{
  pkgs,
  config,
  lib,
  ...
}:

# MIT krb5 variant of the Kerberos server module: renders kdc.conf, one
# kadm5 ACL file per realm, and the kdc / kadmind systemd units.
let
  cfg = config.services.kerberos_server;
  package = config.security.krb5.package;
  pidFile = "/run/kdc.pid";

  # kdc.conf generator. enableKdcACLEntries lets each realm carry an `acl`
  # list, which is rendered to a separate file below rather than into kdc.conf.
  format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } {
    enableKdcACLEntries = true;
  };

  # Symbolic access names -> single-letter kadm5.acl permission flags.
  # An access name not listed here fails evaluation (attribute lookup),
  # so typos cannot silently produce a permissive or empty entry.
  aclMap = {
    add = "a";
    cpw = "c";
    delete = "d";
    get-keys = "e";
    get = "i";
    list = "l";
    modify = "m";
    all = "x";
  };

  # One kadm5.acl line, "<principal> <flags> <target>".
  # `access` may be a single name or a list of names (lib.toList).
  renderAclEntry =
    {
      principal,
      access,
      target,
      ...
    }:
    let
      flags = lib.concatStrings (map (a: aclMap.${a}) (lib.toList access));
    in
    "${principal} ${flags} ${target}";

  # Realm name + realm settings -> store path of that realm's ACL file.
  # writeText puts the file in /nix/store, i.e. it is world-readable; it only
  # contains principal names, flags and targets, never key material.
  aclFileFor =
    name:
    { acl, ... }:
    pkgs.writeText "${name}.acl" (lib.concatMapStringsSep "\n" renderAclEntry acl);

  # Per-realm `{ acl_file = <store path>; }` fragments, keyed by realm name.
  aclConfigs = lib.mapAttrs (name: realm: { acl_file = aclFileFor name realm; }) cfg.settings.realms;

  # kdc.conf contents: the user's settings, with every realm's `acl` list
  # swapped for the path of its generated ACL file. Note that `//` lets the
  # generated acl_file win over any acl_file a user put in settings directly.
  finalConfig = cfg.settings // {
    realms = lib.mapAttrs (
      name: realm: removeAttrs realm [ "acl" ] // aclConfigs.${name}
    ) (cfg.settings.realms or { });
  };

  kdcConfFile = format.generate "kdc.conf" finalConfig;

  env = {
    # What Debian uses, could possibly link directly to Nix store?
    KRB5_KDC_PROFILE = "/etc/krb5kdc/kdc.conf";
  };

  # Unit settings shared by both daemons. The daemons read kdc.conf through
  # the fixed /etc path, so a restart trigger on the store path is what picks
  # up a changed config; since kdc.conf embeds the acl_file paths, ACL
  # changes restart the daemons as well.
  # NOTE(review): no User= or sandboxing directives are set, so the units run
  # with systemd's defaults; confirm what access the daemons actually need.
  serviceCommon = {
    partOf = [ "kerberos-server.target" ];
    wantedBy = [ "kerberos-server.target" ];
    restartTriggers = [ kdcConfFile ];
    environment = env;
  };
in

{
  # Only active for the MIT implementation; the Heimdal variant lives elsewhere.
  config = lib.mkIf (cfg.enable && package.passthru.implementation == "krb5") {
    environment = {
      etc."krb5kdc/kdc.conf".source = kdcConfFile;
      variables = env;
    };

    systemd.services.kadmind = serviceCommon // {
      description = "Kerberos Administration Daemon";
      serviceConfig = {
        ExecStart = "${package}/bin/kadmind -nofork";
        Slice = "system-kerberos-server.slice";
        StateDirectory = "krb5kdc";
      };
    };

    systemd.services.kdc = serviceCommon // {
      description = "Key Distribution Center daemon";
      serviceConfig = {
        # krb5kdc daemonizes itself; the PID file lets systemd track the child.
        Type = "forking";
        PIDFile = pidFile;
        ExecStart = "${package}/bin/krb5kdc -P ${pidFile}";
        Slice = "system-kerberos-server.slice";
        StateDirectory = "krb5kdc";
      };
    };
  };
}