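{
  config,
  pkgs,
  lib,
  ...
}:

# NixOS module for a Kerberos KDC. The implementation-specific parts live in
# ./mit.nix and ./heimdal.nix; this file holds the shared options, the
# build-time assertions on the configuration, and the systemd slice/target
# that both backends attach to.
let
  inherit (lib) mkOption;

  cfg = config.services.kerberos_server;

  # The server is built from the same Kerberos implementation package that
  # the client side (security.krb5) is configured with.
  inherit (config.security.krb5) package;

  # Shared krb5/kdc.conf format. KDC ACL entries are enabled so that
  # `settings.realms.<name>.acl` is accepted by the format's type (the exact
  # checks the format applies live in krb5-conf-format.nix, not here).
  format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } {
    enableKdcACLEntries = true;
  };
in

{
  imports = [
    # `services.kerberos_server.realms` moved under `settings`; keep the old
    # path working for existing configurations.
    (lib.mkRenamedOptionModule
      [ "services" "kerberos_server" "realms" ]
      [ "services" "kerberos_server" "settings" "realms" ]
    )
    ./mit.nix
    ./heimdal.nix
  ];

  options = {
    services.kerberos_server = {
      enable = lib.mkEnableOption "the kerberos authentication server";

      settings = mkOption {
        type = format.type;
        description = ''
          Settings for the kerberos server of choice.

          See the following documentation:
          - Heimdal: {manpage}`kdc.conf(5)`
          - MIT Kerberos: <https://web.mit.edu/kerberos/krb5-1.21/doc/admin/conf_files/kdc_conf.html>
        '';
        default = { };
      };
    };
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ package ];

    # All of these are evaluated at build time, so a misconfiguration fails
    # evaluation instead of producing a KDC that starts with an unintended
    # realm set or ACL.
    assertions = [
      # A KDC without a realm has nothing to serve.
      {
        assertion = cfg.settings.realms != { };
        message = "The server needs at least one realm";
      }
      # Only a single realm per server is supported by the backends.
      {
        assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1;
        message = "Only one realm per server is currently supported.";
      }
      # Reject ACL `access` lists that combine "all" with any permission
      # other than "get-keys". The only accepted shapes containing "all" are
      # [ "all" ] and [ "all" "get-keys" ] (in either order).
      # NOTE(review): this walks `r.acl` of every realm, so each realm value
      # is expected to carry an `acl` list — presumably guaranteed by the
      # format's type with enableKdcACLEntries; confirm against the format.
      {
        assertion =
          let
            inherit (builtins) all attrValues elem length;
            realms = attrValues cfg.settings.realms;
            # Every `access` list of every ACL entry across all realms.
            accesses = lib.concatMap (r: map (a: a.access) r.acl) realms;
            # Lists without "all" are always fine; with "all" present the
            # list may hold at most one extra entry, and only "get-keys".
            property = a: !elem "all" a || (length a <= 1) || (length a <= 2 && elem "get-keys" a);
          in
          all property accesses;
        message = "Cannot specify \"all\" in a list with additional permissions other than \"get-keys\"";
      }
    ];

    # Shared slice and target; the backend units hook into these.
    systemd.slices.system-kerberos-server = { };
    systemd.targets.kerberos-server = {
      wantedBy = [ "multi-user.target" ];
    };
  };

  meta = {
    doc = ./kerberos-server.md;
  };
}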