path: root/nixos/tests/krb5/example-config.nix
# Verifies that the configuration suggested in (non-deprecated) example values
# will result in the expected output.

import ../make-test-python.nix ({ pkgs, ... }:
let
  # Every [logging] entry in this example uses the same destination.
  syslogNotice = "SYSLOG:NOTICE";

  # Byte-exact rendering expected at /etc/krb5.conf for the settings below.
  # As the text shows, sections and keys come out in alphabetical order, a
  # list value becomes one `key = value` line per element, and the
  # include/includedir directives are emitted last. The test compares with
  # `diff`, so any change in the generator's output makes it fail.
  expectedConf = pkgs.writeText "krb5-with-example-config.conf" ''
    [appdefaults]
      pam = {
        debug = false
        initial_timeout = 1
        max_timeout = 30
        renew_lifetime = 36000
        ticket_lifetime = 36000
        timeout_shift = 2
      }

    [capaths]
      ATHENA.MIT.EDU = {
        EXAMPLE.COM = .
      }
      EXAMPLE.COM = {
        ATHENA.MIT.EDU = .
      }

    [domain_realm]
      .example.com = EXAMPLE.COM
      example.com = EXAMPLE.COM

    [libdefaults]
      default_realm = ATHENA.MIT.EDU

    [logging]
      admin_server = SYSLOG:NOTICE
      default = SYSLOG:NOTICE
      kdc = SYSLOG:NOTICE

    [plugins]
      ccselect = {
        disable = k5identity
      }

    [realms]
      ATHENA.MIT.EDU = {
        admin_server = athena.mit.edu
        kdc = athena01.mit.edu
        kdc = athena02.mit.edu
      }

    include /etc/krb5-extra.conf
    includedir /etc/krb5.conf.d
  '';
in
{
  name = "krb5-with-example-config";
  meta.maintainers = with pkgs.lib.maintainers; [ eqyiel dblsaiko ];

  # Single VM carrying the Kerberos client configuration under test. The
  # attributes of `settings` are listed in the order they are rendered.
  nodes.machine = { pkgs, ... }: {
    security.krb5.enable = true;
    security.krb5.package = pkgs.krb5;
    security.krb5.settings = {
      appdefaults.pam = {
        debug = false;
        initial_timeout = 1;
        max_timeout = 30;
        renew_lifetime = 36000;
        ticket_lifetime = 36000;
        timeout_shift = 2;
      };

      # "." as the value declares a direct cross-realm path between the two
      # realms, with no intermediate realm.
      capaths = {
        "ATHENA.MIT.EDU"."EXAMPLE.COM" = ".";
        "EXAMPLE.COM"."ATHENA.MIT.EDU" = ".";
      };

      # The leading-dot key covers hosts below the domain; the bare key
      # covers the host with exactly that name.
      domain_realm = {
        ".example.com" = "EXAMPLE.COM";
        "example.com" = "EXAMPLE.COM";
      };

      libdefaults.default_realm = "ATHENA.MIT.EDU";

      logging = {
        admin_server = syslogNotice;
        default = syslogNotice;
        kdc = syslogNotice;
      };

      # Turns off the k5identity credential-cache selection module.
      plugins.ccselect.disable = "k5identity";

      realms."ATHENA.MIT.EDU" = {
        admin_server = "athena.mit.edu";
        kdc = [
          "athena01.mit.edu"
          "athena02.mit.edu"
        ];
      };

      # Both directives make the Kerberos library read further configuration
      # from these paths, so whoever can write to them can change realm and
      # KDC settings; on a real host they should be writable by root only.
      include = [ "/etc/krb5-extra.conf" ];
      includedir = [ "/etc/krb5.conf.d" ];
    };
  };

  # Only the generated file is checked; the script makes no attempt to reach
  # a KDC.
  testScript = ''
    machine.succeed(
        "diff /etc/krb5.conf ${expectedConf}"
    )
  '';
})