Why is nixops missing

config/hosts/clunk.nix

@@ -6,14 +6,15 @@ let
 
   dns-proxy-port = 5335;
 
+  host-packages = with pkgs; [
+    nixops
+  ];
+
   site-name = config.fudo.hosts.${config.instance.hostname}.site;
   site = config.fudo.site.${site-name};
 
 in {
   system = {
-    # Don't do unsupervised upgrades...
-    # autoUpgrade.enable = mkForce false;
-
     # # DO force all DNS traffic to use the local server
     # activationScripts.force-local-dns = let
     #   wifi-ip =
@@ -24,6 +25,8 @@ in {
     # '';
   };
 
+  environment.systemPackages = host-packages;
+
   fudo.local-network = let
     host-config = config.fudo.hosts.${config.instance.hostname};
     site-name = host-config.site;

config/profiles/common.nix

@@ -50,6 +50,8 @@ in {
       extraConfig = ''
         GSSAPIAuthentication yes
         GSSAPICleanupCredentials yes
+        GSSAPIKeyExchange yes
+        GSSAPIStoreCredentialsOnRekey yes
       '';
       # FIXME: add all the hosts we know about
       knownHosts = {

lib/fudo/kdc.nix

@@ -231,6 +231,15 @@ in {
     environment = {
       systemPackages =
         [ pkgs.heimdalFull (kadmin-local kdc-conf cfg.kadmin-keytab) ];
+
+      etc = {
+        "krb5.keytab" = {
+          user = "root";
+          group = "root";
+          mode = "0400";
+          source = cfg.primary-keytab;
+        };
+      };
     };
 
     fudo.system = {
@@ -283,8 +292,9 @@ in {
       };
     };
 
-    systemd.tmpfiles.rules = mkIf (cfg.primary-keytab != "/etc/krb5.keytab")
+    # FIXME: is this even allowed to be a link?
-      [ "L /etc/krb5.keytab - - - - ${cfg.primary-keytab}" ];
+    # systemd.tmpfiles.rules = mkIf (cfg.primary-keytab != "/etc/krb5.keytab")
+    #   [ "L /etc/krb5.keytab - - - - ${cfg.primary-keytab}" ];
 
     services.xinetd = {
       enable = true;