Merge master into haskell-updates

NixOS · Jun 15, 2024 · 04a9fe9 · 04a9fe9
2 parents cadb3d1 + 49aefbf
commit 04a9fe9
Show file tree

Hide file tree

Showing 222 changed files with 4,234 additions and 3,098 deletions.
diff --git a/maintainers/scripts/copy-tarballs.pl b/maintainers/scripts/copy-tarballs.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env nix-shell
-#! nix-shell -i perl -p perl perlPackages.NetAmazonS3 perlPackages.FileSlurp perlPackages.JSON perlPackages.LWPProtocolHttps nixUnstable nixUnstable.perl-bindings
+#! nix-shell -i perl -p perl perlPackages.NetAmazonS3 perlPackages.FileSlurp perlPackages.JSON perlPackages.LWPProtocolHttps nix nix.perl-bindings
 
 # This command uploads tarballs to tarballs.nixos.org, the
 # content-addressed cache used by fetchurl as a fallback for when

diff --git a/nixos/modules/programs/wayland/hyprland.nix b/nixos/modules/programs/wayland/hyprland.nix
@@ -56,6 +56,7 @@ in
  services.displayManager.sessionPackages = [ cfg.package ];
 
  xdg.portal = {
+ enable = true;
  extraPortals = [ cfg.portalPackage ];
  configPackages = lib.mkDefault [ cfg.package ];
  };
@@ -70,7 +71,7 @@ in
  (import ./wayland-session.nix {
  inherit lib pkgs;
  enableXWayland = cfg.xwayland.enable;
- enableWlrPortal = false; # Hyprland has its own portal, wlr is not needed
+ enableWlrPortal = lib.mkDefault false; # Hyprland has its own portal, wlr is not needed
  })
  ]);
 

diff --git a/nixos/modules/security/krb5/default.nix b/nixos/modules/security/krb5/default.nix
@@ -77,8 +77,22 @@ in {
  };
  };
 
- config = mkIf cfg.enable {
- environment = {
+ config = {
+ assertions = mkIf (cfg.enable || config.services.kerberos_server.enable) [(let
+ implementation = cfg.package.passthru.implementation or "<NOT SET>";
+ in {
+ assertion = lib.elem implementation [ "krb5" "heimdal" ];
+ message = ''
+ `security.krb5.package` must be one of:
+
+ - krb5
+ - heimdal
+
+ Currently chosen implementation: ${implementation}
+ '';
+ })];
+
+ environment = mkIf cfg.enable {
  systemPackages = [ cfg.package ];
  etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
  };

diff --git a/nixos/modules/security/krb5/krb5-conf-format.nix b/nixos/modules/security/krb5/krb5-conf-format.nix
@@ -7,17 +7,61 @@
 let
  inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
  isAttrs isBool isList mapAttrsToList mkOption singleton splitString;
- inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
- str submodule;
+ inherit (lib.types) attrsOf bool coercedTo either enum int listOf oneOf
+ path str submodule;
 in
-{ }: {
- type = let
- section = attrsOf relation;
- relation = either (attrsOf value) value;
+{
+ enableKdcACLEntries ? false
+}: rec {
+ sectionType = let
+ relation = oneOf [
+ (listOf (attrsOf value))
+ (attrsOf value)
+ value
+ ];
  value = either (listOf atom) atom;
  atom = oneOf [int str bool];
+ in attrsOf relation;
+
+ type = let
+ aclEntry = submodule {
+ options = {
+ principal = mkOption {
+ type = str;
+ description = "Which principal the rule applies to";
+ };
+ access = mkOption {
+ type = either
+ (listOf (enum ["add" "cpw" "delete" "get" "list" "modify"]))
+ (enum ["all"]);
+ default = "all";
+ description = "The changes the principal is allowed to make.";
+ };
+ target = mkOption {
+ type = str;
+ default = "*";
+ description = "The principals that 'access' applies to.";
+ };
+ };
+ };
+
+ realm = submodule ({ name, ... }: {
+ freeformType = sectionType;
+ options = {
+ acl = mkOption {
+ type = listOf aclEntry;
+ default = [
+ { principal = "*/admin"; access = "all"; }
+ { principal = "admin"; access = "all"; }
+ ];
+ description = ''
+ The privileges granted to a user.
+ '';
+ };
+ };
+ });
  in submodule {
- freeformType = attrsOf section;
+ freeformType = attrsOf sectionType;
  options = {
  include = mkOption {
  default = [ ];
@@ -40,7 +84,17 @@ in
  '';
  type = coercedTo path singleton (listOf path);
  };
- };
+
+ }
+ //
+ (lib.optionalAttrs enableKdcACLEntries {
+ realms = mkOption {
+ type = attrsOf realm;
+ description = ''
+ The realm(s) to serve keys for.
+ '';
+ };
+ });
  };
 
