kerberos_server: Keep ACL file in store

Could also move kdc.conf, but this makes it inconvenient to use command line utilities with heimdal, as it would require specifying --config-file with every command.
2025-07-13 21:50:33 +03:00 · 2017-11-13 13:09:35 +00:00 · 2017-11-13 13:09:35 +00:00 · 4e4a599e7e
commit 4e4a599e7e
parent 6cca9c0f9f
2 changed files with 25 additions and 37 deletions
--- a/nixos/modules/services/system/kerberos/heimdal.nix
+++ b/nixos/modules/services/system/kerberos/heimdal.nix
@ -1,25 +1,23 @@
 { pkgs, config, lib, ... } :
 let
-  inherit (lib) mkIf concatStringsSep concatMapStrings toList mapAttrs'
+  inherit (lib) mkIf concatStringsSep concatMapStrings toList mapAttrs
-    nameValuePair attrNames attrValues;
+    mapAttrsToList attrValues;
  cfg = config.services.kerberos_server;
  kerberos = config.krb5.kerberos;
  stateDir = "/var/heimdal";
-  aclFiles = mapAttrs'
+  aclFiles = mapAttrs
-    (name: {acl, ...}: nameValuePair "${name}.acl" (
+    (name: {acl, ...}: pkgs.writeText "${name}.acl" (concatMapStrings ((
-      pkgs.writeText "${name}.acl" (concatMapStrings ((
+      {principal, access, target, ...} :
-        {principal, access, target, ...} :
+      "${principal}\t${concatStringsSep "," (toList access)}\t${target}\n"
-        "${principal}\t${concatStringsSep "," (toList access)}\t${target}\n"
+    )) acl)) cfg.realms;
      )) acl)
    )) cfg.realms;
-  kdcConfigs = map (name: ''
+  kdcConfigs = mapAttrsToList (name: value: ''
    database = {
      dbname = ${stateDir}/heimdal
-      acl_file = /etc/heimdal-kdc/${name}.acl
+      acl_file = ${value}
    }
-  '') (attrNames cfg.realms);
+  '') aclFiles;
  kdcConfFile = pkgs.writeText "kdc.conf" ''
    [kdc]
    ${concatStringsSep "\n" kdcConfigs}
@ -38,7 +36,7 @@ in
      '';
      serviceConfig.ExecStart =
        "${kerberos}/libexec/heimdal/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
-      restartTriggers = [ kdcConfFile ] ++ (attrValues aclFiles);
+      restartTriggers = [ kdcConfFile ];
    };
    systemd.services.kdc = {
@ -59,16 +57,12 @@ in
        mkdir -m 0755 -p ${stateDir}
      '';
      serviceConfig.ExecStart = "${kerberos}/libexec/heimdal/kpasswdd";
-      restartTriggers = [ kdcConfFile ] ++ (attrValues aclFiles);
+      restartTriggers = [ kdcConfFile ];
    };
    environment.etc = {
      # Can be set via the --config-file option to KDC
      "heimdal-kdc/kdc.conf".source = kdcConfFile;
-    } // (
+    };
      mapAttrs'
      (name: value: nameValuePair "heimdal-kdc/${name}" {source = value;})
      aclFiles
    );
  };
 }
--- a/nixos/modules/services/system/kerberos/mit.nix
+++ b/nixos/modules/services/system/kerberos/mit.nix
@ -2,7 +2,7 @@
 let
  inherit (lib) mkIf concatStrings concatStringsSep concatMapStrings toList
-    mapAttrs' nameValuePair attrNames attrValues;
+    mapAttrs mapAttrsToList attrValues;
  cfg = config.services.kerberos_server;
  kerberos = config.krb5.kerberos;
  stateDir = "/var/lib/krb5kdc";
@ -11,19 +11,17 @@ let
    add = "a"; cpw = "c"; delete = "d"; get = "i"; list = "l"; modify = "m";
    all = "*";
  };
-  aclFiles = mapAttrs'
+  aclFiles = mapAttrs
-    (name: {acl, ...}: nameValuePair "${name}.acl" (
+    (name: {acl, ...}: (pkgs.writeText "${name}.acl" (concatMapStrings (
-      pkgs.writeText "${name}.acl" (concatMapStrings (
+      {principal, access, target, ...} :
-        {principal, access, target, ...} :
+      let access_code = map (a: aclMap.${a}) (toList access); in
-        let access_code = map (a: aclMap.${a}) (toList access); in
+      "${principal} ${concatStrings access_code} ${target}\n"
-        "${principal} ${concatStrings access_code} ${target}\n"
+    ) acl))) cfg.realms;
-      ) acl)
+  kdcConfigs = mapAttrsToList (name: value: ''
    )) cfg.realms;
  kdcConfigs = map (name: ''
    ${name} = {
-      acl_file = /etc/krb5kdc/${name}.acl
+      acl_file = ${value}
    }
-  '') (attrNames cfg.realms);
+  '') aclFiles;
  kdcConfFile = pkgs.writeText "kdc.conf" ''
    [realms]
    ${concatStringsSep "\n" kdcConfigs}
@ -43,7 +41,7 @@ in
        mkdir -m 0755 -p ${stateDir}
      '';
      serviceConfig.ExecStart = "${kerberos}/bin/kadmind -nofork";
-      restartTriggers = [ kdcConfFile ] ++ (attrValues aclFiles);
+      restartTriggers = [ kdcConfFile ];
      environment = env;
    };
@ -64,11 +62,7 @@ in
    environment.etc = {
      "krb5kdc/kdc.conf".source = kdcConfFile;
-    } // (
+    };
      mapAttrs'
      (name: value: nameValuePair "krb5kdc/${name}" {source = value;})
      aclFiles
    );
    environment.variables = env;
  };
 }