commit 195d155a1c43f23c9f7d9c4d27ae2ed2771a8599 · pyrox.dev/nixpkgs

+16 -2

nixos/modules/security/krb5/default.nix

···

       77
        
           };

     

       78
        
         };

     

       79
        
       

     

       80
       -
         config = mkIf cfg.enable {

     

       81
       -
           environment = {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       82
        
             systemPackages = [ cfg.package ];

     

       83
        
             etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;

     

       84
        
           };

···

       77
        
           };

     

       78
        
         };

     

       79
        
       

     

       80
       +
         config = {

     

       81
       +
           assertions = mkIf (cfg.enable || config.services.kerberos_server.enable) [(let

     

       82
       +
             implementation = cfg.package.passthru.implementation or "<NOT SET>";

     

       83
       +
           in {

     

       84
       +
             assertion = lib.elem implementation [ "krb5" "heimdal" ];

     

       85
       +
             message = ''

     

       86
       +
               `security.krb5.package` must be one of:

     

       87
       +
       

     

       88
       +
                 - krb5

     

       89
       +
                 - heimdal

     

       90
       +
       

     

       91
       +
               Currently chosen implementation: ${implementation}

     

       92
       +
             '';

     

       93
       +
           })];

     

       94
       +
       

     

       95
       +
           environment = mkIf cfg.enable {

     

       96
        
             systemPackages = [ cfg.package ];

     

       97
        
             etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;

     

       98
        
           };

+65 -8

nixos/modules/security/krb5/krb5-conf-format.nix

···

       7
        
       let

     

       8
        
         inherit (lib) boolToString concatMapStringsSep concatStringsSep filter

     

       9
        
           isAttrs isBool isList mapAttrsToList mkOption singleton splitString;

     

       10
       -
         inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path

     

       11
       -
           str submodule;

     

       12
        
       in

     

       13
       -
       { }: {

     

       14
       -
         type = let

     

       15
       -
           section = attrsOf relation;

     

       16
       -
           relation = either (attrsOf value) value;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       17
        
           value = either (listOf atom) atom;

     

       18
        
           atom = oneOf [int str bool];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       19
        
         in submodule {

     

       20
       -
           freeformType = attrsOf section;

     

       21
        
           options = {

     

       22
        
             include = mkOption {

     

       23
        
               default = [ ];

     
···

       40
        
               '';

     

       41
        
               type = coercedTo path singleton (listOf path);

     

       42
        
             };

     

       43
       -
           };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       44
        
         };

     

       45
        
       

     

       46
        
         generate = let

     
···

       71
        
               ${name} = {

     

       72
        
               ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}

     

       73
        
               }''

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       74
        
             else formatValue name relation;

     

       75
        
       

     

       76
        
           formatValue = name: value:

···

       7
        
       let

     

       8
        
         inherit (lib) boolToString concatMapStringsSep concatStringsSep filter

     

       9
        
           isAttrs isBool isList mapAttrsToList mkOption singleton splitString;

     

       10
       +
         inherit (lib.types) attrsOf bool coercedTo either enum int listOf oneOf

     

       11
       +
           path str submodule;

     

       12
        
       in

     

       13
       +
       {

     

       14
       +
         enableKdcACLEntries ? false

     

       15
       +
       }: rec {

     

       16
       +
         sectionType = let

     

       17
       +
           relation = oneOf [

     

       18
       +
             (listOf (attrsOf value))

     

       19
       +
             (attrsOf value)

     

       20
       +
             value

     

       21
       +
           ];

     

       22
        
           value = either (listOf atom) atom;

     

       23
        
           atom = oneOf [int str bool];

     

       24
       +
         in attrsOf relation;

     

       25
       +
       

     

       26
       +
         type = let

     

       27
       +
           aclEntry = submodule {

     

       28
       +
             options = {

     

       29
       +
               principal = mkOption {

     

       30
       +
                 type = str;

     

       31
       +
                 description = "Which principal the rule applies to";

     

       32
       +
               };

     

       33
       +
               access = mkOption {

     

       34
       +
                 type = either

     

       35
       +
                   (listOf (enum ["add" "cpw" "delete" "get" "list" "modify"]))

     

       36
       +
                   (enum ["all"]);

     

       37
       +
                 default = "all";

     

       38
       +
                 description = "The changes the principal is allowed to make.";

