nixpkgs/nixos/modules/services/system/kerberos/heimdal.nix

{
  pkgs,
  config,
  lib,
  ...
}:

let
  inherit (lib) mapAttrs;
  cfg = config.services.kerberos_server;
  package = config.security.krb5.package;

  aclConfigs = lib.pipe cfg.settings.realms [
    (mapAttrs (
      name:
      { acl, ... }:
      lib.concatMapStringsSep "\n" (
        {
          principal,
          access,
          target,
          ...
        }:
        if target != "*" && target != "" then
          "${principal}\t${lib.concatStringsSep "," (lib.toList access)}\t${target}"
        else
          "${principal}\t${lib.concatStringsSep "," (lib.toList access)}"
      ) acl
    ))
    (lib.mapAttrsToList (
      name: text: {
        dbname = "/var/lib/heimdal/heimdal";
        acl_file = pkgs.writeText "${name}.acl" text;
      }
    ))
  ];

  finalConfig = cfg.settings // {
    realms = mapAttrs (_: v: removeAttrs v [ "acl" ]) (cfg.settings.realms or { });
    kdc = (cfg.settings.kdc or { }) // {
      database = aclConfigs;
    };
  };

  format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } {
    enableKdcACLEntries = true;
  };

  kdcConfFile = format.generate "kdc.conf" finalConfig;
in

{
  config = lib.mkIf (cfg.enable && package.passthru.implementation == "heimdal") {
    environment.etc."heimdal-kdc/kdc.conf".source = kdcConfFile;

    systemd.tmpfiles.settings."10-heimdal" =
      let
        databases = lib.pipe finalConfig.kdc.database [
          (map (dbAttrs: dbAttrs.dbname or null))
          (lib.filter (x: x != null))
          lib.unique
        ];
      in
      lib.genAttrs databases (_: {
        d = {
          user = "root";
          group = "root";
          mode = "0700";
        };
      });

    systemd.services.kadmind = {
      description = "Kerberos Administration Daemon";
      partOf = [ "kerberos-server.target" ];
      wantedBy = [ "kerberos-server.target" ];
      documentation = [
        "man:kadmind(8)"
        "info:heimdal"
      ];
      serviceConfig = {
        ExecStart = "${package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
        Slice = "system-kerberos-server.slice";
        StateDirectory = "heimdal";
      };
      restartTriggers = [ kdcConfFile ];
    };

    systemd.services.kdc = {
      description = "Key Distribution Center daemon";
      partOf = [ "kerberos-server.target" ];
      wantedBy = [ "kerberos-server.target" ];
      documentation = [
        "man:kdc(8)"
        "info:heimdal"
      ];
      serviceConfig = {
        ExecStart = "${package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
        Slice = "system-kerberos-server.slice";
        StateDirectory = "heimdal";
      };
      restartTriggers = [ kdcConfFile ];
    };

    systemd.services.kpasswdd = {
      description = "Kerberos Password Changing daemon";
      partOf = [ "kerberos-server.target" ];
      wantedBy = [ "kerberos-server.target" ];
      documentation = [
        "man:kpasswdd(8)"
        "info:heimdal"
      ];
      serviceConfig = {
        ExecStart = "${package}/libexec/kpasswdd";
        Slice = "system-kerberos-server.slice";
        StateDirectory = "heimdal";
      };
      restartTriggers = [ kdcConfFile ];
    };
  };
}
kerberos-server: add kerberos option Allow switching out kerberos server implementation. Sharing config is probably sensible, but implementation is different enough to be worth splitting into two files. Not sure this is the correct way to split an implementation, but it works for now. Uses the switch from config.krb5 to select implementation. 2017-11-06 17:41:34 +00:00			`{`
			`pkgs,`
			`config,`
			`lib,`
			`...`
			`}:`

