-
-
Notifications
You must be signed in to change notification settings - Fork 13.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
222 changed files
with
4,234 additions
and
3,098 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,75 +1,59 @@ | ||
{config, lib, ...}: | ||
{ config, pkgs, lib, ... }: | ||
|
||
let | ||
inherit (lib) mkOption mkIf types length attrNames; | ||
inherit (lib) mkOption types; | ||
cfg = config.services.kerberos_server; | ||
kerberos = config.security.krb5.package; | ||
inherit (config.security.krb5) package; | ||
|
||
aclEntry = { | ||
options = { | ||
principal = mkOption { | ||
type = types.str; | ||
description = "Which principal the rule applies to"; | ||
}; | ||
access = mkOption { | ||
type = types.either | ||
(types.listOf (types.enum ["add" "cpw" "delete" "get" "list" "modify"])) | ||
(types.enum ["all"]); | ||
default = "all"; | ||
description = "The changes the principal is allowed to make."; | ||
}; | ||
target = mkOption { | ||
type = types.str; | ||
default = "*"; | ||
description = "The principals that 'access' applies to."; | ||
}; | ||
}; | ||
}; | ||
|
||
realm = { | ||
options = { | ||
acl = mkOption { | ||
type = types.listOf (types.submodule aclEntry); | ||
default = [ | ||
{ principal = "*/admin"; access = "all"; } | ||
{ principal = "admin"; access = "all"; } | ||
]; | ||
description = '' | ||
The privileges granted to a user. | ||
''; | ||
}; | ||
}; | ||
}; | ||
format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } { enableKdcACLEntries = true; }; | ||
in | ||
|
||
{ | ||
imports = [ | ||
(lib.mkRenamedOptionModule [ "services" "kerberos_server" "realms" ] [ "services" "kerberos_server" "settings" "realms" ]) | ||
|
||
./mit.nix | ||
./heimdal.nix | ||
]; | ||
|
||
###### interface | ||
options = { | ||
services.kerberos_server = { | ||
enable = lib.mkEnableOption "the kerberos authentication server"; | ||
|
||
realms = mkOption { | ||
type = types.attrsOf (types.submodule realm); | ||
settings = mkOption { | ||
type = format.type; | ||
description = '' | ||
The realm(s) to serve keys for. | ||
Settings for the kerberos server of choice. | ||
See the following documentation: | ||
- Heimdal: {manpage}`kdc.conf(5)` | ||
- MIT Kerberos: <https://web.mit.edu/kerberos/krb5-1.21/doc/admin/conf_files/kdc_conf.html> | ||
''; | ||
default = { }; | ||
}; | ||
}; | ||
}; | ||
|
||
config = lib.mkIf cfg.enable { | ||
environment.systemPackages = [ package ]; | ||
assertions = [ | ||
{ | ||
assertion = cfg.settings.realms != { }; | ||
message = "The server needs at least one realm"; | ||
} | ||
{ | ||
assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1; | ||
message = "Only one realm per server is currently supported."; | ||
} | ||
]; | ||
|
||
systemd.slices.system-kerberos-server = { }; | ||
systemd.targets.kerberos-server = { | ||
wantedBy = [ "multi-user.target" ]; | ||
}; | ||
}; | ||
|
||
###### implementation | ||
|
||
config = mkIf cfg.enable { | ||
environment.systemPackages = [ kerberos ]; | ||
assertions = [{ | ||
assertion = length (attrNames cfg.realms) <= 1; | ||
message = "Only one realm per server is currently supported."; | ||
}]; | ||
meta = { | ||
doc = ./kerberos-server.md; | ||
}; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,68 +1,87 @@ | ||
{ pkgs, config, lib, ... } : | ||
|
||
let | ||
inherit (lib) mkIf concatStringsSep concatMapStrings toList mapAttrs | ||
mapAttrsToList; | ||
inherit (lib) mapAttrs; | ||
cfg = config.services.kerberos_server; | ||
kerberos = config.security.krb5.package; | ||
stateDir = "/var/heimdal"; | ||
aclFiles = mapAttrs | ||
(name: {acl, ...}: pkgs.writeText "${name}.acl" (concatMapStrings (( | ||
{principal, access, target, ...} : | ||
"${principal}\t${concatStringsSep "," (toList access)}\t${target}\n" | ||