     

       39
       +
               };

     

       40
       +
               target = mkOption {

     

       41
       +
                 type = str;

     

       42
       +
                 default = "*";

     

       43
       +
                 description = "The principals that 'access' applies to.";

     

       44
       +
               };

     

       45
       +
             };

     

       46
       +
           };

     

       47
       +
       

     

       48
       +
           realm = submodule ({ name, ... }: {

     

       49
       +
             freeformType = sectionType;

     

       50
       +
             options = {

     

       51
       +
               acl = mkOption {

     

       52
       +
                 type = listOf aclEntry;

     

       53
       +
                 default = [

     

       54
       +
                   { principal = "*/admin"; access = "all"; }

     

       55
       +
                   { principal = "admin"; access = "all"; }

     

       56
       +
                 ];

     

       57
       +
                 description = ''

     

       58
       +
                   The privileges granted to a user.

     

       59
       +
                 '';

     

       60
       +
               };

     

       61
       +
             };

     

       62
       +
           });

     

       63
        
         in submodule {

     

       64
       +
           freeformType = attrsOf sectionType;

     

       65
        
           options = {

     

       66
        
             include = mkOption {

     

       67
        
               default = [ ];

     
···

       84
        
               '';

     

       85
        
               type = coercedTo path singleton (listOf path);

     

       86
        
             };

     

       87
       +
       

     

       88
       +
           }

     

       89
       +
           //

     

       90
       +
           (lib.optionalAttrs enableKdcACLEntries {

     

       91
       +
             realms = mkOption {

     

       92
       +
               type = attrsOf realm;

     

       93
       +
               description = ''

     

       94
       +
                 The realm(s) to serve keys for.

     

       95
       +
               '';

     

       96
       +
             };

     

       97
       +
           });

     

       98
        
         };

     

       99
        
       

     

       100
        
         generate = let

     
···

       125
        
               ${name} = {

     

       126
        
               ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}

     

       127
        
               }''

     

       128
       +
             else if isList relation

     

       129
       +
             then

     

       130
       +
               concatMapStringsSep "\n" (formatRelation name) relation

     

       131
        
             else formatValue name relation;

     

       132
        
       

     

       133
        
           formatValue = name: value:

+33 -49

nixos/modules/services/system/kerberos/default.nix

···

       1
       -
       {config, lib, ...}:

     

       2
        
       

     

       3
        
       let

     

       4
       -
         inherit (lib) mkOption mkIf types length attrNames;

     

       5
        
         cfg = config.services.kerberos_server;

     

       6
       -
         kerberos = config.security.krb5.package;

     

       7
        
       

     

       8
       -
         aclEntry = {

     

       9
       -
           options = {

     

       10
       -
             principal = mkOption {

     

       11
       -
               type = types.str;

     

       12
       -
               description = "Which principal the rule applies to";

     

       13
       -
             };

     

       14
       -
             access = mkOption {

     

       15
       -
               type = types.either

     

       16
       -
                 (types.listOf (types.enum ["add" "cpw" "delete" "get" "list" "modify"]))

     

       17
       -
                 (types.enum ["all"]);

     

       18
       -
               default = "all";

     

       19
       -
               description = "The changes the principal is allowed to make.";

     

       20
       -
             };

     

       21
       -
             target = mkOption {

     

       22
       -
               type = types.str;

     

       23
       -
               default = "*";

     

       24
       -
               description = "The principals that 'access' applies to.";

     

       25
       -
             };

     

       26
       -
           };

     

       27
       -
         };

     

       28
       -
       

     

       29
       -
         realm = {

     

       30
       -
           options = {

     

       31
       -
             acl = mkOption {

     

       32
       -
               type = types.listOf (types.submodule aclEntry);

     

       33
       -
               default = [

     

       34
       -
                 { principal = "*/admin"; access = "all"; }

     

       35
       -
                 { principal = "admin"; access = "all"; }

     

       36
       -
               ];

     

       37
       -
               description = ''

     

       38
       -
                 The privileges granted to a user.

