
{ config, lib, pkgs, ... }:
with lib;
let
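# Shorthand for this module's own option set.
cfg = config.fudo.auth.kdc;

# Shell script that initialises the Heimdal realm database for `realm`
# unless `key-file` already exists. Both services run it from preStart, so
# it executes on every start; the existence test is what keeps it
# idempotent.
#
# NOTE(review): `kadmin -l init` creates the realm database; nothing in
# this script creates the master key at `key-file`. Unless some other step
# stashes that key, the guard never becomes true and init is attempted on
# every start -- confirm against the deployment.
initialize-db = realm: key-file:
  pkgs.writeShellScript "initialize-heimdal-db.sh" ''
    # Fail loudly on any error or unset variable so a partial init is
    # reported to the service manager instead of being ignored.
    set -eu
    # Quote the interpolated paths so a realm or path with whitespace can
    # neither break the test nor be word-split.
    if [ ! -e "${key-file}" ]; then
      ${pkgs.heimdalFull}/bin/kadmin -l init \
        --realm="${realm}" \
        --realm-max-ticket-life=1d \
        --realm-max-renewable-life=2w \
        "${realm}"
    fi
  '';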
in {
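options.fudo.auth.kdc = with types; {
  enable = mkEnableOption "Fudo KDC";

  # Interpolated verbatim into the [kdc] stanza and the kadmin init call.
  realm = mkOption {
    type = str;
    description = "The realm for which we are the acting KDC.";
  };

  # Passed as --config-file to both daemons. The [kdc] stanza generated by
  # this module is appended to /etc/krb5.conf regardless of this value, so
  # pointing it elsewhere means providing that stanza yourself.
  config-file = mkOption {
    type = str;
    description = "Path to configuration file.";
    default = "/etc/krb5.conf";
  };

  # Written as mkey_file in the [kdc] stanza and handed to kadmind via
  # --key-file. /var/heimdal is symlinked to state-directory by this
  # module, so the default resolves inside the state directory.
  master-key-file = mkOption {
    type = str;
    description = "The path to the master key file.";
    default = "/var/heimdal/master.key";
  };

  # No default: evaluation fails unless the deployment sets it, since the
  # value is interpolated into the [kdc] stanza as acl_file.
  acl-file = mkOption {
    type = str;
    description = "The path to the Access Control file.";
  };

  # Joined with spaces into the `addresses` key of the [kdc] stanza.
  bind-addresses = mkOption {
    type = listOf str;
    description = "A list of IP addresses on which to bind.";
    default = [ ];
  };

  # Account and group created by this module; both daemons run under it
  # and it owns state-directory.
  user = mkOption {
    type = str;
    description = "User as which to run Heimdal servers.";
    default = "kerberos";
  };
  group = mkOption {
    type = str;
    description = "Group as which to run Heimdal servers.";
    default = "kerberos";
  };

  # Working directory of both daemons and target of the /var/heimdal
  # symlink; ownership is ensured via fudo.system.ensure-directories.
  state-directory = mkOption {
    type = str;
    description = "Path at which to store kerberos database.";
    default = "/srv/kerberos";
  };
};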
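config = mkIf cfg.enable {
  # Dedicated system account shared by the kdc and kadmind. Its home is the
  # /var/heimdal symlink created below, so the default master-key path
  # lands inside state-directory.
  users = {
    users.${cfg.user} = {
      isSystemUser = true;
      home = "/var/heimdal";
      group = cfg.group;
    };
    groups.${cfg.group} = { members = [ cfg.user ]; };
  };

  environment = {
    systemPackages = [ pkgs.heimdalFull ];
    # The [kdc] stanza is appended (mkAfter) to whatever else the system
    # puts in /etc/krb5.conf. It always targets /etc/krb5.conf and does not
    # follow cfg.config-file.
    etc."krb5.conf" = {
      text = mkAfter ''
        [kdc]
        database = {
          realm = ${cfg.realm}
          mkey_file = ${cfg.master-key-file}
          acl_file = ${cfg.acl-file}
        }
        ${optionalString (cfg.bind-addresses != [ ]) "addresses = ${concatStringsSep " " cfg.bind-addresses}"}
        # Binds to port 80!
        enable-http = false
      '';
    };
  };
  # Note: an empty bind-addresses list previously emitted `addresses =`
  # with no value; the key is now omitted so Heimdal's built-in default
  # applies instead of an empty setting.

  systemd = {
    # The service user's home and the default master-key-file path both
    # live under /var/heimdal; redirect it into the real state directory.
    tmpfiles.rules = [ "L /var/heimdal - - - - ${cfg.state-directory}" ];
  };

  fudo.system = {
    # Only ownership is set here. The directory holds the realm database
    # and (by default) the master key, so the mode ensure-directories
    # applies should keep it unreadable to other users -- not visible from
    # this module, verify.
    ensure-directories = {
      "${cfg.state-directory}" = {
        user = cfg.user;
        group = cfg.group;
      };
    };

    services = {
      heimdal-kdc = {
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        description =
          "Heimdal Kerberos Key Distribution Center (ticket server).";
        # The kdc learns mkey_file from the [kdc] stanza; only kadmind is
        # given --key-file explicitly.
        execStart =
          "${pkgs.heimdalFull}/libexec/heimdal/kdc --config-file=${cfg.config-file}";
        # Presumably maps to network namespacing; the daemon must stay
        # reachable, so it is kept off.
        privateNetwork = false;
        user = cfg.user;
        group = cfg.group;
        workingDirectory = cfg.state-directory;
        # Both services run the same guarded init script, so whichever
        # starts first creates the database.
        preStart = "${initialize-db cfg.realm cfg.master-key-file}";
      };

      heimdal-admin-server = {
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        description = "Heimdal Kerberos Remote Administration Server.";
        execStart =
          "${pkgs.heimdalFull}/libexec/heimdal/kadmind --config-file=${cfg.config-file} --key-file=${cfg.master-key-file}";
        privateNetwork = false;
        user = cfg.user;
        group = cfg.group;
        workingDirectory = cfg.state-directory;
        preStart = "${initialize-db cfg.realm cfg.master-key-file}";
      };
    };
  };
};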
}