blob: 4ed48e463741a88fb6a653565231d9109d051a77 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
{config, lib, ...}:
let
inherit (lib) mkOption mkIf types length attrNames;
cfg = config.services.kerberos_server;
kerberos = config.krb5.kerberos;
aclEntry = {
options = {
principal = mkOption {
type = types.str;
description = lib.mdDoc "Which principal the rule applies to";
};
access = mkOption {
type = types.either
(types.listOf (types.enum ["add" "cpw" "delete" "get" "list" "modify"]))
(types.enum ["all"]);
default = "all";
description = lib.mdDoc "The changes the principal is allowed to make.";
};
target = mkOption {
type = types.str;
default = "*";
description = lib.mdDoc "The principals that 'access' applies to.";
};
};
};
realm = {
options = {
acl = mkOption {
type = types.listOf (types.submodule aclEntry);
default = [
{ principal = "*/admin"; access = "all"; }
{ principal = "admin"; access = "all"; }
];
description = lib.mdDoc ''
The privileges granted to a user.
'';
};
};
};
in
{
imports = [
./mit.nix
./heimdal.nix
];
###### interface
options = {
services.kerberos_server = {
enable = lib.mkEnableOption (lib.mdDoc "the kerberos authentication server");
realms = mkOption {
type = types.attrsOf (types.submodule realm);
description = lib.mdDoc ''
The realm(s) to serve keys for.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ kerberos ];
assertions = [{
assertion = length (attrNames cfg.realms) <= 1;
message = "Only one realm per server is currently supported.";
}];
};
}
|