     

       39
       -
               '';

     

       40
       -
             };

     

       41
       -
           };

     

       42
       -
         };

     

       43
        
       in

     

       44
        
       

     

       45
        
       {

     

       46
        
         imports = [

     

       0
        
       
     

       0
        
       
     

       47
        
           ./mit.nix

     

       48
        
           ./heimdal.nix

     

       49
        
         ];

     

       50
        
       

     

       51
       -
         ###### interface

     

       52
        
         options = {

     

       53
        
           services.kerberos_server = {

     

       54
        
             enable = lib.mkEnableOption "the kerberos authentication server";

     

       55
        
       

     

       56
       -
             realms = mkOption {

     

       57
       -
               type = types.attrsOf (types.submodule realm);

     

       58
        
               description = ''

     

       59
       -
                 The realm(s) to serve keys for.

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       60
        
               '';

     

       0
        
       
     

       61
        
             };

     

       62
        
           };

     

       63
        
         };

     

       64
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       65
        
       

     

       66
       -
         ###### implementation

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       67
        
       

     

       68
       -
         config = mkIf cfg.enable {

     

       69
       -
           environment.systemPackages = [ kerberos ];

     

       70
       -
           assertions = [{

     

       71
       -
             assertion = length (attrNames cfg.realms) <= 1;

     

       72
       -
             message = "Only one realm per server is currently supported.";

     

       73
       -
           }];

     

       74
        
         };

     

       75
        
       }

···

       1
       +
       { config, pkgs, lib, ... }:

     

       2
        
       

     

       3
        
       let

     

       4
       +
         inherit (lib) mkOption types;

     

       5
        
         cfg = config.services.kerberos_server;

     

       6
       +
         inherit (config.security.krb5) package;

     

       7
        
       

     

       8
       +
         format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } { enableKdcACLEntries = true; };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       9
        
       in

     

       10
        
       

     

       11
        
       {

     

       12
        
         imports = [

     

       13
       +
           (lib.mkRenamedOptionModule [ "services" "kerberos_server" "realms" ] [ "services" "kerberos_server" "settings" "realms" ])

     

       14
       +
       

     

       15
        
           ./mit.nix

     

       16
        
           ./heimdal.nix

     

       17
        
         ];

     

       18
        
       

     

       0
        
       
     

       19
        
         options = {

     

       20
        
           services.kerberos_server = {

     

       21
        
             enable = lib.mkEnableOption "the kerberos authentication server";

     

       22
        
       

     

       23
       +
             settings = mkOption {

     

       24
       +
               type = format.type;

     

       25
        
               description = ''

     

       26
       +
                 Settings for the kerberos server of choice.

     

       27
       +
       

     

       28
       +
                 See the following documentation:

     

       29
       +
                 - Heimdal: {manpage}`kdc.conf(5)`

     

       30
       +
                 - MIT Kerberos: <https://web.mit.edu/kerberos/krb5-1.21/doc/admin/conf_files/kdc_conf.html>

     

       31
        
               '';

     

       32
       +
               default = { };

     

       33
        
             };

     

       34
        
           };

     

       35
        
         };

     

       36
        
       

     

       37
       +
         config = lib.mkIf cfg.enable {

     

       38
       +
           environment.systemPackages = [ package ];

     

       39
       +
           assertions = [

     

       40
       +
             {

     

       41
       +
               assertion = cfg.settings.realms != { };

     

       42
       +
               message = "The server needs at least one realm";

     

       43
       +
             }

     

       44
       +
             {

     

       45
       +
               assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1;

     

       46
       +
               message = "Only one realm per server is currently supported.";

     

       47
       +
             }

     

       48
       +
           ];

     

       49
        
       

     

       50
       +
           systemd.slices.system-kerberos-server = { };

     

       51
       +
           systemd.targets.kerberos-server = {

     

       52
       +
             wantedBy = [ "multi-user.target" ];

     

       53
       +
           };

     

       54
       +
         };

     

       55
        
       

     

       56
       +
         meta = {

     

       57
       +
           doc = ./kerberos-server.md;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       58
        
         };

     

       59
        
       }

+62 -43

nixos/modules/services/system/kerberos/heimdal.nix

···

       1
        
       { pkgs, config, lib, ... } :

     

       2
        
       

     

       3
        
       let

     

       4
       -
         inherit (lib) mkIf concatStringsSep concatMapStrings toList mapAttrs

     

       5
       -
           mapAttrsToList;

     

       6
        
         cfg = config.services.kerberos_server;

     

       7
       -
         kerberos = config.security.krb5.package;

     

       8
       -
         stateDir = "/var/heimdal";

     