			`let`
nixos/kerberos_server: use krb format generator, plus misc cleanup - Introduce more possible options by using the krb format generator. - Enforce package choice is using a correct package. - Use meta attribute to decide implementation, allows for overriding the package. - Make necessary changes to the format, to allow for multiple ACL files in heimdal. - Add systemd target and slice for both implementations. - Move state to `/var/lib` - Add documentation 2023-12-09 01:16:54 +01:00			`inherit (lib) mapAttrs;`
kerberos-server: add kerberos option Allow switching out kerberos server implementation. Sharing config is probably sensible, but implementation is different enough to be worth splitting into two files. Not sure this is the correct way to split an implementation, but it works for now. Uses the switch from config.krb5 to select implementation. 2017-11-06 17:41:34 +00:00			`cfg = config.services.kerberos_server;`
nixos/kerberos_server: use krb format generator, plus misc cleanup - Introduce more possible options by using the krb format generator. - Enforce package choice is using a correct package. - Use meta attribute to decide implementation, allows for overriding the package. - Make necessary changes to the format, to allow for multiple ACL files in heimdal. - Add systemd target and slice for both implementations. - Move state to `/var/lib` - Add documentation 2023-12-09 01:16:54 +01:00			`package = config.security.krb5.package;`
kerberos-server: add kerberos option Allow switching out kerberos server implementation. Sharing config is probably sensible, but implementation is different enough to be worth splitting into two files. Not sure this is the correct way to split an implementation, but it works for now. Uses the switch from config.krb5 to select implementation. 2017-11-06 17:41:34 +00:00
nixos/kerberos_server: use krb format generator, plus misc cleanup - Introduce more possible options by using the krb format generator. - Enforce package choice is using a correct package. - Use meta attribute to decide implementation, allows for overriding the package. - Make necessary changes to the format, to allow for multiple ACL files in heimdal. - Add systemd target and slice for both implementations. - Move state to `/var/lib` - Add documentation 2023-12-09 01:16:54 +01:00			`aclConfigs = lib.pipe cfg.settings.realms [`
			`(mapAttrs (`
			`name:`
			`{ acl, ... }:`
			`lib.concatMapStringsSep "\n" (`
			`{`
			`principal,`
			`access,`
			`target,`
			`...`
			`}:`
nixos/heimdal: correctly handle multitarget principals 2025-03-11 18:41:54 +01:00			`if target != "*" && target != "" then`
			`"${principal}\t${lib.concatStringsSep "," (lib.toList access)}\t${target}"`
			`else`
			`"${principal}\t${lib.concatStringsSep "," (lib.toList access)}"`
nixos/kerberos_server: use krb format generator, plus misc cleanup - Introduce more possible options by using the krb format generator. - Enforce package choice is using a correct package. - Use meta attribute to decide implementation, allows for overriding the package. - Make necessary changes to the format, to allow for multiple ACL files in heimdal. - Add systemd target and slice for both implementations. - Move state to `/var/lib` - Add documentation 2023-12-09 01:16:54 +01:00			`) acl`
			`))`
			`(lib.mapAttrsToList (`
			`name: text: {`
			`dbname = "/var/lib/heimdal/heimdal";`
			`acl_file = pkgs.writeText "${name}.acl" text;`
			`}`
			`))`
			`];`

			`finalConfig = cfg.settings // {`
			`realms = mapAttrs (_: v: removeAttrs v [ "acl" ]) (cfg.settings.realms or { });`
			`kdc = (cfg.settings.kdc or { }) // {`
			`database = aclConfigs;`
			`};`
			`};`

			`format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } {`
			`enableKdcACLEntries = true;`
			`};`

			`kdcConfFile = format.generate "kdc.conf" finalConfig;`
kerberos-server: add kerberos option Allow switching out kerberos server implementation. Sharing config is probably sensible, but implementation is different enough to be worth splitting into two files. Not sure this is the correct way to split an implementation, but it works for now. Uses the switch from config.krb5 to select implementation. 2017-11-06 17:41:34 +00:00			`in`

			`{`
nixos/kerberos_server: use krb format generator, plus misc cleanup - Introduce more possible options by using the krb format generator. - Enforce package choice is using a correct package. - Use meta attribute to decide implementation, allows for overriding the package. - Make necessary changes to the format, to allow for multiple ACL files in heimdal. - Add systemd target and slice for both implementations. - Move state to `/var/lib` - Add documentation 2023-12-09 01:16:54 +01:00			`config = lib.mkIf (cfg.enable && package.passthru.implementation == "heimdal") {`
			`environment.etc."heimdal-kdc/kdc.conf".source = kdcConfFile;`

			`systemd.tmpfiles.settings."10-heimdal" =`
			`let`
			`databases = lib.pipe finalConfig.kdc.database [`
			`(map (dbAttrs: dbAttrs.dbname or null))`
			`(lib.filter (x: x != null))`
			`lib.unique`
			`];`
			`in`
			`lib.genAttrs databases (_: {`
			`d = {`
			`user = "root";`
			`group = "root";`
			`mode = "0700";`
			`};`
			`});`
kerberos-server: add kerberos option Allow switching out kerberos server implementation. Sharing config is probably sensible, but implementation is different enough to be worth splitting into two files. Not sure this is the correct way to split an implementation, but it works for now. Uses the switch from config.krb5 to select implementation. 2017-11-06 17:41:34 +00:00
			`systemd.services.kadmind = {`
			`description = "Kerberos Administration Daemon";`
nixos/kerberos_server: use krb format generator, plus misc cleanup - Introduce more possible options by using the krb format generator. - Enforce package choice is using a correct package. - Use meta attribute to decide implementation, allows for overriding the package. - Make necessary changes to the format, to allow for multiple ACL files in heimdal. - Add systemd target and slice for both implementations. - Move state to `/var/lib` - Add documentation 2023-12-09 01:16:54 +01:00			`partOf = [ "kerberos-server.target" ];`
			`wantedBy = [ "kerberos-server.target" ];`
nixos/heimdal: add documentation to systemd units 2025-03-11 18:41:54 +01:00			`documentation = [`
			`"man:kadmind(8)"`
			`"info:heimdal"`
			`];`
nixos/kerberos_server: use krb format generator, plus misc cleanup - Introduce more possible options by using the krb format generator. - Enforce package choice is using a correct package. - Use meta attribute to decide implementation, allows for overriding the package. - Make necessary changes to the format, to allow for multiple ACL files in heimdal. - Add systemd target and slice for both implementations. - Move state to `/var/lib` - Add documentation 2023-12-09 01:16:54 +01:00			`serviceConfig = {`
			`ExecStart = "${package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";`
			`Slice = "system-kerberos-server.slice";`
			`StateDirectory = "heimdal";`
			`};`
kerberos_server: Keep ACL file in store Could also move kdc.conf, but this makes it inconvenient to use command line utilities with heimdal, as it would require specifying --config-file with every command. 2017-11-13 13:09:35 +00:00			`restartTriggers = [ kdcConfFile ];`
kerberos-server: add kerberos option Allow switching out kerberos server implementation. Sharing config is probably sensible, but implementation is different enough to be worth splitting into two files. Not sure this is the correct way to split an implementation, but it works for now. Uses the switch from config.krb5 to select implementation. 2017-11-06 17:41:34 +00:00			`};`

