{ config, lib, ... }:

let
  # This module's own option tree and the Kerberos implementation package
  # chosen through `krb5.kerberos` (MIT or Heimdal; see the imports below).
  serverCfg = config.services.kerberos_server;
  kerberosPackage = config.krb5.kerberos;

  # Individual administrative operations an ACL rule may grant. A rule can
  # alternatively grant the wildcard "all" (see `access` below).
  aclOperations = [ "add" "cpw" "delete" "get" "list" "modify" ];

  # One administrative ACL rule: `principal` may perform `access` on `target`.
  # NOTE(review): `principal` and `target` are free-form strings; this module
  # performs no pattern validation, so their interpretation is left to the
  # backend (presumably ./mit.nix or ./heimdal.nix) -- verify there.
  aclEntryModule = {
    options = {
      principal = lib.mkOption {
        type = lib.types.str;
        description = lib.mdDoc "Which principal the rule applies to";
      };
      access = lib.mkOption {
        # Either an explicit list of operations or the single wildcard "all".
        type = lib.types.either
          (lib.types.listOf (lib.types.enum aclOperations))
          (lib.types.enum [ "all" ]);
        # The default grants every operation, not a minimal subset.
        default = "all";
        description = lib.mdDoc "The changes the principal is allowed to make.";
      };
      target = lib.mkOption {
        type = lib.types.str;
        # Default "*": the rule is not scoped to specific target principals.
        default = "*";
        description = lib.mdDoc "The principals that 'access' applies to.";
      };
    };
  };

  # Per-realm settings; currently only the administrative ACL.
  realmModule = {
    options = {
      acl = lib.mkOption {
        type = lib.types.listOf (lib.types.submodule aclEntryModule);
        # Out of the box, `*/admin` instances and the bare `admin` principal
        # receive unrestricted ("all") access with the unscoped "*" target.
        # Operators wanting least privilege should override this list.
        default = [
          { principal = "*/admin"; access = "all"; }
          { principal = "admin"; access = "all"; }
        ];
        description = lib.mdDoc ''
          The privileges granted to a user.
        '';
      };
    };
  };
in
{
  # Backend-specific implementations; this file only declares the interface
  # and the shared assertions.
  imports = [
    ./mit.nix
    ./heimdal.nix
  ];

  ###### interface
  options.services.kerberos_server = {
    enable = lib.mkEnableOption (lib.mdDoc "the kerberos authentication server");

    # No default: enabling the server requires at least declaring the realms.
    realms = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule realmModule);
      description = lib.mdDoc ''
        The realm(s) to serve keys for.
      '';
    };
  };

  ###### implementation
  config = lib.mkIf serverCfg.enable {
    environment.systemPackages = [ kerberosPackage ];
    # Reject configurations declaring more than one realm at evaluation time;
    # multi-realm servers are not supported (see the message).
    assertions = [
      {
        assertion = lib.length (lib.attrNames serverCfg.realms) <= 1;
        message = "Only one realm per server is currently supported.";
      }
    ];
  };
}