       9
       -
         aclFiles = mapAttrs

     

       10
       -
           (name: {acl, ...}: pkgs.writeText "${name}.acl" (concatMapStrings ((

     

       11
       -
             {principal, access, target, ...} :

     

       12
       -
             "${principal}\t${concatStringsSep "," (toList access)}\t${target}\n"

     

       13
       -
           )) acl)) cfg.realms;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       14
        
       

     

       15
       -
         kdcConfigs = mapAttrsToList (name: value: ''

     

       16
       -
           database = {

     

       17
       -
             dbname = ${stateDir}/heimdal

     

       18
       -
             acl_file = ${value}

     

       19
       -
           }

     

       20
       -
         '') aclFiles;

     

       21
       -
         kdcConfFile = pkgs.writeText "kdc.conf" ''

     

       22
       -
           [kdc]

     

       23
       -
           ${concatStringsSep "\n" kdcConfigs}

     

       24
       -
         '';

     

       25
        
       in

     

       26
        
       

     

       27
        
       {

     

       28
       -
         # No documentation about correct triggers, so guessing at them.

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       29
        
       

     

       30
       -
         config = mkIf (cfg.enable && kerberos == pkgs.heimdal) {

     

       31
        
           systemd.services.kadmind = {

     

       32
        
             description = "Kerberos Administration Daemon";

     

       33
       -
             wantedBy = [ "multi-user.target" ];

     

       34
       -
             preStart = ''

     

       35
       -
               mkdir -m 0755 -p ${stateDir}

     

       36
       -
             '';

     

       37
       -
             serviceConfig.ExecStart =

     

       38
       -
               "${kerberos}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";

     

       0
        
       
     

       39
        
             restartTriggers = [ kdcConfFile ];

     

       40
        
           };

     

       41
        
       

     

       42
        
           systemd.services.kdc = {

     

       43
        
             description = "Key Distribution Center daemon";

     

       44
       -
             wantedBy = [ "multi-user.target" ];

     

       45
       -
             preStart = ''

     

       46
       -
               mkdir -m 0755 -p ${stateDir}

     

       47
       -
             '';

     

       48
       -
             serviceConfig.ExecStart =

     

       49
       -
               "${kerberos}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";

     

       0
        
       
     

       50
        
             restartTriggers = [ kdcConfFile ];

     

       51
        
           };

     

       52
        
       

     

       53
        
           systemd.services.kpasswdd = {

     

       54
        
             description = "Kerberos Password Changing daemon";

     

       55
       -
             wantedBy = [ "multi-user.target" ];

     

       56
       -
             preStart = ''

     

       57
       -
               mkdir -m 0755 -p ${stateDir}

     

       58
       -
             '';

     

       59
       -
             serviceConfig.ExecStart = "${kerberos}/libexec/kpasswdd";

     

       0
        
       
     

       0
        
       
     

       60
        
             restartTriggers = [ kdcConfFile ];

     

       61
       -
           };

     

       62
       -
       

     

       63
       -
           environment.etc = {

     

       64
       -
             # Can be set via the --config-file option to KDC

     

       65
       -
             "heimdal-kdc/kdc.conf".source = kdcConfFile;

     

       66
        
           };

     

       67
        
         };

     

       68
        
       }

···

       1
        
       { pkgs, config, lib, ... } :

     

       2
        
       

     

       3
        
       let

     

       4
       +
         inherit (lib)  mapAttrs;

     

       0
        
       
     

       5
        
         cfg = config.services.kerberos_server;

     

       6
       +
         package = config.security.krb5.package;

     

       7
       +
       

     

       8
       +
         aclConfigs = lib.pipe cfg.settings.realms [

     

       9
       +
           (mapAttrs (name: { acl, ... }: lib.concatMapStringsSep "\n" (

     

       10
       +
             { principal, access, target, ... }:

     

       11
       +
             "${principal}\t${lib.concatStringsSep "," (lib.toList access)}\t${target}"

     

       12
       +
           ) acl))

     

       13
       +
           (lib.mapAttrsToList (name: text:

     

       14
       +
             {

     

       15
       +
               dbname = "/var/lib/heimdal/heimdal";

     

       16
       +
               acl_file = pkgs.writeText "${name}.acl" text;

     

       17
       +
             }

     

       18
       +
           ))

     

       19
       +
         ];

     