  generate = let
@@ -71,6 +125,9 @@ in
  ${name} = {
  ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
  }''
+ else if isList relation
+ then
+ concatMapStringsSep "\n" (formatRelation name) relation
  else formatValue name relation;
 
  formatValue = name: value:

diff --git a/nixos/modules/services/system/kerberos/default.nix b/nixos/modules/services/system/kerberos/default.nix
@@ -1,75 +1,59 @@
-{config, lib, ...}:
+{ config, pkgs, lib, ... }:
 
 let
- inherit (lib) mkOption mkIf types length attrNames;
+ inherit (lib) mkOption types;
  cfg = config.services.kerberos_server;
- kerberos = config.security.krb5.package;
+ inherit (config.security.krb5) package;
 
- aclEntry = {
- options = {
- principal = mkOption {
- type = types.str;
- description = "Which principal the rule applies to";
- };
- access = mkOption {
- type = types.either
- (types.listOf (types.enum ["add" "cpw" "delete" "get" "list" "modify"]))
- (types.enum ["all"]);
- default = "all";
- description = "The changes the principal is allowed to make.";
- };
- target = mkOption {
- type = types.str;
- default = "*";
- description = "The principals that 'access' applies to.";
- };
- };
- };
-
- realm = {
- options = {
- acl = mkOption {
- type = types.listOf (types.submodule aclEntry);
- default = [
- { principal = "*/admin"; access = "all"; }
- { principal = "admin"; access = "all"; }
- ];
- description = ''
- The privileges granted to a user.
- '';
- };
- };
- };
+ format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } { enableKdcACLEntries = true; };
 in
 
 {
  imports = [
+ (lib.mkRenamedOptionModule [ "services" "kerberos_server" "realms" ] [ "services" "kerberos_server" "settings" "realms" ])
+
  ./mit.nix
  ./heimdal.nix
  ];
 
- ###### interface
  options = {
  services.kerberos_server = {
  enable = lib.mkEnableOption "the kerberos authentication server";
 
- realms = mkOption {
- type = types.attrsOf (types.submodule realm);
+ settings = mkOption {
+ type = format.type;
  description = ''
- The realm(s) to serve keys for.
+ Settings for the kerberos server of choice.
+
+ See the following documentation:
+ - Heimdal: {manpage}`kdc.conf(5)`
+ - MIT Kerberos: <https://web.mit.edu/kerberos/krb5-1.21/doc/admin/conf_files/kdc_conf.html>
  '';
+ default = { };
  };
  };
  };
 
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = [ package ];
+ assertions = [
+ {
+ assertion = cfg.settings.realms != { };
+ message = "The server needs at least one realm";
+ }
+ {
+ assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1;
+ message = "Only one realm per server is currently supported.";
+ }
+ ];
+
+ systemd.slices.system-kerberos-server = { };
+ systemd.targets.kerberos-server = {
+ wantedBy = [ "multi-user.target" ];
+ };
+ };
 
- ###### implementation
-
- config = mkIf cfg.enable {
- environment.systemPackages = [ kerberos ];
- assertions = [{
- assertion = length (attrNames cfg.realms) <= 1;
- message = "Only one realm per server is currently supported.";
- }];
+ meta = {
+ doc = ./kerberos-server.md;
  };
 }
diff --git a/nixos/modules/services/system/kerberos/heimdal.nix b/nixos/modules/services/system/kerberos/heimdal.nix
@@ -1,68 +1,87 @@
 { pkgs, config, lib, ... } :
 
 let
- inherit (lib) mkIf concatStringsSep concatMapStrings toList mapAttrs
- mapAttrsToList;
+ inherit (lib) mapAttrs;
  cfg = config.services.kerberos_server;
- kerberos = config.security.krb5.package;
- stateDir = "/var/heimdal";
- aclFiles = mapAttrs
- (name: {acl, ...}: pkgs.writeText "${name}.acl" (concatMapStrings ((
- {principal, access, target, ...} :
- "${principal}\t${concatStringsSep "," (toList access)}\t${target}\n"
- )) acl)) cfg.realms;
+ package = config.security.krb5.package;
 
