pyrox.dev / nixpkgs
lol
fork atom

nixos/krb5: move to security.krb5

Marco Rebhan fed77d17 92a541c0

options
unified split
Changed files
+22 -22
nixos
doc
manual
release-notes
rl-2405.section.md
modules
module-list.nix
security
ipa.nix
krb5
default.nix
krb5-conf-format.nix
pam.nix
services
system
kerberos
default.nix
heimdal.nix
mit.nix
tests
kerberos
heimdal.nix
mit.nix
krb5
example-config.nix
nfs
kerberos.nix
pam
pam-file-contents.nix
+1 -1
nixos/doc/manual/release-notes/rl-2405.section.md 
···

       
94

       
94

       
 

       
- `services.zfs.zed.enableMail` now uses the global `sendmail` wrapper defined by an email module


     

       
95

       
95

       
 

       
  (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support.


     

       
96

       
96

       
 

       



     

       
97

       

       
-

       
- The `krb5` module has been rewritten, moving all options but `krb5.enable` and `krb5.package` into `krb5.settings`.


     

       

       
97

       
+

       
- The `krb5` module has been rewritten and moved to `security.krb5`, moving all options but `security.krb5.enable` and `security.krb5.package` into `security.krb5.settings`.


     

       
98

       
98

       
 

       



     

       
99

       
99

       
 

       
- Gitea 1.21 upgrade has several breaking changes, including:


     

       
100

       
100

       
 

       
  - Custom themes and other assets that were previously stored in `custom/public/*` now belong in `custom/public/assets/*`
+5 -5
nixos/modules/config/krb5/default.nix nixos/modules/security/krb5/default.nix 
···

       
5

       
5

       
 

       



     

       
6

       
6

       
 

       
  mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;


     

       
7

       
7

       
 

       
  mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''


     

       
8

       

       
-

       
    The option `krb5.${name}' has been removed. Use `krb5.settings.${name}' for


     

       
9

       

       
-

       
    structured configuration.


     

       

       
8

       
+

       
    The option `krb5.${name}' has been removed. Use


     

       

       
9

       
+

       
    `security.krb5.settings.${name}' for structured configuration.


     

       
10

       
10

       
 

       
  '';


     

       
11

       
11

       
 

       



     

       
12

       

       
-

       
  cfg = config.krb5;


     

       

       
12

       
+

       
  cfg = config.security.krb5;


     

       
13

       
13

       
 

       
  format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };


     

       
14

       
14

       
 

       
in {


     

       
15

       
15

       
 

       
  imports = [


     
···

       
22

       
22

       
 

       
    (mkRemovedOptionModuleCfg "config")


     

       
23

       
23

       
 

       
    (mkRemovedOptionModuleCfg "extraConfig")


     

       
24

       
24

       
 

       
    (mkRemovedOptionModule' "kerberos" ''


     

       
25

       

       
-

       
      The option `krb5.kerberos' has been moved to `krb5.package'.


     

       

       
25

       
+

       
      The option `krb5.kerberos' has been moved to `security.krb5.package'.


     

       
26

       
26

       
 

       
    '')


     

       
27

       
27

       
 

       
  ];


     

       
28

       
28

       
 

       



     

       
29

       
29

       
 

       
  options = {


     

       
30

       

       
-

       
    krb5 = {


     

       

       
30

       
+

       
    security.krb5 = {


     

       
31

       
31

       
 

       
      enable = mkOption {


     

       
32

       
32

       
 

       
        default = false;


     

       
33

       
33

       
 

       
        description = mdDoc "Enable and configure Kerberos utilities";
nixos/modules/config/krb5/krb5-conf-format.nix nixos/modules/security/krb5/krb5-conf-format.nix
+1 -1
nixos/modules/module-list.nix 
···

       
10

       
10

       
 

       
  ./config/gtk/gtk-icon-cache.nix


     

       
11

       
11

       
 

       
  ./config/i18n.nix


     

       
12

       
12

       
 

       
  ./config/iproute2.nix


     

       
13

       

       
-

       
  ./config/krb5/default.nix


     

       
14

       
13

       
 

       
  ./config/ldap.nix


     

       
15

       
14

       
 

       
  ./config/ldso.nix


     

       
16

       
15

       
 

       
  ./config/locale.nix


     
···

       
308

       
307

       
 

       
  ./security/duosec.nix


     