       20
       +
       

     

       21
       +
         finalConfig = cfg.settings // {

     

       22
       +
           realms = mapAttrs (_: v: removeAttrs v [ "acl" ]) (cfg.settings.realms or { });

     

       23
       +
           kdc = (cfg.settings.kdc or { }) // {

     

       24
       +
             database = aclConfigs;

     

       25
       +
           };

     

       26
       +
         };

     

       27
       +
       

     

       28
       +
         format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } { enableKdcACLEntries = true; };

     

       29
        
       

     

       30
       +
         kdcConfFile = format.generate "kdc.conf" finalConfig;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       31
        
       in

     

       32
        
       

     

       33
        
       {

     

       34
       +
         config = lib.mkIf (cfg.enable && package.passthru.implementation == "heimdal") {

     

       35
       +
           environment.etc."heimdal-kdc/kdc.conf".source = kdcConfFile;

     

       36
       +
       

     

       37
       +
           systemd.tmpfiles.settings."10-heimdal" = let

     

       38
       +
             databases = lib.pipe finalConfig.kdc.database [

     

       39
       +
               (map (dbAttrs: dbAttrs.dbname or null))

     

       40
       +
               (lib.filter (x: x != null))

     

       41
       +
               lib.unique

     

       42
       +
             ];

     

       43
       +
           in lib.genAttrs databases (_: {

     

       44
       +
             d = {

     

       45
       +
               user = "root";

     

       46
       +
               group = "root";

     

       47
       +
               mode = "0700";

     

       48
       +
             };

     

       49
       +
           });

     

       50
        
       

     

       0
        
       
     

       51
        
           systemd.services.kadmind = {

     

       52
        
             description = "Kerberos Administration Daemon";

     

       53
       +
             partOf = [ "kerberos-server.target" ];

     

       54
       +
             wantedBy = [ "kerberos-server.target" ];

     

       55
       +
             serviceConfig = {

     

       56
       +
               ExecStart = "${package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";

     

       57
       +
               Slice = "system-kerberos-server.slice";

     

       58
       +
               StateDirectory = "heimdal";

     

       59
       +
             };

     

       60
        
             restartTriggers = [ kdcConfFile ];

     

       61
        
           };

     

       62
        
       

     

       63
        
           systemd.services.kdc = {

     

       64
        
             description = "Key Distribution Center daemon";

     

       65
       +
             partOf = [ "kerberos-server.target" ];

     

       66
       +
             wantedBy = [ "kerberos-server.target" ];

     

       67
       +
             serviceConfig = {

     

       68
       +
               ExecStart = "${package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";

     

       69
       +
               Slice = "system-kerberos-server.slice";

     

       70
       +
               StateDirectory = "heimdal";

     

       71
       +
             };

     

       72
        
             restartTriggers = [ kdcConfFile ];

     

       73
        
           };

     

       74
        
       

     

       75
        
           systemd.services.kpasswdd = {

     

       76
        
             description = "Kerberos Password Changing daemon";

     

       77
       +
             partOf = [ "kerberos-server.target" ];

     

       78
       +
             wantedBy = [ "kerberos-server.target" ];

     

       79
       +
             serviceConfig = {

     

       80
       +
               ExecStart = "${package}/libexec/kpasswdd";

     

       81
       +
               Slice = "system-kerberos-server.slice";

     

       82
       +
               StateDirectory = "heimdal";

     

       83
       +
             };

     

       84
        
             restartTriggers = [ kdcConfFile ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       85
        
           };

     

       86
        
         };

     

       87
        
       }

+55

nixos/modules/services/system/kerberos/kerberos-server.md

···

       1
       +
       # kerberos_server {#module-services-kerberos-server}

     

       2
       +
       

     

       3
       +
       Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

     

       4
       +
       

     

       5
       +
       This module provides both the MIT and Heimdal implementations of the a Kerberos server.

     

       6
       +
       

     

       7
       +
       ## Usage {#module-services-kerberos-server-usage}

     

       8
       +
       

     

       9
       +
       To enable a Kerberos server:

     

       10
       +
       

     

       11
       +
       ```nix

     

       12
       +
       {

     

       13
       +
         security.krb5 = {

     

       14
       +
           # Here you can choose between the MIT and Heimdal implementations.

