# NixOS module: Heimdal backend for services.kerberos_server.
# Renders kdc.conf (with per-realm kadmind ACL files) from cfg.settings and
# defines the kadmind, kdc and kpasswdd units. Only active when the selected
# security.krb5.package reports the "heimdal" implementation.
{
  pkgs,
  config,
  lib,
  ...
}:

let
  inherit (lib) mapAttrs;
  cfg = config.services.kerberos_server;
  # The Kerberos implementation selected system-wide; also provides the daemons.
  package = config.security.krb5.package;

  # One `[kdc] database` entry per configured realm. Each realm's `acl` list is
  # rendered into a kadmind ACL file: one entry per line, fields tab-separated,
  # principal / comma-joined access rights / optional target.
  # NOTE(review): values are interpolated verbatim; a principal or target
  # containing a tab or newline would be misparsed as extra fields/entries.
  # NOTE(review): `cfg.settings.realms` is used without an `or { }` fallback
  # here but with one in finalConfig below — confirm the option has a default.
  aclConfigs = lib.pipe cfg.settings.realms [
    (mapAttrs (
      name:
      { acl, ... }:
      lib.concatMapStringsSep "\n" (
        {
          principal,
          access,
          target,
          ...
        }:
        # `access` may be a single string or a list; both become "a,b,c".
        # The target column is omitted when it is the wildcard or empty.
        if target != "*" && target != "" then
          "${principal}\t${lib.concatStringsSep "," (lib.toList access)}\t${target}"
        else
          "${principal}\t${lib.concatStringsSep "," (lib.toList access)}"
      ) acl
    ))
    (lib.mapAttrsToList (
      name: text: {
        # NOTE(review): every realm points at the same dbname and no `realm`
        # attribute is emitted per database entry — with more than one realm
        # the mapping from realm to database is not expressed here; confirm
        # against kdc.conf(5) semantics for multi-realm setups.
        dbname = "/var/lib/heimdal/heimdal";
        # ACL file lives in the Nix store (world-readable); it holds only
        # principal names and rights, no secrets.
        acl_file = pkgs.writeText "${name}.acl" text;
      }
    ))
  ];

  # The effective kdc.conf attrset: `acl` is stripped from each realm (it is not
  # a kdc.conf key) and the generated database entries replace any
  # user-supplied `kdc.database`.
  # NOTE(review): this file is rendered into the store and linked from /etc, so
  # cfg.settings should not carry secrets.
  finalConfig = cfg.settings // {
    realms = mapAttrs (_: v: removeAttrs v [ "acl" ]) (cfg.settings.realms or { });
    kdc = (cfg.settings.kdc or { }) // {
      database = aclConfigs;
    };
  };

  # Shared krb5/kdc.conf renderer; enableKdcACLEntries teaches it the
  # `[kdc] database = { acl_file = ...; }` block shape used above.
  format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } {
    enableKdcACLEntries = true;
  };

  kdcConfFile = format.generate "kdc.conf" finalConfig;
in

{
  config = lib.mkIf (cfg.enable && package.passthru.implementation == "heimdal") {
    environment.etc."heimdal-kdc/kdc.conf".source = kdcConfFile;

    # Pre-create each distinct dbname path as a root-only (0700) directory.
    # NOTE(review): the `d` rule targets the dbname path itself; if the hdb
    # backend treats dbname as a file prefix rather than a directory, the
    # intended target may be its parent — confirm against the backend in use.
    systemd.tmpfiles.settings."10-heimdal" =
      let
        databases = lib.pipe finalConfig.kdc.database [
          (map (dbAttrs: dbAttrs.dbname or null))
          (lib.filter (x: x != null))
          lib.unique
        ];
      in
      lib.genAttrs databases (_: {
        d = {
          user = "root";
          group = "root";
          mode = "0700";
        };
      });

    # All three daemons below run as root (no User=/DynamicUser=) with only
    # StateDirectory set; no systemd sandboxing directives are applied here.
    # Each restarts when the rendered kdc.conf changes.
    systemd.services.kadmind = {
      description = "Kerberos Administration Daemon";
      partOf = [ "kerberos-server.target" ];
      wantedBy = [ "kerberos-server.target" ];
      documentation = [
        "man:kadmind(8)"
        "info:heimdal"
      ];
      serviceConfig = {
        ExecStart = "${package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
        Slice = "system-kerberos-server.slice";
        StateDirectory = "heimdal";
      };
      restartTriggers = [ kdcConfFile ];
    };

    systemd.services.kdc = {
      description = "Key Distribution Center daemon";
      partOf = [ "kerberos-server.target" ];
      wantedBy = [ "kerberos-server.target" ];
      documentation = [
        "man:kdc(8)"
        "info:heimdal"
      ];
      serviceConfig = {
        ExecStart = "${package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
        Slice = "system-kerberos-server.slice";
        StateDirectory = "heimdal";
      };
      restartTriggers = [ kdcConfFile ];
    };

    systemd.services.kpasswdd = {
      description = "Kerberos Password Changing daemon";
      partOf = [ "kerberos-server.target" ];
      wantedBy = [ "kerberos-server.target" ];
      documentation = [
        "man:kpasswdd(8)"
        "info:heimdal"
      ];
      serviceConfig = {
        # NOTE(review): unlike kadmind/kdc, no --config-file is passed, yet the
        # unit is restarted on kdc.conf changes — confirm kpasswdd picks up the
        # configured dbname (/var/lib/heimdal/heimdal) through its defaults.
        ExecStart = "${package}/libexec/kpasswdd";
        Slice = "system-kerberos-server.slice";
        StateDirectory = "heimdal";
      };
      restartTriggers = [ kdcConfFile ];
    };
  };
}