       
309

       
308

       
 

       
  ./security/google_oslogin.nix


     

       
310

       
309

       
 

       
  ./security/ipa.nix


     

       

       
310

       
+

       
  ./security/krb5


     

       
311

       
311

       
 

       
  ./security/lock-kernel-modules.nix


     

       
312

       
312

       
 

       
  ./security/misc.nix


     

       
313

       
313

       
 

       
  ./security/oath.nix
+2 -2
nixos/modules/security/ipa.nix 
···

       
117

       
117

       
 

       
  config = mkIf cfg.enable {


     

       
118

       
118

       
 

       
    assertions = [


     

       
119

       
119

       
 

       
      {


     

       
120

       

       
-

       
        assertion = !config.krb5.enable;


     

       
121

       

       
-

       
        message = "krb5 must be disabled through `krb5.enable` for FreeIPA integration to work.";


     

       

       
120

       
+

       
        assertion = !config.security.krb5.enable;


     

       

       
121

       
+

       
        message = "krb5 must be disabled through `security.krb5.enable` for FreeIPA integration to work.";


     

       
122

       
122

       
 

       
      }


     

       
123

       
123

       
 

       
      {


     

       
124

       
124

       
 

       
        assertion = !config.users.ldap.enable;
+3 -3
nixos/modules/security/pam.nix 
···

       
1067

       
1067

       
 

       



     

       
1068

       
1068

       
 

       
    security.pam.krb5 = {


     

       
1069

       
1069

       
 

       
      enable = mkOption {


     

       
1070

       

       
-

       
        default = config.krb5.enable;


     

       
1071

       

       
-

       
        defaultText = literalExpression "config.krb5.enable";


     

       

       
1070

       
+

       
        default = config.security.krb5.enable;


     

       

       
1071

       
+

       
        defaultText = literalExpression "config.security.krb5.enable";


     

       
1072

       
1072

       
 

       
        type = types.bool;


     

       
1073

       
1073

       
 

       
        description = lib.mdDoc ''


     

       
1074

       
1074

       
 

       
          Enables Kerberos PAM modules (`pam-krb5`,


     
···

       
1076

       
1076

       
 

       



     

       
1077

       
1077

       
 

       
          If set, users can authenticate with their Kerberos password.


     

       
1078

       
1078

       
 

       
          This requires a valid Kerberos configuration


     

       
1079

       

       
-

       
          (`config.krb5.enable` should be set to


     

       

       
1079

       
+

       
          (`config.security.krb5.enable` should be set to


     

       
1080

       
1080

       
 

       
          `true`).


     

       
1081

       
1081

       
 

       



     

       
1082

       
1082

       
 

       
          Note that the Kerberos PAM modules are not necessary when using SSS
+1 -1
nixos/modules/services/system/kerberos/default.nix 
···

       
3

       
3

       
 

       
let


     

       
4

       
4

       
 

       
  inherit (lib) mkOption mkIf types length attrNames;


     

       
5

       
5

       
 

       
  cfg = config.services.kerberos_server;


     

       
6

       

       
-

       
  kerberos = config.krb5.package;


     

       

       
6

       
+

       
  kerberos = config.security.krb5.package;


     

       
7

       
7

       
 

       



     

       
8

       
8

       
 

       
  aclEntry = {


     

       
9

       
9

       
 

       
    options = {
+1 -1
nixos/modules/services/system/kerberos/heimdal.nix 
···

       
4

       
4

       
 

       
  inherit (lib) mkIf concatStringsSep concatMapStrings toList mapAttrs


     

       
5

       
5

       
 

       
    mapAttrsToList;


     

       
6

       
6

       
 

       
  cfg = config.services.kerberos_server;


     

       
7

       

       
-

       
  kerberos = config.krb5.package;


     

       

       
7

       
+

       
  kerberos = config.security.krb5.package;


     

       
8

       
8

       
 

       
  stateDir = "/var/heimdal";


     

       
9

       
9

       
 

       
  aclFiles = mapAttrs


     

       
10

       
10

       
 

       
    (name: {acl, ...}: pkgs.writeText "${name}.acl" (concatMapStrings ((
+1 -1
nixos/modules/services/system/kerberos/mit.nix 
···

       
4

       
4

       
 

       
  inherit (lib) mkIf concatStrings concatStringsSep concatMapStrings toList


     

