{
  config,
  pkgs,
  lib,
  ...
}:

let
  # Option tree shared by both KDC backends (./mit.nix and ./heimdal.nix).
  serverCfg = config.services.kerberos_server;

  # The krb5 package already selected for the client side (security.krb5)
  # is the one this module also places on the system path, so client and
  # server tooling never come from two different flavours.
  krb5Package = config.security.krb5.package;

  # Same configuration format as the client krb5.conf, with the KDC ACL
  # entries enabled; those are the `acl` lists validated below.
  confFormat = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } {
    enableKdcACLEntries = true;
  };

  # One ACL entry's `access` list is accepted when it does not mention "all",
  # when it is "all" on its own, or when it is exactly "all" plus "get-keys".
  # NOTE(review): the "get-keys" exception presumably exists because key
  # extraction is not implied by "all" in the backend ACL format — confirm
  # against mit.nix / heimdal.nix before relying on it.
  accessListIsSane =
    access:
    if !(builtins.elem "all" access) then
      true
    else if builtins.length access <= 1 then
      true
    else
      builtins.length access <= 2 && builtins.elem "get-keys" access;

  # Every realm's ACL entries flattened down to their bare `access` lists.
  # Evaluated lazily, i.e. only when the assertion below is forced.
  allAccessLists = lib.concatMap (realm: map (entry: entry.access) realm.acl) (
    builtins.attrValues serverCfg.settings.realms
  );
in
{
  imports = [
    # `services.kerberos_server.realms` now lives under `settings`.
    (lib.mkRenamedOptionModule
      [ "services" "kerberos_server" "realms" ]
      [ "services" "kerberos_server" "settings" "realms" ]
    )
    ./mit.nix
    ./heimdal.nix
  ];

  options.services.kerberos_server = {
    enable = lib.mkEnableOption "the kerberos authentication server";

    settings = lib.mkOption {
      type = confFormat.type;
      default = { };
      description = ''
        Settings for the kerberos server of choice.

        See the following documentation:
        - Heimdal: {manpage}`kdc.conf(5)`
        - MIT Kerberos: <https://web.mit.edu/kerberos/krb5-1.21/doc/admin/conf_files/kdc_conf.html>
      '';
    };

    extraKDCArgs = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = ''
        Extra arguments to pass to the KDC process. See {manpage}`kdc(8)`.
      '';
    };
  };

  config = lib.mkIf serverCfg.enable {
    environment.systemPackages = [ krb5Package ];

    # Configuration-time checks: a misconfigured realm or an ambiguous ACL
    # fails the build instead of producing a KDC with unintended permissions.
    assertions = [
      {
        assertion = serverCfg.settings.realms != { };
        message = "The server needs at least one realm";
      }
      {
        # This module is written for exactly one realm per host.
        assertion = lib.length (lib.attrNames serverCfg.settings.realms) <= 1;
        message = "Only one realm per server is currently supported.";
      }
      {
        # Reject access lists that pair "all" with anything but "get-keys".
        assertion = builtins.all accessListIsSane allAccessLists;
        message = "Cannot specify \"all\" in a list with additional permissions other than \"get-keys\"";
      }
    ];

    # Slice and target the backend-specific units attach to.
    systemd.slices.system-kerberos-server = { };
    systemd.targets.kerberos-server.wantedBy = [ "multi-user.target" ];
  };

  meta.doc = ./kerberos-server.md;
}