			`systemd.services.kdc = {`
			`description = "Key Distribution Center daemon";`
nixos/kerberos_server: use krb format generator, plus misc cleanup - Introduce more possible options by using the krb format generator. - Enforce package choice is using a correct package. - Use meta attribute to decide implementation, allows for overriding the package. - Make necessary changes to the format, to allow for multiple ACL files in heimdal. - Add systemd target and slice for both implementations. - Move state to `/var/lib` - Add documentation 2023-12-09 01:16:54 +01:00			`partOf = [ "kerberos-server.target" ];`
			`wantedBy = [ "kerberos-server.target" ];`
nixos/heimdal: add documentation to systemd units 2025-03-11 18:41:54 +01:00			`documentation = [`
			`"man:kdc(8)"`
			`"info:heimdal"`
			`];`
nixos/kerberos_server: use krb format generator, plus misc cleanup - Introduce more possible options by using the krb format generator. - Enforce package choice is using a correct package. - Use meta attribute to decide implementation, allows for overriding the package. - Make necessary changes to the format, to allow for multiple ACL files in heimdal. - Add systemd target and slice for both implementations. - Move state to `/var/lib` - Add documentation 2023-12-09 01:16:54 +01:00			`serviceConfig = {`
			`ExecStart = "${package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";`
			`Slice = "system-kerberos-server.slice";`
			`StateDirectory = "heimdal";`
			`};`
kerberos-server: add kerberos option Allow switching out kerberos server implementation. Sharing config is probably sensible, but implementation is different enough to be worth splitting into two files. Not sure this is the correct way to split an implementation, but it works for now. Uses the switch from config.krb5 to select implementation. 2017-11-06 17:41:34 +00:00			`restartTriggers = [ kdcConfFile ];`
			`};`

			`systemd.services.kpasswdd = {`
			`description = "Kerberos Password Changing daemon";`
nixos/kerberos_server: use krb format generator, plus misc cleanup - Introduce more possible options by using the krb format generator. - Enforce package choice is using a correct package. - Use meta attribute to decide implementation, allows for overriding the package. - Make necessary changes to the format, to allow for multiple ACL files in heimdal. - Add systemd target and slice for both implementations. - Move state to `/var/lib` - Add documentation 2023-12-09 01:16:54 +01:00			`partOf = [ "kerberos-server.target" ];`
			`wantedBy = [ "kerberos-server.target" ];`
nixos/heimdal: add documentation to systemd units 2025-03-11 18:41:54 +01:00			`documentation = [`
			`"man:kpasswdd(8)"`
			`"info:heimdal"`
			`];`
nixos/kerberos_server: use krb format generator, plus misc cleanup - Introduce more possible options by using the krb format generator. - Enforce package choice is using a correct package. - Use meta attribute to decide implementation, allows for overriding the package. - Make necessary changes to the format, to allow for multiple ACL files in heimdal. - Add systemd target and slice for both implementations. - Move state to `/var/lib` - Add documentation 2023-12-09 01:16:54 +01:00			`serviceConfig = {`
			`ExecStart = "${package}/libexec/kpasswdd";`
			`Slice = "system-kerberos-server.slice";`
			`StateDirectory = "heimdal";`
			`};`
kerberos_server: Keep ACL file in store Could also move kdc.conf, but this makes it inconvenient to use command line utilities with heimdal, as it would require specifying --config-file with every command. 2017-11-13 13:09:35 +00:00			`restartTriggers = [ kdcConfFile ];`
kerberos-server: add kerberos option Allow switching out kerberos server implementation. Sharing config is probably sensible, but implementation is different enough to be worth splitting into two files. Not sure this is the correct way to split an implementation, but it works for now. Uses the switch from config.krb5 to select implementation. 2017-11-06 17:41:34 +00:00			`};`
			`};`
			`}`