
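{ config, lib, pkgs, ... }:

with lib;

let
  hostname = config.instance.hostname;

  # The secrets module only exposes `files` once this host has secret files
  # assigned to it; everything below depends on that attribute existing.
  has-secret-files = hasAttr "files" config.fudo.secrets;

  # Look up `attr` in `set`, yielding null instead of an evaluation error
  # when it is absent.
  try-attr = attr: set: set.${attr} or null;

  # Final location of the keytab that Kerberos clients and services read.
  keytab-dest = "/etc/krb5.keytab";
in {
  config = mkIf has-secret-files (let
    # Encrypted keytab assigned to this host, or null if there is none.
    keytab-file = try-attr hostname config.fudo.secrets.files.host-keytabs;
  in mkIf (keytab-file != null) {
    ## Declaring the keytab through environment.etc did not work (presumably
    ## an ordering issue with secret decryption), hence the watcher/copy
    ## units below.
    # environment.etc."krb5.keytab" = {
    #   source =
    #     config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;
    #   user = "root";
    #   group = "root";
    #   mode = "0400";
    # };

    systemd = let
      # Where the secrets module places the decrypted keytab (declared in
      # fudo.secrets.host-secrets below; read back through config so other
      # modules may override it).
      host-keytab =
        config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;
    in {
      paths."${hostname}-keytab-watcher" = {
        wantedBy = [ "default.target" ];
        description = "Watch host keytab for changes.";
        pathConfig = {
          # NOTE(review): PathChanged only fires on writes that happen after
          # the watcher starts; confirm the keytab is still copied on a fresh
          # boot when the decrypted file already exists at that point.
          PathChanged = host-keytab;
          Unit = "${hostname}-keytab-watcher.service";
        };
      };

      services = {
        "${hostname}-keytab-watcher" = {
          description =
            "When host keytab is available or changed, activate copy job.";
          path = with pkgs; [ systemd ];
          serviceConfig.Type = "oneshot";
          script = "systemctl restart ${hostname}-copy-keytab.service";
        };

        "${hostname}-copy-keytab" = {
          description =
            "Copy the host krb5.keytab into place once it's available.";
          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = true;
            ExecStart = pkgs.writeShellScript "${hostname}-copy-keytab.sh" ''
              set -euo pipefail
              # Stage with owner-only permissions so a readable-by-others copy
              # of the keytab never exists, not even between cp and chmod.
              umask 077
              [ -f ${host-keytab} ] || exit 1
              tmp="$(mktemp ${keytab-dest}.XXXXXX)"
              # Clean up the staging file if any later step fails; after the
              # rename below it no longer exists and rm -f is a no-op.
              trap 'rm -f "$tmp"' EXIT
              cp ${host-keytab} "$tmp"
              chown root:root "$tmp"
              chmod 0400 "$tmp"
              # Rename into place so readers never observe a missing or
              # partially written keytab (the old rm-then-cp sequence did).
              mv -f "$tmp" ${keytab-dest}
            '';
            ExecStop = pkgs.writeShellScript "${hostname}-remove-keytab.sh" ''
              rm -f ${keytab-dest}
            '';
          };
        };
      };
    };

    # Ask the secrets module to decrypt this host's keytab into /run; the
    # units above copy it to its final location. The enclosing mkIf already
    # guarantees keytab-file is non-null, so no second guard is needed here.
    fudo.secrets.host-secrets.${hostname}.host-keytab = {
      source-file = keytab-file;
      target-file = "/run/kerberos/krb5.keytab";
      user = "root";
    };
  });
}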