     

       15
       +
           package = pkgs.krb5;

     

       16
       +
           # package = pkgs.heimdal;

     

       17
       +
       

     

       18
       +
           # Optionally set up a client on the same machine as the server

     

       19
       +
           enable = true;

     

       20
       +
           settings = {

     

       21
       +
             libdefaults.default_realm = "EXAMPLE.COM";

     

       22
       +
             realms."EXAMPLE.COM" = {

     

       23
       +
               kdc = "kerberos.example.com";

     

       24
       +
               admin_server = "kerberos.example.com";

     

       25
       +
             };

     

       26
       +
           };

     

       27
       +
         }

     

       28
       +
       

     

       29
       +
         services.kerberos-server = {

     

       30
       +
           enable = true;

     

       31
       +
           settings = {

     

       32
       +
             realms."EXAMPLE.COM" = {

     

       33
       +
               acl = [{ principal = "adminuser"; access=  ["add" "cpw"]; }];

     

       34
       +
             };

     

       35
       +
           };

     

       36
       +
         };

     

       37
       +
       }

     

       38
       +
       ```

     

       39
       +
       

     

       40
       +
       ## Notes {#module-services-kerberos-server-notes}

     

       41
       +
       

     

       42
       +
       - The Heimdal documentation will sometimes assume that state is stored in `/var/heimdal`, but this module uses `/var/lib/heimdal` instead.

     

       43
       +
       - Due to the heimdal implementation being chosen through `security.krb5.package`, it is not possible to have a system with one implementation of the client and another of the server.

     

       44
       +
       - While `services.kerberos_server.settings` has a common freeform type between the two implementations, the actual settings that can be set can vary between the two implementations. To figure out what settings are available, you should consult the upstream documentation for the implementation you are using.

     

       45
       +
       

     

       46
       +
       ## Upstream Documentation {#module-services-kerberos-server-upstream-documentation}

     

       47
       +
       

     

       48
       +
       - MIT Kerberos homepage: https://web.mit.edu/kerberos

     

       49
       +
       - MIT Kerberos docs: https://web.mit.edu/kerberos/krb5-latest/doc/index.html

     

       50
       +
       

     

       51
       +
       - Heimdal Kerberos GitHub wiki: https://github.com/heimdal/heimdal/wiki

     

       52
       +
       - Heimdal kerberos doc manpages (Debian unstable): https://manpages.debian.org/unstable/heimdal-docs/index.html

     

       53
       +
       - Heimdal Kerberos kdc manpages (Debian unstable): https://manpages.debian.org/unstable/heimdal-kdc/index.html

     

       54
       +
       

     

       55
       +
       Note the version number in the URLs, it may be different for the latest version.

+43 -35

nixos/modules/services/system/kerberos/mit.nix

···

       1
        
       { pkgs, config, lib, ... } :

     

       2
        
       

     

       3
        
       let

     

       4
       -
         inherit (lib) mkIf concatStrings concatStringsSep concatMapStrings toList

     

       5
       -
           mapAttrs mapAttrsToList;

     

       6
        
         cfg = config.services.kerberos_server;

     

       7
       -
         kerberos = config.security.krb5.package;

     

       8
       -
         stateDir = "/var/lib/krb5kdc";

     

       9
        
         PIDFile = "/run/kdc.pid";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       10
        
         aclMap = {

     

       11
        
           add = "a"; cpw = "c"; delete = "d"; get = "i"; list = "l"; modify = "m";

     

       12
        
           all = "*";

     

       13
        
         };

     

       14
       -
         aclFiles = mapAttrs

     

       15
       -
           (name: {acl, ...}: (pkgs.writeText "${name}.acl" (concatMapStrings (

     

       16
       -
             {principal, access, target, ...} :

     

       17
       -
             let access_code = map (a: aclMap.${a}) (toList access); in

     

       18
       -
             "${principal} ${concatStrings access_code} ${target}\n"

     

       19
       -
           ) acl))) cfg.realms;

     

       20
       -
         kdcConfigs = mapAttrsToList (name: value: ''

     

       21
       -
           ${name} = {

     

       22
       -
             acl_file = ${value}

     

       23
       -
           }

     

       24
       -
         '') aclFiles;

     

       25
       -
         kdcConfFile = pkgs.writeText "kdc.conf" ''

     

       26
       -
           [realms]

     

       27
       -
           ${concatStringsSep "\n" kdcConfigs}

     

