281 lines
8.9 KiB
Nix
281 lines
8.9 KiB
Nix
{ config, pkgs, ... }:
|
|
|
|
with pkgs.lib;
|
|
let
|
|
hostname = config.instance.hostname;
|
|
domain-name = config.fudo.services.auth.domain;
|
|
domain = config.fudo.domains.${domain-name};
|
|
|
|
realm = domain.gssapi-realm;
|
|
|
|
zone-name = domain.zone;
|
|
|
|
ldap-server = elem hostname domain.ldap-servers;
|
|
|
|
kerberos-master = hostname == domain.kerberos-master;
|
|
kerberos-slave = elem hostname domain.kerberos-slaves;
|
|
|
|
kerberized-domain = domain.kerberos-master != null;
|
|
|
|
optionalOrNull = pred: val: if pred then val else null;
|
|
|
|
cfg = config.fudo.services.auth;
|
|
|
|
host-secrets = config.fudo.secrets.host-secrets."${hostname}";
|
|
|
|
krb-user = config.fudo.auth.kerberos.user;
|
|
krb-group = config.fudo.auth.kerberos.group;
|
|
|
|
in {
|
|
options.fudo.services.auth = with types; {
|
|
domain = mkOption {
|
|
type = str;
|
|
description = "Domain for which authentication server will operate.";
|
|
default = config.fudo.hosts.${hostname}.domain;
|
|
};
|
|
|
|
ldap = {
|
|
hostname = mkOption {
|
|
type = str;
|
|
description =
|
|
"Fully-qualified (and public-addressable) domain name of this host.";
|
|
default = config.instance.host-fqdn;
|
|
};
|
|
|
|
state-directory = mkOption {
|
|
type = str;
|
|
description =
|
|
"Directory at which to store peristent ldap-related data.";
|
|
};
|
|
};
|
|
|
|
kerberos = {
|
|
hostname = mkOption {
|
|
type = str;
|
|
description =
|
|
"Fully-qualified (and public-addressable) domain name of this host.";
|
|
default = config.instance.host-fqdn;
|
|
};
|
|
|
|
state-directory = mkOption {
|
|
type = str;
|
|
description = "Directory at which to store peristent KDC-related data.";
|
|
};
|
|
|
|
master-key-file = mkOption {
|
|
type = str;
|
|
description = "Path (on the build server) to the KDC master key file.";
|
|
};
|
|
};
|
|
};
|
|
|
|
config = {
|
|
systemd = {
|
|
tmpfiles.rules = mkIf (kerberos-master || kerberos-slave) [
|
|
"d ${cfg.kerberos.state-directory} 0700 ${krb-user} ${krb-group} - -"
|
|
];
|
|
|
|
paths.heimdal-kdc-initialize = mkIf kerberos-master {
|
|
wantedBy = [ "heimdal-kdc.service" ];
|
|
pathConfig = {
|
|
PathModified = host-secrets.kdc-principals.target-file;
|
|
};
|
|
};
|
|
|
|
services = {
|
|
heimdal-kdc-initialize = mkIf (kerberos-master || kerberos-slave) {
|
|
requires = [
|
|
host-secrets.kdc-principals.service
|
|
host-secrets.realm-master-key.service
|
|
];
|
|
description = "Initialize and update the Heimdal KDC database.";
|
|
path = with pkgs; [ kdcMergePrincipals coreutils ];
|
|
serviceConfig = {
|
|
User = krb-user;
|
|
Group = krb-group;
|
|
ExecStart = let
|
|
db = config.fudo.auth.kerberos.kdc.database;
|
|
principals = host-secrets.kdc-principals.target-file;
|
|
master-key = host-secrets.realm-master-key.target-file;
|
|
init-db-cmd = concatStringsSep " " [
|
|
"${pkgs.kdcMergePrincipals}/bin/kdc-merge-principals"
|
|
"--create"
|
|
"--database=${db}"
|
|
"--principals=${principals}"
|
|
"--key=${master-key}"
|
|
"--realm=${realm}"
|
|
"--verbose"
|
|
];
|
|
in pkgs.writeShellScript "heimdal-kdc-initialize.sh" ''
|
|
${init-db-cmd}
|
|
chown ${krb-user}:${krb-group} ${db}
|
|
chmod 0700 ${db}
|
|
'';
|
|
};
|
|
};
|
|
heimdal-kdc = mkIf kerberos-master {
|
|
requires = [ "heimdal-kdc-initialize.service" ];
|
|
after = [ "heimdal-kdc-initialize.service" ];
|
|
};
|
|
heimdal-kdc-secondary = mkIf kerberos-slave {
|
|
requires = [ "heimdal-kdc-initialize.service" ];
|
|
after = [ "heimdal-kdc-initialize.service" ];
|
|
};
|
|
};
|
|
};
|
|
|
|
fudo = {
|
|
acme.host-domains.${hostname} = mkIf (ldap-server) {
|
|
${cfg.ldap.hostname}.local-copies.openldap = {
|
|
user = config.services.openldap.user;
|
|
part-of = [ config.fudo.auth.ldap-server.systemd-target ];
|
|
};
|
|
};
|
|
|
|
secrets.host-secrets."${hostname}" = let
|
|
realm-key =
|
|
config.fudo.secrets.files.kerberos.realm-master-keys."${realm}";
|
|
in {
|
|
realm-master-key = mkIf (kerberos-master || kerberos-slave) {
|
|
source-file = realm-key;