- kdcConfigs = mapAttrsToList (name: value: ''
- database = {
- dbname = ${stateDir}/heimdal
- acl_file = ${value}
- }
- '') aclFiles;
- kdcConfFile = pkgs.writeText "kdc.conf" ''
- [kdc]
- ${concatStringsSep "\n" kdcConfigs}
- '';
+ aclConfigs = lib.pipe cfg.settings.realms [
+ (mapAttrs (name: { acl, ... }: lib.concatMapStringsSep "\n" (
+ { principal, access, target, ... }:
+ "${principal}\t${lib.concatStringsSep "," (lib.toList access)}\t${target}"
+ ) acl))
+ (lib.mapAttrsToList (name: text:
+ {
+ dbname = "/var/lib/heimdal/heimdal";
+ acl_file = pkgs.writeText "${name}.acl" text;
+ }
+ ))
+ ];
+
+ finalConfig = cfg.settings // {
+ realms = mapAttrs (_: v: removeAttrs v [ "acl" ]) (cfg.settings.realms or { });
+ kdc = (cfg.settings.kdc or { }) // {
+ database = aclConfigs;
+ };
+ };
+
+ format = import ../../../security/krb5/krb5-conf-format.nix { inherit pkgs lib; } { enableKdcACLEntries = true; };
+
+ kdcConfFile = format.generate "kdc.conf" finalConfig;
 in
 
 {
- # No documentation about correct triggers, so guessing at them.
+ config = lib.mkIf (cfg.enable && package.passthru.implementation == "heimdal") {
+ environment.etc."heimdal-kdc/kdc.conf".source = kdcConfFile;
+
+ systemd.tmpfiles.settings."10-heimdal" = let
+ databases = lib.pipe finalConfig.kdc.database [
+ (map (dbAttrs: dbAttrs.dbname or null))
+ (lib.filter (x: x != null))
+ lib.unique
+ ];
+ in lib.genAttrs databases (_: {
+ d = {
+ user = "root";
+ group = "root";
+ mode = "0700";
+ };
+ });
 
- config = mkIf (cfg.enable && kerberos == pkgs.heimdal) {
  systemd.services.kadmind = {
  description = "Kerberos Administration Daemon";
- wantedBy = [ "multi-user.target" ];
- preStart = ''
- mkdir -m 0755 -p ${stateDir}
- '';
- serviceConfig.ExecStart =
- "${kerberos}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
+ partOf = [ "kerberos-server.target" ];
+ wantedBy = [ "kerberos-server.target" ];
+ serviceConfig = {
+ ExecStart = "${package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
+ Slice = "system-kerberos-server.slice";
+ StateDirectory = "heimdal";
+ };
  restartTriggers = [ kdcConfFile ];
  };
 
  systemd.services.kdc = {
  description = "Key Distribution Center daemon";
- wantedBy = [ "multi-user.target" ];
- preStart = ''
- mkdir -m 0755 -p ${stateDir}
- '';
- serviceConfig.ExecStart =
- "${kerberos}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
+ partOf = [ "kerberos-server.target" ];
+ wantedBy = [ "kerberos-server.target" ];
+ serviceConfig = {
+ ExecStart = "${package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
+ Slice = "system-kerberos-server.slice";
+ StateDirectory = "heimdal";
+ };
  restartTriggers = [ kdcConfFile ];
  };
 
  systemd.services.kpasswdd = {
  description = "Kerberos Password Changing daemon";
- wantedBy = [ "multi-user.target" ];
- preStart = ''
- mkdir -m 0755 -p ${stateDir}
- '';
- serviceConfig.ExecStart = "${kerberos}/libexec/kpasswdd";
+ partOf = [ "kerberos-server.target" ];
+ wantedBy = [ "kerberos-server.target" ];
+ serviceConfig = {
+ ExecStart = "${package}/libexec/kpasswdd";
+ Slice = "system-kerberos-server.slice";
+ StateDirectory = "heimdal";
+ };
  restartTriggers = [ kdcConfFile ];
  };
-
- environment.etc = {
- # Can be set via the --config-file option to KDC
- "heimdal-kdc/kdc.conf".source = kdcConfFile;
- };
  };
 }