       28
       -
         '';

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       29
        
         env = {

     

       30
        
           # What Debian uses, could possibly link directly to Nix store?

     

       31
        
           KRB5_KDC_PROFILE = "/etc/krb5kdc/kdc.conf";

     
···

       33
        
       in

     

       34
        
       

     

       35
        
       {

     

       36
       -
         config = mkIf (cfg.enable && kerberos == pkgs.krb5) {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       37
        
           systemd.services.kadmind = {

     

       38
        
             description = "Kerberos Administration Daemon";

     

       39
       -
             wantedBy = [ "multi-user.target" ];

     

       40
       -
             preStart = ''

     

       41
       -
               mkdir -m 0755 -p ${stateDir}

     

       42
       -
             '';

     

       43
       -
             serviceConfig.ExecStart = "${kerberos}/bin/kadmind -nofork";

     

       0
        
       
     

       0
        
       
     

       44
        
             restartTriggers = [ kdcConfFile ];

     

       45
        
             environment = env;

     

       46
        
           };

     

       47
        
       

     

       48
        
           systemd.services.kdc = {

     

       49
        
             description = "Key Distribution Center daemon";

     

       50
       -
             wantedBy = [ "multi-user.target" ];

     

       51
       -
             preStart = ''

     

       52
       -
               mkdir -m 0755 -p ${stateDir}

     

       53
       -
             '';

     

       54
        
             serviceConfig = {

     

       55
        
               Type = "forking";

     

       56
        
               PIDFile = PIDFile;

     

       57
       -
               ExecStart = "${kerberos}/bin/krb5kdc -P ${PIDFile}";

     

       0
        
       
     

       0
        
       
     

       58
        
             };

     

       59
        
             restartTriggers = [ kdcConfFile ];

     

       60
        
             environment = env;

     

       61
        
           };

     

       62
       -
       

     

       63
       -
           environment.etc = {

     

       64
       -
             "krb5kdc/kdc.conf".source = kdcConfFile;

     

       65
       -
           };

     

       66
       -
           environment.variables = env;

     

       67
        
         };

     

       68
        
       }

···

       1
        
       { pkgs, config, lib, ... } :

     

       2
        
       

     

       3
        
       let

     

       4
       +
         inherit (lib) mapAttrs;

     

       0
        
       
     

       5
        
         cfg = config.services.kerberos_server;

     

       6
       +
         package = config.security.krb5.package;

     

       0
        
       
     

       7
        
         PIDFile = "/run/kdc.pid";

     

       8
       +
       

     

       9
       +
         format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } { enableKdcACLEntries = true; };

     

       10
       +
       

     

       11
        
         aclMap = {

     

       12
        
           add = "a"; cpw = "c"; delete = "d"; get = "i"; list = "l"; modify = "m";

     

       13
        
           all = "*";

     

       14
        
         };

     

       15
       +
       

     

       16
       +
         aclConfigs = lib.pipe cfg.settings.realms [

     

       17
       +
           (mapAttrs (name: { acl, ... }: lib.concatMapStringsSep "\n" (

     

       18
       +
             { principal, access, target, ... }: let

     

       19
       +
               access_code = map (a: aclMap.${a}) (lib.toList access);

     

       20
       +
             in "${principal} ${lib.concatStrings access_code} ${target}"

     

       21
       +
           ) acl))

     

       22
       +
       

     

       23
       +
           (lib.concatMapAttrs (name: text: {

     

       24
       +
             ${name} = {

     

       25
       +
               acl_file = pkgs.writeText "${name}.acl" text;

     

       26
       +
             };

     

       27
       +
           }))

     

       28
       +
         ];

     

       29
       +
       

     

       30
       +
         finalConfig = cfg.settings // {

     

       31
       +
           realms = mapAttrs (n: v: (removeAttrs v [ "acl" ]) // aclConfigs.${n}) (cfg.settings.realms or { });

     

       32
       +
         };

     

       33
       +
       

     

       34
       +
         kdcConfFile = format.generate "kdc.conf" finalConfig;

     

       35
        
         env = {

     

       36
        
           # What Debian uses, could possibly link directly to Nix store?

     

       37
        
           KRB5_KDC_PROFILE = "/etc/krb5kdc/kdc.conf";

     
···

       39
        
       in

     

       40
        
       

     

       41
        
       {

     

