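{ config, lib, pkgs, ... }:

# NixOS module: run a Heimdal Kerberos KDC (plus kadmind) for a single realm.
#
# The module appends a `[kdc]` section to /etc/krb5.conf describing the
# principal database, then starts the `kdc` and `kadmind` daemons from
# pkgs.heimdalFull as systemd services.

with lib;

let
  cfg = config.fudo.auth.kdc;
in {
  options.fudo.auth.kdc = {
    enable = mkEnableOption "Fudo KDC";

    database-path = mkOption {
      type = types.str;
      description = ''
        The path at which to store the database files.
      '';
      # Heimdal's own compiled-in default database location.
      default = "/var/heimdal/heimdal";
    };

    realm = mkOption {
      type = types.str;
      description = ''
        The realm for which we are the acting KDC.
      '';
    };

    # Deliberately `types.str`, not `types.path`: a path literal would be
    # copied into the world-readable Nix store, which must never happen to
    # the master key. Pass the on-disk location as a plain string.
    mkey-file = mkOption {
      type = types.str;
      description = ''
        The path to the master key file. Give this as a string, not a
        path literal, so the key is never copied into the Nix store.
      '';
    };

    # Same reasoning as mkey-file: keep the ACL outside the store and let
    # kadmind read it from its real location.
    acl-file = mkOption {
      type = types.str;
      description = ''
        The path to the Access Control file consulted by kadmind.
      '';
    };

    bind-addresses = mkOption {
      type = with types; listOf str;
      description = ''
        A list of IP addresses on which to bind. When empty, no
        `addresses` entry is written and the KDC uses its default
        (all interfaces).
      '';
      default = [];
    };
  };

  config = mkIf cfg.enable {
    environment = {
      systemPackages = [ pkgs.heimdalFull ];

      # mkAfter so this section lands after whatever the base krb5 module
      # (or another module) already wrote to krb5.conf.
      etc."krb5.conf" = {
        text = mkAfter ''
          [kdc]
            database = {
              # Previously database-path was declared but never emitted,
              # so the option had no effect; `dbname` is how Heimdal
              # names the database location inside this block.
              dbname = ${cfg.database-path}
              realm = ${cfg.realm}
              mkey_file = ${cfg.mkey-file}
              acl_file = ${cfg.acl-file}
            }
            ${optionalString (cfg.bind-addresses != [ ])
              "addresses = ${concatStringsSep " " cfg.bind-addresses}"}
            # The HTTP front end binds to port 80; keep it off unless
            # explicitly required.
            enable-http = false
        '';
      };
    };

    systemd.services = {
      heimdal-kdc = {
        enable = true;
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        description = "Heimdal Kerberos Key Distribution Center (ticket server)";
        serviceConfig = {
          ExecStart = "${pkgs.heimdalFull}/libexec/heimdal/kdc";
          # A KDC outage breaks authentication for the whole realm;
          # restart automatically rather than staying down after a crash.
          Restart = "on-failure";
        };
      };

      # kadmind exposes remote principal administration over the network;
      # who may do what is governed entirely by cfg.acl-file.
      heimdal-admin-server = {
        enable = true;
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        description = "Heimdal Kerberos Remote Administration Server";
        serviceConfig = {
          ExecStart = "${pkgs.heimdalFull}/libexec/heimdal/kadmind";
          Restart = "on-failure";
        };
      };
    };
  };
}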