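{ pkgs, config, lib, ... } :

# MIT Kerberos backend for `services.kerberos_server`: generates kdc.conf and
# one kadm5-style ACL file per realm, and defines the `kdc` and `kadmind`
# systemd units.  Only applied when `config.krb5.kerberos` is `pkgs.krb5`.

let
  inherit (lib) mkIf concatStrings concatStringsSep concatMapStrings toList
    mapAttrs mapAttrsToList;

  cfg = config.services.kerberos_server;
  kerberos = config.krb5.kerberos;

  # Working directory of the daemons; the principal database (and presumably
  # the master-key stash, under MIT's default paths) lives here.  Only the
  # root-run daemons below need access to it.
  stateDir = "/var/lib/krb5kdc";
  PIDFile = "/run/kdc.pid";

  # Symbolic access names used in the module options -> single-letter
  # permission codes as written in a kadmind ACL file.
  aclMap = {
    add = "a"; cpw = "c"; delete = "d"; get = "i"; list = "l"; modify = "m";
    all = "*";
  };

  # realm name -> store path of that realm's ACL file.  Each entry of
  # `realms.<name>.acl` becomes one "<principal> <codes> <target>" line;
  # `access` may be a single name or a list of names.
  aclFiles = mapAttrs
    (name: {acl, ...}: (pkgs.writeText "${name}.acl" (concatMapStrings (
      {principal, access, target, ...} :
      let access_code = map (a: aclMap.${a}) (toList access); in
      "${principal} ${concatStrings access_code} ${target}\n"
    ) acl))) cfg.realms;

  # One [realms] stanza per realm, pointing the KDC at the generated ACL file.
  kdcConfigs = mapAttrsToList (name: value: ''
    ${name} = {
      acl_file = ${value}
    }
  '') aclFiles;

  kdcConfFile = pkgs.writeText "kdc.conf" ''
    [realms]
    ${concatStringsSep "\n" kdcConfigs}
  '';

  env = {
    # What Debian uses, could possibly link directly to Nix store?
    KRB5_KDC_PROFILE = "/etc/krb5kdc/kdc.conf";
  };

  # Settings shared by both daemons.
  #
  # The state directory is created 0700 rather than 0755: it holds the realm's
  # key material, so there is no reason for it to be listable by unprivileged
  # users, and both daemons run as root.  `mkdir -p` does not change the mode
  # of a directory that already exists, so this only affects fresh installs.
  commonService = {
    wantedBy = [ "multi-user.target" ];
    preStart = ''
      mkdir -m 0700 -p ${stateDir}
    '';
    # kdc.conf embeds the ACL file paths, so any ACL or realm change also
    # changes kdcConfFile and restarts the daemon.
    restartTriggers = [ kdcConfFile ];
    environment = env;
  };
in

{
  config = mkIf (cfg.enable && kerberos == pkgs.krb5) {
    systemd.services.kadmind = commonService // {
      description = "Kerberos Administration Daemon";
      serviceConfig.ExecStart = "${kerberos}/bin/kadmind -nofork";
    };

    systemd.services.kdc = commonService // {
      description = "Key Distribution Center daemon";
      serviceConfig = {
        # krb5kdc daemonizes itself; systemd tracks it through the PID file
        # passed via -P.
        Type = "forking";
        PIDFile = PIDFile;
        ExecStart = "${kerberos}/bin/krb5kdc -P ${PIDFile}";
      };
    };

    environment.etc = {
      "krb5kdc/kdc.conf".source = kdcConfFile;
    };
    # Exported system-wide so kadmin.local and friends pick up the same kdc.conf.
    environment.variables = env;
  };
}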