···

       
61
       
 
       
            description = "Which principal the rule applies to";

     

       
62
       
 
       
          };

     

       
63
       
 
       
          access = mkOption {

     

       
64
       
-
       
            type = either (listOf (enum [

     

       
65
       
-
       
              "all"

     

       
66
       
-
       
              "add"

     

       
67
       
-
       
              "cpw"

     

       
68
       
-
       
              "delete"

     

       
69
       
-
       
              "get-keys"

     

       
70
       
-
       
              "get"

     

       
71
       
-
       
              "list"

     

       
72
       
-
       
              "modify"

     

       
73
       
-
       
            ])) (enum [ "all" ]);

     

       
0
       
 
       

     

       
0
       
 
       

     

       
74
       
 
       
            default = "all";

     

       
75
       
 
       
            description = ''

     

       
76
       
 
       
              The changes the principal is allowed to make.

     
···

       
78
       
 
       
              :::{.important}

     

       
79
       
 
       
              The "all" permission does not imply the "get-keys" permission. This

     

       
80
       
 
       
              is consistent with the behavior of both MIT Kerberos and Heimdal.

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
81
       
 
       
              :::

     

       
82
       
 
       
            '';

     

       
83
       
 
       
          };

     

···

       
61
       
 
       
            description = "Which principal the rule applies to";

     

       
62
       
 
       
          };

     

       
63
       
 
       
          access = mkOption {

     

       
64
       
+
       
            type = coercedTo str singleton (

     

       
65
       
+
       
              listOf (enum [

     

       
66
       
+
       
                "all"

     

       
67
       
+
       
                "add"

     

       
68
       
+
       
                "cpw"

     

       
69
       
+
       
                "delete"

     

       
70
       
+
       
                "get-keys"

     

       
71
       
+
       
                "get"

     

       
72
       
+
       
                "list"

     

       
73
       
+
       
                "modify"

     

       
74
       
+
       
              ])

     

       
75
       
+
       
            );

     

       
76
       
 
       
            default = "all";

     

       
77
       
 
       
            description = ''

     

       
78
       
 
       
              The changes the principal is allowed to make.

     
···

       
80
       
 
       
              :::{.important}

     

       
81
       
 
       
              The "all" permission does not imply the "get-keys" permission. This

     

       
82
       
 
       
              is consistent with the behavior of both MIT Kerberos and Heimdal.

     

       
83
       
+
       
              :::

     

       
84
       
+
       


     

       
85
       
+
       
              :::{.warning}

     

       
86
       
+
       
              Value "all" is allowed as a list member only if it appears alone

     

       
87
       
+
       
              or accompanied by "get-keys". Any other combination involving

     

       
88
       
+
       
              "all" will raise an exception.

     

       
89
       
 
       
              :::

     

       
90
       
 
       
            '';

     

       
91
       
 
       
          };

     

···

       
55
       
 
       
        assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1;

     

       
56
       
 
       
        message = "Only one realm per server is currently supported.";

     

       
57
       
 
       
      }

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
58
       
 
       
    ];

     

       
59
       
 
       


     

       
60
       
 
       
    systemd.slices.system-kerberos-server = { };

     

···

       
55
       
 
       
        assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1;

     

       
56
       
 
       
        message = "Only one realm per server is currently supported.";

     

       
57
       
 
       
      }

     

       
58
       
+
       
      {

     

       
59
       
+
       
        assertion =

     

       
60
       
+
       
          let

     

       
61
       
+
       
            inherit (builtins) attrValues elem length;

     

       
62
       
+
       
            realms = attrValues cfg.settings.realms;

     

       
63
       
+
       
            accesses = lib.concatMap (r: map (a: a.access) r.acl) realms;

     

       
64
       
+
       
            property = a: !elem "all" a || (length a <= 1) || (length a <= 2 && elem "get-keys" a);

     

       
65
       
+
       
          in

     

       
66
       
+
       
          builtins.all property accesses;

     

       
67
       
+
       
        message = "Cannot specify \"all\" in a list with additional permissions other than \"get-keys\"";

     

       
68
       
+
       
      }

     

       
69
       
 
       
    ];

     

       
70
       
 
       


     

       
71
       
 
       
    systemd.slices.system-kerberos-server = { };