diff --git a/config/hosts/clunk.nix b/config/hosts/clunk.nix
index d81387b..5cd326f 100644
--- a/config/hosts/clunk.nix
+++ b/config/hosts/clunk.nix
@@ -6,14 +6,15 @@ let
   dns-proxy-port = 5335;
+  host-packages = with pkgs; [
+    nixops
+  ];
+
   site-name = config.fudo.hosts.${config.instance.hostname}.site;
   site = config.fudo.site.${site-name};
 in {
   system = {
-    # Don't do unsupervised upgrades...
-    # autoUpgrade.enable = mkForce false;
-
     # # DO force all DNS traffic to use the local server
     # activationScripts.force-local-dns = let
     #   wifi-ip =
@@ -24,6 +25,8 @@ in {
     # '';
   };
+  environment.systemPackages = host-packages;
+
   fudo.local-network = let
     host-config = config.fudo.hosts.${config.instance.hostname};
     site-name = host-config.site;
diff --git a/config/profiles/common.nix b/config/profiles/common.nix
index 45fbe59..19df54d 100644
--- a/config/profiles/common.nix
+++ b/config/profiles/common.nix
@@ -50,6 +50,8 @@ in {
     extraConfig = ''
       GSSAPIAuthentication yes
       GSSAPICleanupCredentials yes
+      GSSAPIKeyExchange yes
+      GSSAPIStoreCredentialsOnRekey yes
     '';
     # FIXME: add all the hosts we know about
     knownHosts = {
diff --git a/lib/fudo/kdc.nix b/lib/fudo/kdc.nix
index 3715a37..3e274c7 100644
--- a/lib/fudo/kdc.nix
+++ b/lib/fudo/kdc.nix
@@ -231,6 +231,15 @@ in {
     environment = {
       systemPackages = [ pkgs.heimdalFull (kadmin-local kdc-conf cfg.kadmin-keytab) ];
+
+      etc = {
+        "krb5.keytab" = {
+          user = "root";
+          group = "root";
+          mode = "0400";
+          source = cfg.primary-keytab;
+        };
+      };
     };
     fudo.system = {
@@ -283,8 +292,9 @@ in {
       };
     };
-    systemd.tmpfiles.rules = mkIf (cfg.primary-keytab != "/etc/krb5.keytab")
-      [ "L /etc/krb5.keytab - - - - ${cfg.primary-keytab}" ];
+    # FIXME: is this even allowed to be a link?
+    # systemd.tmpfiles.rules = mkIf (cfg.primary-keytab != "/etc/krb5.keytab")
+    #   [ "L /etc/krb5.keytab - - - - ${cfg.primary-keytab}" ];
     services.xinetd = {
       enable = true;
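Review bot: `GSSAPIKeyExchange` and `GSSAPIStoreCredentialsOnRekey`, added to the ssh client `extraConfig` in common.nix, are not options of upstream OpenSSH; they come from the GSSAPI key-exchange patch set, so with the stock `pkgs.openssh` the client rejects the whole config with a `Bad configuration option` error rather than ignoring the lines. If they are intended, the ssh package has to be the patched variant (nixpkgs ships `openssh_gssapi`, selectable via `programs.ssh.package`), and that dependency belongs next to these lines, e.g. `# requires an OpenSSH built with the GSSAPI key-exchange patch (programs.ssh.package)`. GSSAPI key exchange also authenticates the server through its host principal in the KDC instead of its host key, so the `# FIXME: add all the hosts we know about` note on `knownHosts` no longer describes how hosts that negotiate it are verified; one sentence in the same comment should say so. `GSSAPIStoreCredentialsOnRekey` only has an effect when credentials are delegated, which this hunk does not enable, so it is worth confirming that is the intent.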
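Review bot: The new `environment.etc."krb5.keytab"` entry in kdc.nix drops the guard the replaced tmpfiles rule had, `mkIf (cfg.primary-keytab != "/etc/krb5.keytab")`, so if `cfg.primary-keytab` is ever /etc/krb5.keytab itself (the case the old rule excluded) activation would install /etc/krb5.keytab from /etc/krb5.keytab. Keep the same condition on the entry: `etc."krb5.keytab" = mkIf (cfg.primary-keytab != "/etc/krb5.keytab") { user = "root"; group = "root"; mode = "0400"; source = cfg.primary-keytab; };`. Separately, `source` is evaluated into the system closure: if `cfg.primary-keytab` is a Nix path literal rather than an absolute-path string, the keytab is copied into the world-readable Nix store before being installed with mode 0400, which defeats the mode; a comment such as `# must be a plain string path, never a Nix path literal, or the keytab lands in the store` (and the option type enforcing it) would prevent that. The enclosing attrset continues outside the hunk.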
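Review bot: The commented-out `systemd.tmpfiles.rules` block with the `# FIXME: is this even allowed to be a link?` question should be deleted rather than kept, because the question is already answered by the replacement earlier in this commit: the `environment.etc` entry sets an explicit `mode`, which makes NixOS install /etc/krb5.keytab as a copied regular file rather than a symlink. Leaving the dead rule in place invites someone to re-enable a second mechanism managing the same path. If the history matters, a one-line comment such as `# /etc/krb5.keytab is installed by environment.etc as a 0400 copy, not a link` records it without the dead code.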