e7ec2969af
GitOrigin-RevId: 9b19f5e77dd906cb52dade0b7bd280339d2a1f3d
75 lines
1.8 KiB
Nix
75 lines
1.8 KiB
Nix
{config, lib, ...}:
|
|
|
|
let
|
|
inherit (lib) mkOption mkIf types length attrNames;
|
|
cfg = config.services.kerberos_server;
|
|
kerberos = config.security.krb5.package;
|
|
|
|
aclEntry = {
|
|
options = {
|
|
principal = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "Which principal the rule applies to";
|
|
};
|
|
access = mkOption {
|
|
type = types.either
|
|
(types.listOf (types.enum ["add" "cpw" "delete" "get" "list" "modify"]))
|
|
(types.enum ["all"]);
|
|
default = "all";
|
|
description = lib.mdDoc "The changes the principal is allowed to make.";
|
|
};
|
|
target = mkOption {
|
|
type = types.str;
|
|
default = "*";
|
|
description = lib.mdDoc "The principals that 'access' applies to.";
|
|
};
|
|
};
|
|
};
|
|
|
|
realm = {
|
|
options = {
|
|
acl = mkOption {
|
|
type = types.listOf (types.submodule aclEntry);
|
|
default = [
|
|
{ principal = "*/admin"; access = "all"; }
|
|
{ principal = "admin"; access = "all"; }
|
|
];
|
|
description = lib.mdDoc ''
|
|
The privileges granted to a user.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
in
|
|
|
|
{
|
|
imports = [
|
|
./mit.nix
|
|
./heimdal.nix
|
|
];
|
|
|
|
###### interface
|
|
options = {
|
|
services.kerberos_server = {
|
|
enable = lib.mkEnableOption (lib.mdDoc "the kerberos authentication server");
|
|
|
|
realms = mkOption {
|
|
type = types.attrsOf (types.submodule realm);
|
|
description = lib.mdDoc ''
|
|
The realm(s) to serve keys for.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
|
|
###### implementation
|
|
|
|
config = mkIf cfg.enable {
|
|
environment.systemPackages = [ kerberos ];
|
|
assertions = [{
|
|
assertion = length (attrNames cfg.realms) <= 1;
|
|
message = "Only one realm per server is currently supported.";
|
|
}];
|
|
};
|
|
}
|