2020-04-24 23:36:52 +00:00
|
|
|
{config, lib, ...}:
|
|
|
|
|
|
|
|
let
|
|
|
|
inherit (lib) mkOption mkIf types length attrNames;
|
|
|
|
cfg = config.services.kerberos_server;
|
2024-01-13 08:15:51 +00:00
|
|
|
kerberos = config.security.krb5.package;
|
2020-04-24 23:36:52 +00:00
|
|
|
|
|
|
|
aclEntry = {
|
|
|
|
options = {
|
|
|
|
principal = mkOption {
|
|
|
|
type = types.str;
|
2022-08-21 13:32:41 +00:00
|
|
|
description = lib.mdDoc "Which principal the rule applies to";
|
2020-04-24 23:36:52 +00:00
|
|
|
};
|
|
|
|
access = mkOption {
|
|
|
|
type = types.either
|
|
|
|
(types.listOf (types.enum ["add" "cpw" "delete" "get" "list" "modify"]))
|
|
|
|
(types.enum ["all"]);
|
|
|
|
default = "all";
|
2022-08-21 13:32:41 +00:00
|
|
|
description = lib.mdDoc "The changes the principal is allowed to make.";
|
2020-04-24 23:36:52 +00:00
|
|
|
};
|
|
|
|
target = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "*";
|
2022-08-21 13:32:41 +00:00
|
|
|
description = lib.mdDoc "The principals that 'access' applies to.";
|
2020-04-24 23:36:52 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
realm = {
|
|
|
|
options = {
|
|
|
|
acl = mkOption {
|
|
|
|
type = types.listOf (types.submodule aclEntry);
|
|
|
|
default = [
|
|
|
|
{ principal = "*/admin"; access = "all"; }
|
|
|
|
{ principal = "admin"; access = "all"; }
|
|
|
|
];
|
2022-08-21 13:32:41 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
The privileges granted to a user.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
imports = [
|
|
|
|
./mit.nix
|
|
|
|
./heimdal.nix
|
|
|
|
];
|
|
|
|
|
|
|
|
###### interface
|
|
|
|
options = {
|
|
|
|
services.kerberos_server = {
|
2022-12-28 21:21:41 +00:00
|
|
|
enable = lib.mkEnableOption (lib.mdDoc "the kerberos authentication server");
|
2020-04-24 23:36:52 +00:00
|
|
|
|
|
|
|
realms = mkOption {
|
|
|
|
type = types.attrsOf (types.submodule realm);
|
2022-08-21 13:32:41 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
The realm(s) to serve keys for.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
###### implementation
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
environment.systemPackages = [ kerberos ];
|
|
|
|
assertions = [{
|
|
|
|
assertion = length (attrNames cfg.realms) <= 1;
|
|
|
|
message = "Only one realm per server is currently supported.";
|
|
|
|
}];
|
|
|
|
};
|
|
|
|
}
|