Diffstat (limited to 'nixpkgs/nixos/modules/services/system/kerberos/mit.nix')
-rw-r--r-- | nixpkgs/nixos/modules/services/system/kerberos/mit.nix | 78 |
1 files changed, 43 insertions, 35 deletions
diff --git a/nixpkgs/nixos/modules/services/system/kerberos/mit.nix b/nixpkgs/nixos/modules/services/system/kerberos/mit.nix
index a654bd1fe7e1..9ce58986e27a 100644
--- a/nixpkgs/nixos/modules/services/system/kerberos/mit.nix
+++ b/nixpkgs/nixos/modules/services/system/kerberos/mit.nix
@@ -1,31 +1,37 @@ { pkgs, config, lib, ... } : let - inherit (lib) mkIf concatStrings concatStringsSep concatMapStrings toList - mapAttrs mapAttrsToList; + inherit (lib) mapAttrs; cfg = config.services.kerberos_server; - kerberos = config.security.krb5.package; - stateDir = "/var/lib/krb5kdc"; + package = config.security.krb5.package; PIDFile = "/run/kdc.pid"; + + format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } { enableKdcACLEntries = true; }; + aclMap = { add = "a"; cpw = "c"; delete = "d"; get = "i"; list = "l"; modify = "m"; all = "*"; }; - aclFiles = mapAttrs - (name: {acl, ...}: (pkgs.writeText "${name}.acl" (concatMapStrings ( - {principal, access, target, ...} : - let access_code = map (a: aclMap.${a}) (toList access); in - "${principal} ${concatStrings access_code} ${target}\n" - ) acl))) cfg.realms; - kdcConfigs = mapAttrsToList (name: value: '' - ${name} = { - acl_file = ${value} - } - '') aclFiles; - kdcConfFile = pkgs.writeText "kdc.conf" '' - [realms] - ${concatStringsSep "\n" kdcConfigs} - ''; + + aclConfigs = lib.pipe cfg.settings.realms [ + (mapAttrs (name: { acl, ... }: lib.concatMapStringsSep "\n" ( + { principal, access, target, ... }: let + access_code = map (a: aclMap.${a}) (lib.toList access); + in "${principal} ${lib.concatStrings access_code} ${target}" + ) acl)) + + (lib.concatMapAttrs (name: text: { + ${name} = { + acl_file = pkgs.writeText "${name}.acl" text; + }; + })) + ]; + + finalConfig = cfg.settings // { + realms = mapAttrs (n: v: (removeAttrs v [ "acl" ]) // aclConfigs.${n}) (cfg.settings.realms or { }); + }; + + kdcConfFile = format.generate "kdc.conf" finalConfig; env = { # What Debian uses, could possibly link directly to Nix store? KRB5_KDC_PROFILE = "/etc/krb5kdc/kdc.conf"; 
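Review bot: `aclConfigs` pipes `cfg.settings.realms` straight into `mapAttrs` and destructures `{ acl, ... }` on every realm, while `finalConfig` a few lines below guards the same attribute with `cfg.settings.realms or { }`; the two paths should agree, e.g. `aclConfigs = lib.pipe (cfg.settings.realms or { }) [`, so that the laziness of `mapAttrs` is not the only thing keeping an unset `realms` from failing evaluation. Whether every realm is guaranteed an `acl` attribute depends on the option declaration outside this file. Both `kdc.conf` (via `format.generate`) and each `${name}.acl` (via `pkgs.writeText`) are rendered into world-readable store paths, so a comment above `finalConfig` such as `# settings and acl entries are rendered into /nix/store; key material must never be placed in cfg.settings` would document the trust boundary for users of the new `settings` option.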
@@ -33,36 +39,38 @@ let in { - config = mkIf (cfg.enable && kerberos == pkgs.krb5) { + config = lib.mkIf (cfg.enable && package.passthru.implementation == "krb5") { + environment = { + etc."krb5kdc/kdc.conf".source = kdcConfFile; + variables = env; + }; + systemd.services.kadmind = { description = "Kerberos Administration Daemon"; - wantedBy = [ "multi-user.target" ]; - preStart = '' - mkdir -m 0755 -p ${stateDir} - ''; - serviceConfig.ExecStart = "${kerberos}/bin/kadmind -nofork"; + partOf = [ "kerberos-server.target" ]; + wantedBy = [ "kerberos-server.target" ]; + serviceConfig = { + ExecStart = "${package}/bin/kadmind -nofork"; + Slice = "system-kerberos-server.slice"; + StateDirectory = "krb5kdc"; + }; restartTriggers = [ kdcConfFile ]; environment = env; }; systemd.services.kdc = { description = "Key Distribution Center daemon"; - wantedBy = [ "multi-user.target" ]; - preStart = '' - mkdir -m 0755 -p ${stateDir} - ''; + partOf = [ "kerberos-server.target" ]; + wantedBy = [ "kerberos-server.target" ]; serviceConfig = { Type = "forking"; PIDFile = PIDFile; - ExecStart = "${kerberos}/bin/krb5kdc -P ${PIDFile}"; + ExecStart = "${package}/bin/krb5kdc -P ${PIDFile}"; + Slice = "system-kerberos-server.slice"; + StateDirectory = "krb5kdc"; }; restartTriggers = [ kdcConfFile ]; environment = env; }; - - environment.etc = { - "krb5kdc/kdc.conf".source = kdcConfFile; - }; - environment.variables = env; }; } |
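Review bot: Both units drop `wantedBy = [ "multi-user.target" ]` in favour of `partOf`/`wantedBy` on `kerberos-server.target`, but that target is not defined in this hunk; if the shared module that declares it does not itself pull the target into `multi-user.target`, the KDC and kadmind silently stop starting at boot, which is worth a comment next to `partOf` naming where the target is declared. `StateDirectory = "krb5kdc"` reproduces the removed `mkdir -m 0755` (systemd's default `StateDirectoryMode` is 0755), so permissions are unchanged, yet the directory holds the principal database and key stash and both daemons still run as root with no `User`; adding `StateDirectoryMode = "0700";` to each `serviceConfig` would be a cheap tightening, assuming nothing unprivileged needs to traverse that directory — confirm against the kpropd/backup tooling on this host. The `package.passthru.implementation == "krb5"` test presumes the package exposes that passthru attribute; a package without it fails evaluation rather than simply disabling the module.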