diff --git a/paris-container.nix b/paris-container.nix
index 5d50300..945296b 100644
--- a/paris-container.nix
+++ b/paris-container.nix
@@ -212,6 +212,10 @@ in {
 "LDAP_DEFAULT_AUTHTOKEN=${readFile cfg.ldap.bind-token-file}";
 target-file = "/run/paris/sssd.env";
 };
+ parisKeytab = {
+ source-file = cfg.kerberos.keytab;
+ target-file = "/run/paris/keytab";
+ };
 } // (listToAttrs (map (keypair:
 nameValuePair (keypairFilename keypair) {
 source-file = keypair.private-key;
@@ -226,6 +230,9 @@ in {
 environmentFiles = [ hostSecrets.parisLdapEnv.target-file ];
 };
+ systemd.services."container@paris".after =
+ config.fudo.secrets.secret-target;
+
 containers.paris = {
 autoStart = true;
 macvlans =
@@ -239,6 +246,16 @@ in {
 hostPath = hostSecrets.parisSssdEnv.target-file;
 isReadOnly = true;
 };
+
+ "/etc/krb5.keytab" = {
+ hostPath = hostSecrets.parisKeytab.target-file;
+ isReadOnly = true;
+ };
+
+ "/etc/krb5.conf" = {
+ hostPath = "/etc/krb5.conf";
+ isReadOnly = true;
+ };
 } // (listToAttrs (map (keypair:
 nameValuePair "/run/openssh/keys/${keypairFilename keypair}" {
 hostPath = "/run/paris/openssh/${keypairFilename keypair}";
@@ -250,6 +267,23 @@ in {
 environment.systemPackages = packages;
+ programs.ssh = {
+ extraConfig = ''
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials yes
+ '';
+ };
+ security.pam.krb5.enable = true;
+ krb5 = {
+ enable = true;
+ kerberos = pkgs.heimdal;
+ libdefaults = config.krb5.libdefaults;
+ appdefaults = config.krb5.appdefaults;
+ domain_realm = config.krb5.domain_realm;
+ };
+
 services = {
 openssh = {
 enable = true;
@@ -262,6 +296,10 @@ in {
 UseDns = true;
 PermitRootLogin = "no";
 };
+ extraConfig = ''
+ GSSAPIAuthentication yes
+ GSSAPICleanupCredentials yes
+ '';
 };
 sssd = {
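Review bot: `cfg.kerberos.keytab` is handed straight through as `source-file` of the new `parisKeytab` secret, and nothing in the hunk constrains what that option holds; if it is a Nix path literal rather than a string, the keytab gets copied into the world-readable Nix store at evaluation time, which defeats routing it through hostSecrets at all. The option's declaration is outside this hunk, so confirm it is typed as a string path (or that the fudo.secrets module refuses store paths). The entry also sets no owner or mode for `/run/paris/keytab`, and neither does the sibling `parisSssdEnv` entry above it, so both rely on whatever default the secrets module applies; if the module exposes per-secret permission attributes, a keytab is the one secret worth pinning to root-only explicitly. A short comment above the entry, `# long-lived service credential: must never be a store path; keep root-only`, would make that constraint visible to the next editor.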
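Review bot: `after` only orders `container@paris` behind `config.fudo.secrets.secret-target`; it neither pulls the target into the transaction nor fails the container when the target fails, so if the secrets are not otherwise activated the container still starts and `/run/paris/keytab` (mounted as `/etc/krb5.keytab` in the third hunk) is missing or stale. Add `systemd.services."container@paris".requires = config.fudo.secrets.secret-target;` next to the `after`. Note also that `after` is a list-typed option, so this assignment evaluates only if `secret-target` is already a list of unit names; if it is a single string, both lines need `[ config.fudo.secrets.secret-target ]`.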
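Review bot: The `/etc/krb5.conf` bind mount overlaps with the `krb5` block added in the fourth hunk, which makes the container generate its own `/etc/krb5.conf` from `config.krb5.libdefaults`/`appdefaults`/`domain_realm`; two sources of truth for the same file means a drift between host and container config is silent, and which one wins at runtime depends on how nspawn resolves the container's own `/etc/krb5.conf` symlink, which is not something this diff pins down. Keep exactly one: either drop the bind mount and let the container's `krb5` block own the file, or drop the `krb5` block and document that the host's file is authoritative with a comment above the mount, `# host krb5.conf is authoritative inside the container; do not also set krb5.* below`. The read-only keytab mount itself is fine.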
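Review bot: `GSSAPIDelegateCredentials yes` in the container-wide `programs.ssh.extraConfig` forwards a user's Kerberos TGT to every host they ssh to from paris, so any server a user connects to, not only the realm's own machines, receives a usable copy of their credentials for the ticket's lifetime. Scope it with a `Host` stanza for the hosts that actually need delegation, e.g. `Host *.<REALM-DOMAIN placeholder>` above the delegate line, and leave only `GSSAPIAuthentication yes` under `Host *`. The `krb5` block copies `libdefaults`, `appdefaults` and `domain_realm` from the host by hand but not `config.krb5.realms`, so KDC discovery inside the container depends on DNS or on `libdefaults` alone; if that is intentional, a comment such as `# realms deliberately not mirrored: KDCs are located via DNS` would stop the next reader from "fixing" it. Pairing `pkgs.heimdal` in the container with whatever implementation the host uses is also worth a line, since the two do not accept identical config keys.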