77 lines
2.2 KiB
Nix
77 lines
2.2 KiB
Nix
|
{ pkgs, config, lib, ... } :
|
||
|
|
||
|
let
|
||
|
inherit (lib) mapAttrs;
|
||
|
cfg = config.services.kerberos_server;
|
||
|
package = config.security.krb5.package;
|
||
|
PIDFile = "/run/kdc.pid";
|
||
|
|
||
|
format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } { enableKdcACLEntries = true; };
|
||
|
|
||
|
aclMap = {
|
||
|
add = "a"; cpw = "c"; delete = "d"; get = "i"; list = "l"; modify = "m";
|
||
|
all = "*";
|
||
|
};
|
||
|
|
||
|
aclConfigs = lib.pipe cfg.settings.realms [
|
||
|
(mapAttrs (name: { acl, ... }: lib.concatMapStringsSep "\n" (
|
||
|
{ principal, access, target, ... }: let
|
||
|
access_code = map (a: aclMap.${a}) (lib.toList access);
|
||
|
in "${principal} ${lib.concatStrings access_code} ${target}"
|
||
|
) acl))
|
||
|
|
||
|
(lib.concatMapAttrs (name: text: {
|
||
|
${name} = {
|
||
|
acl_file = pkgs.writeText "${name}.acl" text;
|
||
|
};
|
||
|
}))
|
||
|
];
|
||
|
|
||
|
finalConfig = cfg.settings // {
|
||
|
realms = mapAttrs (n: v: (removeAttrs v [ "acl" ]) // aclConfigs.${n}) (cfg.settings.realms or { });
|
||
|
};
|
||
|
|
||
|
kdcConfFile = format.generate "kdc.conf" finalConfig;
|
||
|
env = {
|
||
|
# What Debian uses, could possibly link directly to Nix store?
|
||
|
KRB5_KDC_PROFILE = "/etc/krb5kdc/kdc.conf";
|
||
|
};
|
||
|
in
|
||
|
|
||
|
{
|
||
|
config = lib.mkIf (cfg.enable && package.passthru.implementation == "krb5") {
|
||
|
environment = {
|
||
|
etc."krb5kdc/kdc.conf".source = kdcConfFile;
|
||
|
variables = env;
|
||
|
};
|
||
|
|
||
|
systemd.services.kadmind = {
|
||
|
description = "Kerberos Administration Daemon";
|
||
|
partOf = [ "kerberos-server.target" ];
|
||
|
wantedBy = [ "kerberos-server.target" ];
|
||
|
serviceConfig = {
|
||
|
ExecStart = "${package}/bin/kadmind -nofork";
|
||
|
Slice = "system-kerberos-server.slice";
|
||
|
StateDirectory = "krb5kdc";
|
||
|
};
|
||
|
restartTriggers = [ kdcConfFile ];
|
||
|
environment = env;
|
||
|
};
|
||
|
|
||
|
systemd.services.kdc = {
|
||
|
description = "Key Distribution Center daemon";
|
||
|
partOf = [ "kerberos-server.target" ];
|
||
|
wantedBy = [ "kerberos-server.target" ];
|
||
|
serviceConfig = {
|
||
|
Type = "forking";
|
||
|
PIDFile = PIDFile;
|
||
|
ExecStart = "${package}/bin/krb5kdc -P ${PIDFile}";
|
||
|
Slice = "system-kerberos-server.slice";
|
||
|
StateDirectory = "krb5kdc";
|
||
|
};
|
||
|
restartTriggers = [ kdcConfFile ];
|
||
|
environment = env;
|
||
|
};
|
||
|
};
|
||
|
}
|