# NixOS module fragment for the MIT krb5 implementation of services.kerberos_server:
# generates kdc.conf plus one kadm5 ACL file per realm and defines the kdc and
# kadmind systemd units. It is active only when the service is enabled AND the
# selected krb5 package reports implementation == "krb5" (see the mkIf below).
{
  pkgs,
  config,
  lib,
  utils,
  ...
}:

let
  inherit (lib) mapAttrs;
  inherit (utils) escapeSystemdExecArgs;

  cfg = config.services.kerberos_server;
  package = config.security.krb5.package;
  # PID file handed to krb5kdc via -P and to systemd via PIDFile= (Type=forking).
  PIDFile = "/run/kdc.pid";

  # Shared krb5 config generator; enableKdcACLEntries lets realm entries carry an
  # `acl` attribute that this module turns into an acl_file reference below.
  format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } {
    enableKdcACLEntries = true;
  };

  # Maps the option-level access names to the single-character permission codes
  # written into the realm's ACL file. An access name missing from this map makes
  # the `aclMap.${a}` lookup below fail at evaluation time rather than silently
  # granting or dropping a permission.
  aclMap = {
    add = "a";
    cpw = "c";
    delete = "d";
    get-keys = "e";
    get = "i";
    list = "l";
    modify = "m";
    all = "x";
  };

  # realm name -> { acl_file = <store path>; }
  # Step 1 renders each realm's `acl` list as one "principal codes target" line per
  # entry; step 2 writes that text to the Nix store. principal and target are
  # interpolated verbatim with no escaping here, so a value containing whitespace or
  # a newline would alter how the ACL line is split -- presumably the option types
  # declared elsewhere constrain these; verify against the options module.
  # NOTE(review): the store is world-readable; the file holds only principal names
  # and permission codes, no key material.
  aclConfigs = lib.pipe cfg.settings.realms [
    (mapAttrs (
      name:
      { acl, ... }:
      lib.concatMapStringsSep "\n" (
        {
          principal,
          access,
          target,
          ...
        }:
        let
          # `access` may be a single name or a list; every name must be a key of aclMap.
          access_code = map (a: aclMap.${a}) (lib.toList access);
        in
        "${principal} ${lib.concatStrings access_code} ${target}"
      ) acl
    ))

    (lib.concatMapAttrs (
      name: text: {
        ${name} = {
          acl_file = pkgs.writeText "${name}.acl" text;
        };
      }
    ))
  ];

  # The user's settings with each realm's `acl` list replaced by the generated
  # `acl_file` path. `or { }` keeps evaluation working when no realms are declared.
  finalConfig = cfg.settings // {
    realms = mapAttrs (n: v: (removeAttrs v [ "acl" ]) // aclConfigs.${n}) (cfg.settings.realms or { });
  };

  kdcConfFile = format.generate "kdc.conf" finalConfig;
  env = {
    # What Debian uses, could possibly link directly to Nix store?
    # Must match the environment.etc path below, where kdcConfFile is linked.
    KRB5_KDC_PROFILE = "/etc/krb5kdc/kdc.conf";
  };
in

{
  config = lib.mkIf (cfg.enable && package.passthru.implementation == "krb5") {
    environment = {
      etc."krb5kdc/kdc.conf".source = kdcConfFile;
      # Exported system-wide as well as per service, so admin tools find the same profile.
      variables = env;
    };

    systemd.services.kadmind = {
      description = "Kerberos Administration Daemon";
      partOf = [ "kerberos-server.target" ];
      wantedBy = [ "kerberos-server.target" ];
      serviceConfig = {
        # Plain string, unlike the kdc unit which builds its command line via
        # escapeSystemdExecArgs; no user-supplied arguments are appended here.
        ExecStart = "${package}/bin/kadmind -nofork";
        Slice = "system-kerberos-server.slice";
        StateDirectory = "krb5kdc";
      };
      # Restart whenever the generated kdc.conf (and thus any ACL file) changes.
      restartTriggers = [ kdcConfFile ];
      environment = env;
    };

    systemd.services.kdc = {
      description = "Key Distribution Center daemon";
      partOf = [ "kerberos-server.target" ];
      wantedBy = [ "kerberos-server.target" ];
      serviceConfig = {
        # krb5kdc daemonizes itself; systemd tracks the main process via PIDFile.
        Type = "forking";
        PIDFile = PIDFile;
        # cfg.extraKDCArgs is appended after the fixed arguments and shell-escaped
        # for the systemd Exec line, so individual arguments cannot be split or joined.
        ExecStart = escapeSystemdExecArgs (
          [
            "${package}/bin/krb5kdc"
            "-P"
            "${PIDFile}"
          ]
          ++ cfg.extraKDCArgs
        );
        Slice = "system-kerberos-server.slice";
        StateDirectory = "krb5kdc";
      };
      restartTriggers = [ kdcConfFile ];
      environment = env;
    };
  };
}