       
5

       
5

       
 

       
    mapAttrs mapAttrsToList;


     

       
6

       
6

       
 

       
  cfg = config.services.kerberos_server;


     

       
7

       

       
-

       
  kerberos = config.krb5.package;


     

       

       
7

       
+

       
  kerberos = config.security.krb5.package;


     

       
8

       
8

       
 

       
  stateDir = "/var/lib/krb5kdc";


     

       
9

       
9

       
 

       
  PIDFile = "/run/kdc.pid";


     

       
10

       
10

       
 

       
  aclMap = {
+1 -1
nixos/tests/kerberos/heimdal.nix 
···

       
7

       
7

       
 

       
        "FOO.BAR".acl = [{principal = "admin"; access = ["add" "cpw"];}];


     

       
8

       
8

       
 

       
      };


     

       
9

       
9

       
 

       
    };


     

       
10

       

       
-

       
    krb5 = {


     

       

       
10

       
+

       
    security.krb5 = {


     

       
11

       
11

       
 

       
      enable = true;


     

       
12

       
12

       
 

       
      package = pkgs.heimdal;


     

       
13

       
13

       
 

       
      settings = {
+1 -1
nixos/tests/kerberos/mit.nix 
···

       
7

       
7

       
 

       
        "FOO.BAR".acl = [{principal = "admin"; access = ["add" "cpw"];}];


     

       
8

       
8

       
 

       
      };


     

       
9

       
9

       
 

       
    };


     

       
10

       

       
-

       
    krb5 = {


     

       

       
10

       
+

       
    security.krb5 = {


     

       
11

       
11

       
 

       
      enable = true;


     

       
12

       
12

       
 

       
      package = pkgs.krb5;


     

       
13

       
13

       
 

       
      settings = {
+1 -1
nixos/tests/krb5/example-config.nix 
···

       
9

       
9

       
 

       



     

       
10

       
10

       
 

       
  nodes.machine =


     

       
11

       
11

       
 

       
    { pkgs, ... }: {


     

       
12

       

       
-

       
      krb5 = {


     

       

       
12

       
+

       
      security.krb5 = {


     

       
13

       
13

       
 

       
        enable = true;


     

       
14

       
14

       
 

       
        package = pkgs.krb5;


     

       
15

       
15

       
 

       
        settings = {
+3 -3
nixos/tests/nfs/kerberos.nix 
···

       
1

       
1

       
 

       
import ../make-test-python.nix ({ pkgs, lib, ... }:


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
let


     

       
4

       

       
-

       
  krb5 = {


     

       

       
4

       
+

       
  security.krb5 = {


     

       
5

       
5

       
 

       
    enable = true;


     

       
6

       
6

       
 

       
    settings = {


     

       
7

       
7

       
 

       
      domain_realm."nfs.test" = "NFS.TEST";


     
···

       
34

       
34

       
 

       



     

       
35

       
35

       
 

       
  nodes = {


     

       
36

       
36

       
 

       
    client = { lib, ... }:


     

       
37

       

       
-

       
      { inherit krb5 users;


     

       

       
37

       
+

       
      { inherit security users;


     

       
38

       
38

       
 

       



     

       
39

       
39

       
 

       
        networking.extraHosts = hosts;


     

       
40

       
40

       
 

       
        networking.domain = "nfs.test";


     
···

       
50

       
50

       
 

       
      };


     

       
51

       
51

       
 

       



     

       
52

       
52

       
 

       
    server = { lib, ...}:


     

       
53

       

       
-

       
      { inherit krb5 users;


     

       

       
53

       
+

       
      { inherit security users;


     

       
54

       
54

       
 

       



     

       
55

       
55

       
 

       
        networking.extraHosts = hosts;


     

       
56

       
56

       
 

       
        networking.domain = "nfs.test";
+1 -1
nixos/tests/pam/pam-file-contents.nix 
···

       
7

       
7

       
 

       
  nodes.machine = { ... }: {


     

       
8

       
8

       
 

       
    imports = [ ../../modules/profiles/minimal.nix ];


     

       
9

       
9

       
 

       



     

       
10

       

       
-

       
    krb5.enable = true;


     

       

       
10

       
+

       
    security.krb5.enable = true;


     

       
11

       
11

       
 

       



     

       
12

       
12

       
 

       
    users = {


     

       
13

       
13

       
 

       
      mutableUsers = false;