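# NixOS module: Heimdal backend for `services.kerberos_server`.
# Renders `cfg.settings` into /etc/heimdal-kdc/kdc.conf, turning each realm's
# NixOS-only `acl` list into a kadmind ACL file, and defines the kdc, kadmind
# and kpasswdd systemd units.  Everything below is only evaluated when the
# service is enabled and the selected krb5 package is Heimdal (see `mkIf`).
{
  pkgs,
  config,
  lib,
  utils,
  ...
}:

let
  inherit (lib) mapAttrs;
  inherit (utils) escapeSystemdExecArgs;

  cfg = config.services.kerberos_server;
  package = config.security.krb5.package;

  # One `[kdc] database = { ... }` entry per realm.  The realm's `acl` list is
  # rendered into kadmind's ACL format: one rule per line,
  # `principal<TAB>access[,access...]` plus an optional third `target` column,
  # which is omitted when target is "*" or empty.
  # `realms or { }` uses the same default as `finalConfig` below, so an unset
  # `realms` produces no database entries instead of an evaluation error.
  aclConfigs = lib.pipe (cfg.settings.realms or { }) [
    (mapAttrs (
      _realm:
      { acl, ... }:
      lib.concatMapStringsSep "\n" (
        {
          principal,
          access,
          target,
          ...
        }:
        # `access` may be a single string or a list; either way it becomes one
        # comma-separated field.
        if target != "*" && target != "" then
          "${principal}\t${lib.concatStringsSep "," (lib.toList access)}\t${target}"
        else
          "${principal}\t${lib.concatStringsSep "," (lib.toList access)}"
      ) acl
    ))
    (lib.mapAttrsToList (
      name: text: {
        # All realms share the same on-disk database path (inside the
        # `heimdal` StateDirectory); only the ACL file differs per realm.
        dbname = "/var/lib/heimdal/heimdal";
        # writeText puts the ACL in the world-readable Nix store.  That is
        # acceptable here because the file holds authorization rules only,
        # never key material.
        acl_file = pkgs.writeText "${name}.acl" text;
      }
    ))
  ];

  # Settings as actually written to kdc.conf: the `acl` attribute is stripped
  # from every realm (it is not a Heimdal option), and the generated database
  # entries are merged into `[kdc]`, taking precedence over any `database`
  # value the user put in `cfg.settings.kdc`.
  finalConfig = cfg.settings // {
    realms = mapAttrs (_: v: removeAttrs v [ "acl" ]) (cfg.settings.realms or { });
    kdc = (cfg.settings.kdc or { }) // {
      database = aclConfigs;
    };
  };

  # Shared krb5.conf/kdc.conf serializer; `enableKdcACLEntries` enables the
  # `[kdc] database` list syntax used by `aclConfigs`.
  format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } {
    enableKdcACLEntries = true;
  };

  kdcConfFile = format.generate "kdc.conf" finalConfig;
in

{
  config = lib.mkIf (cfg.enable && package.passthru.implementation == "heimdal") {
    environment.etc."heimdal-kdc/kdc.conf".source = kdcConfFile;

    # Pre-create every distinct `dbname` path as a root-only (0700) directory
    # so the database location never exists with a more permissive mode.
    systemd.tmpfiles.settings."10-heimdal" =
      let
        databases = lib.pipe finalConfig.kdc.database [
          (map (dbAttrs: dbAttrs.dbname or null))
          (lib.filter (x: x != null))
          lib.unique
        ];
      in
      lib.genAttrs databases (_: {
        d = {
          user = "root";
          group = "root";
          mode = "0700";
        };
      });

    # All three daemons are grouped under kerberos-server.target and the
    # system-kerberos-server slice, and restart whenever kdc.conf changes.
    systemd.services.kadmind = {
      description = "Kerberos Administration Daemon";
      partOf = [ "kerberos-server.target" ];
      wantedBy = [ "kerberos-server.target" ];
      documentation = [
        "man:kadmind(8)"
        "info:heimdal"
      ];
      serviceConfig = {
        ExecStart = "${package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
        Slice = "system-kerberos-server.slice";
        StateDirectory = "heimdal";
      };
      restartTriggers = [ kdcConfFile ];
    };

    systemd.services.kdc = {
      description = "Key Distribution Center daemon";
      partOf = [ "kerberos-server.target" ];
      wantedBy = [ "kerberos-server.target" ];
      documentation = [
        "man:kdc(8)"
        "info:heimdal"
      ];
      serviceConfig = {
        # `extraKDCArgs` is user-controlled, so the argv is escaped for the
        # systemd unit file rather than interpolated into one string.
        ExecStart = escapeSystemdExecArgs (
          [
            "${package}/libexec/kdc"
            "--config-file=/etc/heimdal-kdc/kdc.conf"
          ]
          ++ cfg.extraKDCArgs
        );
        Slice = "system-kerberos-server.slice";
        StateDirectory = "heimdal";
      };
      restartTriggers = [ kdcConfFile ];
    };

    systemd.services.kpasswdd = {
      description = "Kerberos Password Changing daemon";
      partOf = [ "kerberos-server.target" ];
      wantedBy = [ "kerberos-server.target" ];
      documentation = [
        "man:kpasswdd(8)"
        "info:heimdal"
      ];
      serviceConfig = {
        # NOTE(review): unlike kdc and kadmind, kpasswdd is started without an
        # explicit config-file argument, so it presumably reads Heimdal's
        # default configuration locations rather than the generated
        # /etc/heimdal-kdc/kdc.conf — confirm this is intended.
        ExecStart = "${package}/libexec/kpasswdd";
        Slice = "system-kerberos-server.slice";
        StateDirectory = "heimdal";
      };
      restartTriggers = [ kdcConfFile ];
    };
  };
}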