|
|
target-file = "/run/kdc/realm.key";
|
|
user = krb-user;
|
|
group = krb-group;
|
|
};
|
|
|
|
kdc-principals = mkIf (kerberos-master || kerberos-slave) {
|
|
source-file =
|
|
config.fudo.secrets.files.kerberos.realm-principals."${realm}";
|
|
target-file = "/run/kdc/realm.principals";
|
|
user = krb-user;
|
|
group = krb-group;
|
|
};
|
|
kadmind-keytab = mkIf kerberos-master {
|
|
source-file = extractFudoKeytab {
|
|
inherit realm;
|
|
principals = [ "kadmin/admin" ];
|
|
};
|
|
target-file = "/run/kdc/kadmind.keytab";
|
|
user = krb-user;
|
|
group = krb-group;
|
|
};
|
|
kpasswdd-keytab = mkIf kerberos-master {
|
|
source-file = extractFudoKeytab {
|
|
inherit realm;
|
|
principals = [ "kadmin/changepw" ];
|
|
};
|
|
target-file = "/run/kdc/kpasswdd.keytab";
|
|
user = krb-user;
|
|
group = krb-group;
|
|
};
|
|
hprop-keytab =
|
|
mkIf (kerberos-master && (domain.kerberos-slaves != [ ])) {
|
|
source-file = extractFudoKeytab {
|
|
inherit realm;
|
|
principals = [ "kadmin/hprop" ];
|
|
};
|
|
target-file = "/run/kdc/hprop.keytab";
|
|
user = krb-user;
|
|
group = krb-group;
|
|
};
|
|
|
|
hpropd-keytab = mkIf kerberos-slave {
|
|
source-file = extractFudoHostKeytab {
|
|
inherit hostname realm;
|
|
services = [ "hprop" ];
|
|
};
|
|
target-file = "/run/kdc/hpropd.keytab";
|
|
user = krb-user;
|
|
group = krb-group;
|
|
};
|
|
};
|
|
|
|
auth = {
|
|
ldap-server = mkIf ldap-server (let
|
|
ldap-cert-copy =
|
|
config.fudo.acme.host-domains.${hostname}.${cfg.ldap.hostname}.local-copies.openldap;
|
|
in {
|
|
enable = ldap-server;
|
|
base = "dc=fudo,dc=org";
|
|
organization = "Fudo";
|
|
listen-uris = [ "ldap:///" "ldaps:///" ];
|
|
required-services = [ ldap-cert-copy.service ];
|
|
|
|
# TODO: Maybe filter to Fudo-only?
|
|
users = config.fudo.users;
|
|
groups = config.fudo.groups;
|
|
system-users = config.fudo.system-users;
|
|
|
|
state-directory = "${cfg.ldap.state-directory}";
|
|
|
|
ssl-chain = ldap-cert-copy.chain;
|
|
ssl-certificate = ldap-cert-copy.certificate;
|
|
ssl-private-key = ldap-cert-copy.private-key;
|
|
ssl-ca-certificate = "${pkgs.letsencrypt-ca}";
|
|
});
|
|
|
|
kerberos = {
|
|
inherit realm;
|
|
kdc = mkIf (kerberos-master || kerberos-slave) {
|
|
state-directory = cfg.kerberos.state-directory;
|
|
master-key-file = host-secrets.realm-master-key.target-file;
|
|
primary = mkIf kerberos-master {
|
|
enable = true;
|
|
acl = let
|
|
adminEntries = genAttrs config.instance.local-admins
|
|
(admin: { perms = [ "add" "change-password" "list" ]; });
|
|
in adminEntries // { "*/root".perms = [ "all" ]; };
|
|
secondary-servers = map getHostFqdn domain.kerberos-slaves;
|
|
keytabs = {
|
|
kadmind = host-secrets.kadmind-keytab.target-file;
|
|
kpasswdd = host-secrets.kpasswdd-keytab.target-file;
|
|
hprop = host-secrets.hprop-keytab.target-file;
|
|
};
|
|
};
|
|
secondary = mkIf kerberos-slave {
|
|
enable = true;
|
|
keytabs.hpropd = host-secrets.hpropd-keytab.target-file;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
zones.${zone-name} = let
|
|
make-srv-record = port: hostname: {
|
|
port = port;
|
|
host = hostname;
|
|
};
|
|
|
|
get-fqdn = host: "${host}.${config.fudo.hosts.${host}.domain}";
|
|
|
|
kerberos-master-hosts =
|
|
optional (kerberized-domain) domain.kerberos-master;
|
|
|
|
kerberos-servers =
|
|
map get-fqdn (kerberos-master-hosts ++ domain.kerberos-slaves);
|
|
|
|
kerberos-masters = map get-fqdn kerberos-master-hosts;
|
|
|
|
ldap-servers = map get-fqdn domain.ldap-servers;
|
|
in {
|
|
gssapi-realm = realm;
|
|
|
|
srv-records = {
|
|
tcp = {
|
|
kerberos = map (make-srv-record 88) kerberos-servers;
|
|
kerberos-adm = map (make-srv-record 749) kerberos-masters;
|
|
ldap = map (make-srv-record 389) ldap-servers;
|
|
ldaps = map (make-srv-record 636) ldap-servers;
|
|
};
|
|
|
|
udp = {
|
|
kerberos = map (make-srv-record 88) kerberos-servers;
|
|
kerberos-master = map (make-srv-record 88) kerberos-masters;
|
|
kpasswd = map (make-srv-record 464) kerberos-masters;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|