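# NixOS module for the Kerberos V (krb5) client.
#
# When `krb5.enable` is set this module installs `pkgs.krb5Full` and writes
# /etc/krb5.conf from the option values below plus a fixed list of realms.
# The generated file content is kept verbatim; review notes are given as Nix
# comments so the emitted krb5.conf does not change.
{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.krb5;

in

{
  ###### interface

  options = {

    krb5 = {

      # Master switch: nothing below is evaluated unless this is true.
      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable Kerberos V.";
      };

      # NOTE(review): the defaults spell "ATENA"/"atena", while the realm
      # stanzas and [domain_realm] map in the generated file use
      # ATHENA.MIT.EDU. This looks like a typo, but correcting it would
      # silently rename the default realm for existing users — confirm
      # before changing.
      defaultRealm = mkOption {
        type = types.str;
        default = "ATENA.MIT.EDU";
        description = "Default realm.";
      };

      # DNS domain mapped onto `defaultRealm` in [domain_realm]
      # (both the bare domain and its `.`-prefixed subdomain form).
      domainRealm = mkOption {
        type = types.str;
        default = "atena.mit.edu";
        description = "Default domain realm.";
      };

      # Host name (optionally host:port) of the KDC for `defaultRealm`.
      kdc = mkOption {
        type = types.str;
        default = "kerberos.mit.edu";
        description = "Key Distribution Center";
      };

      # Host name of the kadmin server for `defaultRealm`.
      kerberosAdminServer = mkOption {
        type = types.str;
        default = "kerberos.mit.edu";
        description = "Kerberos Admin Server.";
      };

    };

  };

  ###### implementation

  config = mkIf cfg.enable {

    environment.systemPackages = [ pkgs.krb5Full ];

    # Security notes on the fixed part of the generated krb5.conf:
    # - `forwardable = true` and `proxiable = true` request delegable tickets
    #   for every principal by default; a credential stolen from a client can
    #   then be forwarded to other hosts.  Operators who do not need
    #   delegation may want these off.  Left unchanged here because it alters
    #   behaviour for existing users.
    # - The commented-out enctype lists include single DES and RC4; the
    #   in-file comment already says not to uncomment them.
    # - The `krb4_convert` / `krb4_get_tickets` keys sit under [logging];
    #   in the MIT documentation they are [login] settings, so they are
    #   presumably ignored where they are — TODO confirm.
    # - If `defaultRealm` is set to a realm that also has a fixed stanza
    #   below (e.g. ATHENA.MIT.EDU), the realm appears twice in [realms];
    #   how the library merges duplicate stanzas should be verified.
    environment.etc."krb5.conf".text =
      ''
        [libdefaults]
        default_realm = ${cfg.defaultRealm}
        encrypt = true

        # The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

        # The following encryption type specification will be used by MIT Kerberos
        # if uncommented. In general, the defaults in the MIT Kerberos code are
        # correct and overriding these specifications only serves to disable new
        # encryption types as they are added, creating interoperability problems.

        # default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
        # default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
        # permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5

        # The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
          host = {
            rcmd = host
            ftp = ftp
          }
          plain = {
            something = something-else
          }
        }
        fcc-mit-ticketflags = true

        [realms]
        ${cfg.defaultRealm} = {
          kdc = ${cfg.kdc}
          admin_server = ${cfg.kerberosAdminServer}
          #kpasswd_server = ${cfg.kerberosAdminServer}
        }
        ATHENA.MIT.EDU = {
          kdc = kerberos.mit.edu:88
          kdc = kerberos-1.mit.edu:88
          kdc = kerberos-2.mit.edu:88
          admin_server = kerberos.mit.edu
          default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
          kdc = kerberos.media.mit.edu
          admin_server = kerberos.media.mit.edu
        }
        ZONE.MIT.EDU = {
          kdc = casio.mit.edu
          kdc = seiko.mit.edu
          admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
          kdc = three-headed-dogcow.mit.edu:88
          kdc = three-headed-dogcow-1.mit.edu:88
          admin_server = three-headed-dogcow.mit.edu
        }
        CSAIL.MIT.EDU = {
          kdc = kerberos-1.csail.mit.edu
          kdc = kerberos-2.csail.mit.edu
          admin_server = kerberos.csail.mit.edu
          default_domain = csail.mit.edu
          krb524_server = krb524.csail.mit.edu
        }
        IHTFP.ORG = {
          kdc = kerberos.ihtfp.org
          admin_server = kerberos.ihtfp.org
        }
        GNU.ORG = {
          kdc = kerberos.gnu.org
          kdc = kerberos-2.gnu.org
          kdc = kerberos-3.gnu.org
          admin_server = kerberos.gnu.org
        }
        1TS.ORG = {
          kdc = kerberos.1ts.org
          admin_server = kerberos.1ts.org
        }
        GRATUITOUS.ORG = {
          kdc = kerberos.gratuitous.org
          admin_server = kerberos.gratuitous.org
        }
        DOOMCOM.ORG = {
          kdc = kerberos.doomcom.org
          admin_server = kerberos.doomcom.org
        }
        ANDREW.CMU.EDU = {
          kdc = vice28.fs.andrew.cmu.edu
          kdc = vice2.fs.andrew.cmu.edu
          kdc = vice11.fs.andrew.cmu.edu
          kdc = vice12.fs.andrew.cmu.edu
          admin_server = vice28.fs.andrew.cmu.edu
          default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
          kdc = kerberos.cs.cmu.edu
          kdc = kerberos-2.srv.cs.cmu.edu
          admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
          kdc = kerberos.dementia.org
          kdc = kerberos2.dementia.org
          admin_server = kerberos.dementia.org
        }
        stanford.edu = {
          kdc = krb5auth1.stanford.edu
          kdc = krb5auth2.stanford.edu
          kdc = krb5auth3.stanford.edu
          admin_server = krb5-admin.stanford.edu
          default_domain = stanford.edu
        }

        [domain_realm]
        .${cfg.domainRealm} = ${cfg.defaultRealm}
        ${cfg.domainRealm} = ${cfg.defaultRealm}
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .exchange.mit.edu = EXCHANGE.MIT.EDU
        exchange.mit.edu = EXCHANGE.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu

        [logging]
        kdc = SYSLOG:INFO:DAEMON
        admin_server = SYSLOG:INFO:DAEMON
        default = SYSLOG:INFO:DAEMON
        krb4_convert = true
        krb4_get_tickets = false

        [appdefaults]
        pam = {
          debug = false
          ticket_lifetime = 36000
          renew_lifetime = 36000
          max_timeout = 30
          timeout_shift = 2
          initial_timeout = 1
        }
      '';

  };

}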