nixos/kerberos_server: disallow combining "all" with policies != "get-keys"

2025-07-13 13:40:28 +03:00 · 2025-02-14 19:45:27 +01:00 · 2025-02-14 19:45:27 +01:00 · f500ae084a
commit f500ae084a
parent 00a8c125b0
2 changed files with 29 additions and 10 deletions
--- a/nixos/modules/services/system/kerberos/default.nix
+++ b/nixos/modules/services/system/kerberos/default.nix
@ -55,6 +55,17 @@ in
        assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1;
        message = "Only one realm per server is currently supported.";
      }
+      {
+        assertion =
+          let
+            inherit (builtins) attrValues elem length;
+            realms = attrValues cfg.settings.realms;
+            accesses = lib.concatMap (r: map (a: a.access) r.acl) realms;
+            property = a: !elem "all" a || (length a <= 1) || (length a <= 2 && elem "get-keys" a);
+          in
+          builtins.all property accesses;
+        message = "Cannot specify \"all\" in a list with additional permissions other than \"get-keys\"";
+      }
    ];

    systemd.slices.system-kerberos-server = { };