nix/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Whenever keytab is modded, copy.

Browse Source
This commit is contained in:
niten 2021-12-02 18:02:01 -08:00
parent c7b01f3ea3
commit c7fd2d15c7
1 changed files with 50 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
config/profile-config/host/kerberos.nix
View File

@ -9,13 +9,56 @@ let
in { in {
config = mkIf has-secret-files (let config = mkIf has-secret-files (let
keytab-file = try-attr hostname config.fudo.secrets.files.host-keytabs; keytab-file = try-attr hostname config.fudo.secrets.files.host-keytabs;
in { in mkIf (keytab-file != null) {
environment.etc."krb5.keytab" = mkIf (keytab-file != null) { ## This doesn't seem to work...timing?
source = # environment.etc."krb5.keytab" = mkIf (keytab-file != null) {
config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file; # source =
user = "root"; # config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;
group = "root"; # user = "root";
mode = "0400"; # group = "root";
# mode = "0400";
# };
systemd = let
host-keytab = config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;
in {
paths."${hostname}-keytab-watcher" = {
wantedBy = [ "default.target" ];
description = "Watch host keytab for changes.";
pathConfig = {
PathChanged = host-keytab;
Unit = "${hostname}-keytab-watcher.service";
};
};
services = {
"${hostname}-keytab-watcher" = {
description = "When host keytab is available or changed, activate copy job.";
path = with pkgs; [ systemd ];
serviceConfig = {
Type = "oneshot";
};
script = "systemctl restart ${hostname}-copy-keytab.service";
};
"${hostname}-copy-keytab" = {
description = "Copy the host krb5.keytab into place once it's available.";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "${hostname}-copy-keytab.sh" ''
[ -f ${host-keytab} ] || exit 1
[ -f /etc/krb5.keytab ] && rm /etc/krb5.keytab
cp ${host-keytab} /etc/krb5.keytab
chown root:root /etc/krb5.keytab
chmod 0400 /etc/krb5.keytab
'';
ExecStop = pkgs.writeShellScript "${hostname}-remove-keytab.sh" ''
rm -f /etc/krb5.keytab
'';
};
};
};
}; };
fudo.secrets.host-secrets.${hostname}.host-keytab = mkIf (keytab-file != null) { fudo.secrets.host-secrets.${hostname}.host-keytab = mkIf (keytab-file != null) {