nixos-config/config/profile-config/host/kerberos.nix

{ config, lib, pkgs, ... }:

with lib;
let
  hostname = config.instance.hostname;
  has-secret-files = hasAttr "files" config.fudo.secrets;
  try-attr = attr: set: if (hasAttr attr set) then set.${attr} else null;

in {
  config = mkIf has-secret-files (let
    keytab-file =
      try-attr hostname config.fudo.secrets.files.kerberos.host-keytabs;
  in mkIf (keytab-file != null) {
    ## This doesn't seem to work...timing?
    # environment.etc."krb5.keytab" = mkIf (keytab-file != null) {
    #   source =
    #     config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;
    #   user = "root";
    #   group = "root";
    #   mode = "0400";
    # };

    krb5 = {
      domain_realm = let
        krbDoms = filterAttrs (_: domCfg: domCfg.gssapi-realm != null)
          config.fudo.domains;
        domClauses = dom: domCfg: [
          (nameValuePair dom domCfg.gssapi-realm)
          (nameValuePair ".${dom}" domCfg.gssapi-realm)
        ];
        concatMapAttrs = f: lst:
          listToAttrs (concatMap (i: i) (mapAttrsToList f lst));
      in concatMapAttrs domClauses krbDoms;

      libdefaults.default_etypes =
        "aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96";
    };

    systemd = let
      host-keytab =
        config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;
    in {
      paths."${hostname}-keytab-watcher" = {
        wantedBy = [ "default.target" ];
        description = "Watch host keytab for changes.";
        pathConfig = {
          PathChanged = host-keytab;
          Unit = "${hostname}-keytab-watcher.service";
        };
      };

      services = {
        "${hostname}-keytab-watcher" = {
          description =
            "When host keytab is available or changed, activate copy job.";
          path = with pkgs; [ systemd ];
          serviceConfig = { Type = "oneshot"; };
          script = "systemctl restart ${hostname}-copy-keytab.service";
        };

        "${hostname}-copy-keytab" = {
          description =
            "Copy the host krb5.keytab into place once it's available.";
          serviceConfig = {
            Type = "simple";
            RemainAfterExit = true;
            ExecStart = pkgs.writeShellScript "${hostname}-copy-keytab.sh" ''
              [ -f ${host-keytab} ] || exit 1
              [ -f /etc/krb5.keytab ] && rm /etc/krb5.keytab
              cp ${host-keytab} /etc/krb5.keytab
              chown root:root /etc/krb5.keytab
              chmod 0400 /etc/krb5.keytab
            '';
            ExecStop = pkgs.writeShellScript "${hostname}-remove-keytab.sh" ''
              rm -f /etc/krb5.keytab
            '';
          };
        };
      };
    };

    fudo.secrets.host-secrets.${hostname}.host-keytab =
      mkIf (keytab-file != null) {
        source-file = keytab-file;
        target-file = "/run/kerberos/krb5.keytab";
        user = "root";
      };
  });
}
Tons of changes, I guess? 2021-11-05 07:06:08 -07:00			`{ config, lib, pkgs, ... }:`

			`with lib;`
			`let`
			`hostname = config.instance.hostname;`
			`has-secret-files = hasAttr "files" config.fudo.secrets;`
			`try-attr = attr: set: if (hasAttr attr set) then set.${attr} else null;`

			`in {`
Commit to move 2023-05-16 22:40:08 -07:00			`config = mkIf has-secret-files (let`
			`keytab-file =`
			`try-attr hostname config.fudo.secrets.files.kerberos.host-keytabs;`
			`in mkIf (keytab-file != null) {`
			`## This doesn't seem to work...timing?`
			`# environment.etc."krb5.keytab" = mkIf (keytab-file != null) {`
			`# source =`
			`# config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;`
			`# user = "root";`
			`# group = "root";`
			`# mode = "0400";`
			`# };`
Whenever keytab is modded, copy. 2021-12-02 18:02:01 -08:00
Commit to move 2023-05-16 22:40:08 -07:00			`krb5 = {`
			`domain_realm = let`
			`krbDoms = filterAttrs (_: domCfg: domCfg.gssapi-realm != null)`
			`config.fudo.domains;`
			`domClauses = dom: domCfg: [`
			`(nameValuePair dom domCfg.gssapi-realm)`
			`(nameValuePair ".${dom}" domCfg.gssapi-realm)`
			`];`
			`concatMapAttrs = f: lst:`
			`listToAttrs (concatMap (i: i) (mapAttrsToList f lst));`
			`in concatMapAttrs domClauses krbDoms;`

			`libdefaults.default_etypes =`
			`"aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96";`
			`};`

			`systemd = let`
			`host-keytab =`
			`config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;`
			`in {`
			`paths."${hostname}-keytab-watcher" = {`
			`wantedBy = [ "default.target" ];`
			`description = "Watch host keytab for changes.";`
			`pathConfig = {`
			`PathChanged = host-keytab;`
			`Unit = "${hostname}-keytab-watcher.service";`
Whenever keytab is modded, copy. 2021-12-02 18:02:01 -08:00			`};`
Commit to move 2023-05-16 22:40:08 -07:00			`};`
Whenever keytab is modded, copy. 2021-12-02 18:02:01 -08:00
Commit to move 2023-05-16 22:40:08 -07:00			`services = {`
			`"${hostname}-keytab-watcher" = {`
			`description =`
			`"When host keytab is available or changed, activate copy job.";`
			`path = with pkgs; [ systemd ];`
			`serviceConfig = { Type = "oneshot"; };`
			`script = "systemctl restart ${hostname}-copy-keytab.service";`
			`};`
Whenever keytab is modded, copy. 2021-12-02 18:02:01 -08:00
Commit to move 2023-05-16 22:40:08 -07:00			`"${hostname}-copy-keytab" = {`
			`description =`
			`"Copy the host krb5.keytab into place once it's available.";`
			`serviceConfig = {`
			`Type = "simple";`
			`RemainAfterExit = true;`
			`ExecStart = pkgs.writeShellScript "${hostname}-copy-keytab.sh" ''`
			`[ -f ${host-keytab} ] \|\| exit 1`
			`[ -f /etc/krb5.keytab ] && rm /etc/krb5.keytab`
			`cp ${host-keytab} /etc/krb5.keytab`
			`chown root:root /etc/krb5.keytab`
			`chmod 0400 /etc/krb5.keytab`
			`'';`
			`ExecStop = pkgs.writeShellScript "${hostname}-remove-keytab.sh" ''`
			`rm -f /etc/krb5.keytab`
			`'';`
Whenever keytab is modded, copy. 2021-12-02 18:02:01 -08:00			`};`
			`};`
			`};`
Commit to move 2023-05-16 22:40:08 -07:00			`};`
Added nutboy3 and nuttyclub 2021-11-13 10:30:58 -08:00
Commit to move 2023-05-16 22:40:08 -07:00			`fudo.secrets.host-secrets.${hostname}.host-keytab =`
			`mkIf (keytab-file != null) {`
			`source-file = keytab-file;`
			`target-file = "/run/kerberos/krb5.keytab";`
			`user = "root";`
			`};`
			`});`
Tons of changes, I guess? 2021-11-05 07:06:08 -07:00			`}`