1{ pkgs, config, lib, ... } :
2
3let
# Library helpers used by the bindings below; `lib` itself stays in scope.
inherit (lib)
  mkIf
  concatStringsSep
  concatMapStrings
  toList
  mapAttrs
  mapAttrsToList;
# Option values for services.kerberos_server (declared elsewhere); this file
# reads only `enable` and `realms`.
cfg = config.services.kerberos_server;
# The Kerberos implementation selected system-wide. Everything below is only
# applied when it is Heimdal (see the mkIf guard on `config`).
kerberos = config.security.krb5.package;
# Directory the Heimdal database lives under (`dbname` in kdc.conf points here).
stateDir = "/var/heimdal";
# One kadmind ACL file per realm, keyed by realm name.
# Every `acl` entry becomes one line: "<principal>\t<access,...>\t<target>".
# The three fields are interpolated verbatim - a tab or newline inside one of
# them would yield extra columns or lines - so they are trusted configuration.
# writeText places the file in the Nix store, which is world-readable; that is
# acceptable here because the file holds only principal names and rights.
aclFiles = mapAttrs
  (name: realm:
    let
      aclLine = { principal, access, target, ... }:
        "${principal}\t${concatStringsSep "," (toList access)}\t${target}\n";
    in
      pkgs.writeText "${name}.acl" (concatMapStrings aclLine realm.acl))
  cfg.realms;
14
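# One `database = { ... }` stanza per realm for the [kdc] section.
# The stanza now names its realm: previously `name` was unused, so with more
# than one realm the stanzas differed only in acl_file and Heimdal's choice of
# which stanza (and therefore which ACL) serves a given realm was left to its
# lookup order. NOTE(review): confirm the `realm` key against the Heimdal
# version in use. All realms share the single database file under stateDir.
kdcConfigs = mapAttrsToList (name: aclFile: ''
  database = {
    realm = ${name}
    dbname = ${stateDir}/heimdal
    acl_file = ${aclFile}
  }
'') aclFiles;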
# The rendered kdc.conf: a single [kdc] section containing every realm's
# database stanza. It is written to the Nix store (world-readable); it carries
# only store paths and the state-dir path, no key material.
kdcConfFile =
  let
    body = builtins.concatStringsSep "\n" kdcConfigs;
  in
    pkgs.writeText "kdc.conf" ''
      [kdc]
      ${body}
    '';
25in
26
27{
# No documentation on which files should trigger a restart, so the restartTriggers below are a best guess.
29
30 config = mkIf (cfg.enable && kerberos == pkgs.heimdal) {
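systemd.services.kadmind = {
  description = "Kerberos Administration Daemon";
  wantedBy = [ "multi-user.target" ];
  # stateDir holds the Heimdal database (kdc.conf's dbname points under it).
  # No User= is set, so the daemon runs as root and nothing else needs to
  # enter the directory; 0700 stops other local users from listing or
  # traversing it. `mkdir -m` only applies the mode when it creates the
  # directory - an already existing stateDir keeps its current mode.
  preStart = ''
    mkdir -m 0700 -p ${stateDir}
  '';
  # The generated kdc.conf is installed under /etc via environment.etc and
  # passed explicitly here.
  serviceConfig.ExecStart =
    "${kerberos}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
  # Best-effort trigger: a changed kdc.conf restarts the daemon.
  restartTriggers = [ kdcConfFile ];
};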
41
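systemd.services.kdc = {
  description = "Key Distribution Center daemon";
  wantedBy = [ "multi-user.target" ];
  # stateDir holds the Heimdal database (kdc.conf's dbname points under it).
  # No User= is set, so the daemon runs as root and nothing else needs to
  # enter the directory; 0700 stops other local users from listing or
  # traversing it. `mkdir -m` only applies the mode when it creates the
  # directory - an already existing stateDir keeps its current mode.
  preStart = ''
    mkdir -m 0700 -p ${stateDir}
  '';
  # The generated kdc.conf is installed under /etc via environment.etc and
  # passed explicitly here.
  serviceConfig.ExecStart =
    "${kerberos}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
  # Best-effort trigger: a changed kdc.conf restarts the daemon.
  restartTriggers = [ kdcConfFile ];
};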
52
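systemd.services.kpasswdd = {
  description = "Kerberos Password Changing daemon";
  wantedBy = [ "multi-user.target" ];
  # stateDir holds the Heimdal database (kdc.conf's dbname points under it).
  # No User= is set, so the daemon runs as root and nothing else needs to
  # enter the directory; 0700 stops other local users from listing or
  # traversing it. `mkdir -m` only applies the mode when it creates the
  # directory - an already existing stateDir keeps its current mode.
  preStart = ''
    mkdir -m 0700 -p ${stateDir}
  '';
  # Unlike kadmind and kdc, kpasswdd is started without --config-file, so it
  # locates its configuration through Heimdal's defaults rather than the
  # generated /etc/heimdal-kdc/kdc.conf. NOTE(review): confirm this is
  # intended and that the defaults resolve to the same database.
  serviceConfig.ExecStart = "${kerberos}/libexec/kpasswdd";
  # Best-effort trigger: a changed kdc.conf restarts the daemon.
  restartTriggers = [ kdcConfFile ];
};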
62
# Expose the generated kdc.conf at a fixed path. kadmind and kdc above are
# pointed at it via --config-file; kpasswdd is started without the flag.
environment.etc."heimdal-kdc/kdc.conf".source = kdcConfFile;
67 };
68}