absent `realms` attribute means "none".
  realms = cfg.settings.realms or { };

  # One kadm5.acl line per entry: "<principal> <codes> <target>".
  # `access` may be a single name or a list; an unknown name is an
  # attribute-lookup failure in aclMap, i.e. a hard evaluation error rather
  # than a silently weaker ACL.
  renderAclLine = { principal, access, target, ... }:
    let
      codes = lib.concatStrings (map (a: aclMap.${a}) (lib.toList access));
    in
    "${principal} ${codes} ${target}";

  renderAclFile = lib.concatMapStringsSep "\n" renderAclLine;

  # { <realm> = { acl_file = <store path>; }; } for every realm.  The ACL
  # file ends up in the world-readable Nix store; the rendered lines carry
  # principals and permissions only, no key material, so that is acceptable.
  aclConfigs = mapAttrs (name: { acl, ... }: {
    acl_file = pkgs.writeText "${name}.acl" (renderAclFile acl);
  }) realms;

  # cfg.settings with each realm's module-level `acl` list swapped for the
  # acl_file reference that kdc.conf actually understands.
  finalConfig = cfg.settings // {
    realms = mapAttrs (name: realm: (removeAttrs realm [ "acl" ]) // aclConfigs.${name}) realms;
  };

  kdcConfFile = format.generate "kdc.conf" finalConfig;

  env = {
    # What Debian uses, could possibly link directly to Nix store?
    KRB5_KDC_PROFILE = "/etc/krb5kdc/kdc.conf";
  };

  # Settings shared by both daemons: grouped under kerberos-server.target,
  # restarted whenever the rendered kdc.conf changes, and given the same
  # profile variable as the rest of the system.
  commonService = {
    partOf = [ "kerberos-server.target" ];
    wantedBy = [ "kerberos-server.target" ];
    restartTriggers = [ kdcConfFile ];
    environment = env;
  };

  # NOTE(review): no User=, DynamicUser= or sandboxing directives are set
  # here, so both daemons run under systemd's defaults (root).  Any hardening
  # added later has to keep StateDirectory writable (presumably where the KDC
  # database lives -- confirm against the kdc.conf defaults).
  commonServiceConfig = {
    Slice = "system-kerberos-server.slice";
    StateDirectory = "krb5kdc";
  };
in

{
  config = lib.mkIf (cfg.enable && package.passthru.implementation == "krb5") {
    environment = {
      # Links /etc/krb5kdc/kdc.conf to the rendered store file.
      etc."krb5kdc/kdc.conf".source = kdcConfFile;
      # NOTE(review): sets KRB5_KDC_PROFILE system-wide, presumably so admin
      # tools such as kdb5_util/kadmin.local find the same kdc.conf -- confirm.
      variables = env;
    };

    systemd.services.kadmind = commonService // {
      description = "Kerberos Administration Daemon";
      serviceConfig = commonServiceConfig // {
        # -nofork keeps kadmind in the foreground for systemd's default Type=simple.
        ExecStart = "${package}/bin/kadmind -nofork";
      };
    };

    systemd.services.kdc = commonService // {
      description = "Key Distribution Center daemon";
      serviceConfig = commonServiceConfig // {
        # krb5kdc daemonises itself; -P tells it where to write the PID that
        # systemd then tracks via PIDFile.
        Type = "forking";
        PIDFile = PIDFile;
        ExecStart = "${package}/bin/krb5kdc -P ${PIDFile}";
      };
    };
  };
}