)) acl)) cfg.realms; | ||
package = config.security.krb5.package; | ||
|
||
kdcConfigs = mapAttrsToList (name: value: '' | ||
database = { | ||
dbname = ${stateDir}/heimdal | ||
acl_file = ${value} | ||
} | ||
'') aclFiles; | ||
kdcConfFile = pkgs.writeText "kdc.conf" '' | ||
[kdc] | ||
${concatStringsSep "\n" kdcConfigs} | ||
''; | ||
aclConfigs = lib.pipe cfg.settings.realms [ | ||
(mapAttrs (name: { acl, ... }: lib.concatMapStringsSep "\n" ( | ||
{ principal, access, target, ... }: | ||
"${principal}\t${lib.concatStringsSep "," (lib.toList access)}\t${target}" | ||
) acl)) | ||
(lib.mapAttrsToList (name: text: | ||
{ | ||
dbname = "/var/lib/heimdal/heimdal"; | ||
acl_file = pkgs.writeText "${name}.acl" text; | ||
} | ||
)) | ||
]; | ||
|
||
finalConfig = cfg.settings // { | ||
realms = mapAttrs (_: v: removeAttrs v [ "acl" ]) (cfg.settings.realms or { }); | ||
kdc = (cfg.settings.kdc or { }) // { | ||
database = aclConfigs; | ||
}; | ||
}; | ||
|
||
format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } { enableKdcACLEntries = true; }; | ||
|
||
kdcConfFile = format.generate "kdc.conf" finalConfig; | ||
in | ||
|
||
{ | ||
# No documentation about correct triggers, so guessing at them. | ||
config = lib.mkIf (cfg.enable && package.passthru.implementation == "heimdal") { | ||
environment.etc."heimdal-kdc/kdc.conf".source = kdcConfFile; | ||
|
||
systemd.tmpfiles.settings."10-heimdal" = let | ||
databases = lib.pipe finalConfig.kdc.database [ | ||
(map (dbAttrs: dbAttrs.dbname or null)) | ||
(lib.filter (x: x != null)) | ||
lib.unique | ||
]; | ||
in lib.genAttrs databases (_: { | ||
d = { | ||
user = "root"; | ||
group = "root"; | ||
mode = "0700"; | ||
}; | ||
}); | ||
|
||
config = mkIf (cfg.enable && kerberos == pkgs.heimdal) { | ||
systemd.services.kadmind = { | ||
description = "Kerberos Administration Daemon"; | ||
wantedBy = [ "multi-user.target" ]; | ||
preStart = '' | ||
mkdir -m 0755 -p ${stateDir} | ||
''; | ||
serviceConfig.ExecStart = | ||
"${kerberos}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf"; | ||
partOf = [ "kerberos-server.target" ]; | ||
wantedBy = [ "kerberos-server.target" ]; | ||
serviceConfig = { | ||
ExecStart = "${package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf"; | ||
Slice = "system-kerberos-server.slice"; | ||
StateDirectory = "heimdal"; | ||
}; | ||
restartTriggers = [ kdcConfFile ]; | ||
}; | ||
|
||
systemd.services.kdc = { | ||
description = "Key Distribution Center daemon"; | ||
wantedBy = [ "multi-user.target" ]; | ||
preStart = '' | ||
mkdir -m 0755 -p ${stateDir} | ||
''; | ||
serviceConfig.ExecStart = | ||
"${kerberos}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf"; | ||
partOf = [ "kerberos-server.target" ]; | ||
wantedBy = [ "kerberos-server.target" ]; | ||
serviceConfig = { | ||
ExecStart = "${package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf"; | ||
Slice = "system-kerberos-server.slice"; | ||
StateDirectory = "heimdal"; | ||
}; | ||
restartTriggers = [ kdcConfFile ]; | ||
}; | ||
|
||
systemd.services.kpasswdd = { | ||
description = "Kerberos Password Changing daemon"; | ||
wantedBy = [ "multi-user.target" ]; | ||
preStart = '' | ||
mkdir -m 0755 -p ${stateDir} | ||
''; | ||
serviceConfig.ExecStart = "${kerberos}/libexec/kpasswdd"; | ||
partOf = [ "kerberos-server.target" ]; | ||
wantedBy = [ "kerberos-server.target" ]; | ||
serviceConfig = { | ||
ExecStart = "${package}/libexec/kpasswdd"; | ||
Slice = "system-kerberos-server.slice"; | ||
StateDirectory = "heimdal"; | ||
}; | ||
restartTriggers = [ kdcConfFile ]; | ||
}; | ||
|
||
environment.etc = { | ||
# Can be set via the --config-file option to KDC | ||
"heimdal-kdc/kdc.conf".source = kdcConfFile; | ||
}; | ||
}; | ||
} |
Oops, something went wrong.