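{ config, lib, pkgs, ... }:

# fudo.france: host-role module that declares the LDAP and Heimdal KDC
# options for this host and wires the KDC master key into the host-secrets
# deployment. The `fudo.auth` ldap-server/kdc configuration further down is
# currently commented out, so this module only *declares* those options and
# deploys the master key; nothing in it starts a service.
#
# Secret-bearing options (certificate, private key, keytab, root-password
# file, master-key file) are typed `str`, not `path`, on purpose: a `path`
# value that is interpolated into a string is copied into the world-readable
# Nix store, whereas a plain string is only ever treated as a filesystem
# location. Keep them as `str`.
#
# `lib` and `lib.types` are referenced explicitly rather than through `with`,
# so a misspelt name cannot silently resolve to an unrelated lib attribute.

let
  hostname = config.instance.hostname;
  domain-name = config.instance.local-domain;
  site-name = config.instance.local-site;
  fqdn = "${hostname}.${domain-name}";

  # Like genAttrs, but `f` returns an attrset per list element and the
  # results are merged into one set. With `foldr` and `a0 // a1` (a0 is the
  # element, a1 the already-folded tail), later list elements win on
  # duplicate keys.
  concatGenAttrs = lst: f: lib.foldr (a0: a1: a0 // a1) { } (map f lst);

  # Host secrets for this machine (includes the kdc-master-key entry declared
  # below). Currently only referenced from the commented-out auth block.
  secrets = config.fudo.secrets.host-secrets.${hostname};

  cfg = config.fudo.france;

in {
  options.fudo.france = {
    ldap = {
      ssl-certificate = lib.mkOption {
        type = lib.types.str;
        description = "SSL certificate to use for the LDAP server.";
      };

      ssl-private-key = lib.mkOption {
        type = lib.types.str;
        description = "SSL private key to use for the LDAP server.";
      };

      ssl-ca-certificate = lib.mkOption {
        type = lib.types.str;
        description = "SSL certificate authority to use for the LDAP server.";
      };

      keytab = lib.mkOption {
        type = lib.types.str;
        description = "Path to the LDAP service keytab.";
      };

      root-password-file = lib.mkOption {
        type = lib.types.str;
        description = "Path to the file containing the LDAP root password.";
      };
    };

    kdc = {
      state-directory = lib.mkOption {
        type = lib.types.str;
        description = "Path at which to store kerberos state.";
        default = "/state/kerberos";
      };

      master-key-file = lib.mkOption {
        type = lib.types.str;
        description = "Heimdal database master key file.";
      };

      # No default: each host has to state explicitly which addresses the KDC
      # binds (fed to `bind-addresses` in the commented-out kdc block).
      listen-ips = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        description = "IP addresses on which to listen for connections.";
      };
    };
  };

  config = {
    fudo = {
      # Deploy the KDC master key from its source location into the runtime
      # directory, owned by the KDC user. No file mode is set here, so
      # whatever the host-secrets module applies by default is what the key
      # gets -- presumably owner-only; verify.
      # NOTE(review): this entry is active even though the kdc block below is
      # commented out, so the master key is placed on the host without a
      # consumer. Confirm that is intended.
      secrets.host-secrets.${hostname}.kdc-master-key = {
        source-file = cfg.kdc.master-key-file;
        target-file = "/run/kerberos/kdc/master.key";
        user = config.fudo.auth.kdc.user;
      };

      # The ldap-server / kdc wiring below is disabled. Kept as-is (with the
      # stray trailing character on its closing line removed) so it can be
      # revived; see the inline notes before doing so.
      # auth = {
      #   ldap-server = {
      #     enable = true;
      #     base = "dc=fudo,dc=org";
      #     organization = "Fudo";
      #     rootpw-file = cfg.ldap.root-password-file;
      #     kerberos-host = fqdn;
      #     kerberos-keytab = cfg.ldap.keytab;
      #     ssl-certificate = cfg.ldap.ssl-certificate;
      #     ssl-private-key = cfg.ldap.ssl-private-key;
      #     ssl-ca-certificate = cfg.ldap.ssl-ca-certificate;
      #
      #     listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ];
      #
      #     users = config.fudo.users;
      #     groups = config.fudo.groups;
      #     system-users = config.fudo.system-users;
      #
      #     database-directory = "/state/openldap";
      #   };
      #
      #   # TODO: let build hosts create keys?
      #   kdc = {
      #     enable = true;
      #     realm = config.fudo.domains.${domain-name}.gssapi-realm;
      #     state-directory = cfg.kdc.state-directory;
      #     master-key-file = secrets.kdc-master-key.target-file;
      #     acl = let
      #       admin-entries = concatGenAttrs
      #         config.instance.local-admins
      #         (admin: {
      #           "${admin}" = { perms = [ "add" "list" "change-password" ]; };
      #           "${admin}/root" = { perms = [ "all" ]; };
      #         });
      #     in {
      #       # NOTE(review): the wildcard principals below hard-code
      #       # `fudo.org` while `realm` is derived from `domain-name`; if this
      #       # block is revived, derive the domain here too so a host in
      #       # another domain does not grant "add" to principals it never
      #       # meant to.
      #       "host/*.fudo.org" = { perms = [ "add" ]; };
      #       "pam_migrate/*.fudo.org" = { perms = [ "add" "change-password" ]; };
      #     } // admin-entries;
      #     bind-addresses = cfg.kdc.listen-ips;
      #   };
      # };
    };
  };
}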