       42
       +
         config = lib.mkIf (cfg.enable && package.passthru.implementation == "krb5") {

     

       43
       +
           environment = {

     

       44
       +
             etc."krb5kdc/kdc.conf".source = kdcConfFile;

     

       45
       +
             variables = env;

     

       46
       +
           };

     

       47
       +
       

     

       48
        
           systemd.services.kadmind = {

     

       49
        
             description = "Kerberos Administration Daemon";

     

       50
       +
             partOf = [ "kerberos-server.target" ];

     

       51
       +
             wantedBy = [ "kerberos-server.target" ];

     

       52
       +
             serviceConfig = {

     

       53
       +
               ExecStart = "${package}/bin/kadmind -nofork";

     

       54
       +
               Slice = "system-kerberos-server.slice";

     

       55
       +
               StateDirectory = "krb5kdc";

     

       56
       +
             };

     

       57
        
             restartTriggers = [ kdcConfFile ];

     

       58
        
             environment = env;

     

       59
        
           };

     

       60
        
       

     

       61
        
           systemd.services.kdc = {

     

       62
        
             description = "Key Distribution Center daemon";

     

       63
       +
             partOf = [ "kerberos-server.target" ];

     

       64
       +
             wantedBy = [ "kerberos-server.target" ];

     

       0
        
       
     

       0
        
       
     

       65
        
             serviceConfig = {

     

       66
        
               Type = "forking";

     

       67
        
               PIDFile = PIDFile;

     

       68
       +
               ExecStart = "${package}/bin/krb5kdc -P ${PIDFile}";

     

       69
       +
               Slice = "system-kerberos-server.slice";

     

       70
       +
               StateDirectory = "krb5kdc";

     

       71
        
             };

     

       72
        
             restartTriggers = [ kdcConfFile ];

     

       73
        
             environment = env;

     

       74
        
           };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       75
        
         };

     

       76
        
       }

+1 -1

nixos/tests/kerberos/heimdal.nix

···

       4
        
         nodes.machine = { config, libs, pkgs, ...}:

     

       5
        
         { services.kerberos_server =

     

       6
        
           { enable = true;

     

       7
       -
             realms = {

     

       8
        
               "FOO.BAR".acl = [{principal = "admin"; access = ["add" "cpw"];}];

     

       9
        
             };

     

       10
        
           };

···

       4
        
         nodes.machine = { config, libs, pkgs, ...}:

     

       5
        
         { services.kerberos_server =

     

       6
        
           { enable = true;

     

       7
       +
             settings.realms = {

     

       8
        
               "FOO.BAR".acl = [{principal = "admin"; access = ["add" "cpw"];}];

     

       9
        
             };

     

       10
        
           };

+1 -1

nixos/tests/kerberos/mit.nix

···

       4
        
         nodes.machine = { config, libs, pkgs, ...}:

     

       5
        
         { services.kerberos_server =

     

       6
        
           { enable = true;

     

       7
       -
             realms = {

     

       8
        
               "FOO.BAR".acl = [{principal = "admin"; access = ["add" "cpw"];}];

     

       9
        
             };

     

       10
        
           };

···

       4
        
         nodes.machine = { config, libs, pkgs, ...}:

     

       5
        
         { services.kerberos_server =

     

       6
        
           { enable = true;

     

       7
       +
             settings.realms = {

     

       8
        
               "FOO.BAR".acl = [{principal = "admin"; access = ["add" "cpw"];}];

     

       9
        
             };

     

       10
        
           };

pkgs/development/libraries/kerberos/heimdal.nix

···

       89
        
         ];

     

       90
        
       

     

       91
        
         configureFlags = [

     

       0
        
       
     

       0
        
       
     

       92
        
           "--with-libedit-include=${libedit.dev}/include"

     

       93
        
           "--with-libedit-lib=${libedit}/lib"

     

       94
        
           "--with-berkeley-db-include=${db.dev}/include"

···

       89
        
         ];

     

       90
        
       

     

       91
        
         configureFlags = [

     

       92
       +
           "--with-hdbdir=/var/lib/heimdal"

     

       93
       +
       

     

       94
        
           "--with-libedit-include=${libedit.dev}/include"

     

       95
        
           "--with-libedit-lib=${libedit}/lib"

     

       96
        
           "--with-berkeley-db-include=${db.dev}/include"