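{
  config,
  pkgs,
  lib,
  ...
}:

# NixOS module for a Kerberos KDC.  This file only declares the
# implementation-independent options and sanity assertions; the actual
# service definitions live in ./mit.nix and ./heimdal.nix.
let
  inherit (lib) mkOption;
  cfg = config.services.kerberos_server;
  # Reuse the Kerberos implementation chosen through security.krb5.package
  # instead of declaring a second package option here.
  inherit (config.security.krb5) package;

  # Shared krb5-style config generator.  enableKdcACLEntries presumably
  # switches on the per-realm `acl` option that the assertions below read
  # (r.acl) — verify against krb5-conf-format.nix.
  format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } {
    enableKdcACLEntries = true;
  };
in

{
  imports = [
    # `realms` used to be a top-level option; it now lives under `settings`.
    (lib.mkRenamedOptionModule
      [ "services" "kerberos_server" "realms" ]
      [ "services" "kerberos_server" "settings" "realms" ]
    )

    ./mit.nix
    ./heimdal.nix
  ];

  options = {
    services.kerberos_server = {
      enable = lib.mkEnableOption "the kerberos authentication server";

      settings = mkOption {
        type = format.type;
        description = ''
          Settings for the kerberos server of choice.

          See the following documentation:
          - Heimdal: {manpage}`kdc.conf(5)`
          - MIT Kerberos: <https://web.mit.edu/kerberos/krb5-1.21/doc/admin/conf_files/kdc_conf.html>
        '';
        default = { };
      };
    };
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ package ];
    assertions = [
      # A KDC with no realm has nothing to serve; fail the build early.
      {
        assertion = cfg.settings.realms != { };
        message = "The server needs at least one realm";
      }
      # Serving several realms from one KDC is not wired up; reject the
      # configuration instead of silently using only one of them.
      {
        assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1;
        message = "Only one realm per server is currently supported.";
      }
      # ACL sanity: an access list that contains "all" may hold at most one
      # additional permission, and that permission must be "get-keys".
      # Every other combination with "all" is rejected.
      {
        assertion =
          let
            inherit (lib)
              all
              attrValues
              concatMap
              elem
              length
              ;
            # Flatten every ACL entry of every realm into its `access` list.
            accesses = concatMap (r: map (a: a.access) r.acl) (attrValues cfg.settings.realms);
            isSane =
              access: !elem "all" access || length access <= 1 || (length access <= 2 && elem "get-keys" access);
          in
          all isSane accesses;
        message = "Cannot specify \"all\" in a list with additional permissions other than \"get-keys\"";
      }
    ];

    # Common slice and target shared by the MIT and Heimdal service units.
    systemd.slices.system-kerberos-server = { };
    systemd.targets.kerberos-server = {
      wantedBy = [ "multi-user.target" ];
    };
  };

  meta = {
    doc = ./kerberos-server.md;
  };
}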