Add kerberos configuration

This commit is contained in:
niten 2024-06-05 13:47:11 -07:00
parent bb84ade958
commit 3d4e281d8c
1 changed files with 38 additions and 0 deletions


@ -212,6 +212,10 @@ in {
"LDAP_DEFAULT_AUTHTOKEN=${readFile cfg.ldap.bind-token-file}"; "LDAP_DEFAULT_AUTHTOKEN=${readFile cfg.ldap.bind-token-file}";
target-file = "/run/paris/sssd.env"; target-file = "/run/paris/sssd.env";
}; };
parisKeytab = {
source-file = cfg.kerberos.keytab;
target-file = "/run/paris/keytab";
};
} // (listToAttrs (map (keypair: } // (listToAttrs (map (keypair:
nameValuePair (keypairFilename keypair) { nameValuePair (keypairFilename keypair) {
source-file = keypair.private-key; source-file = keypair.private-key;
@ -226,6 +230,9 @@ in {
environmentFiles = [ hostSecrets.parisLdapEnv.target-file ]; environmentFiles = [ hostSecrets.parisLdapEnv.target-file ];
}; };
systemd.services."container@paris".after =
config.fudo.secrets.secret-target;
containers.paris = { containers.paris = {
autoStart = true; autoStart = true;
macvlans = macvlans =
@ -239,6 +246,16 @@ in {
hostPath = hostSecrets.parisSssdEnv.target-file; hostPath = hostSecrets.parisSssdEnv.target-file;
isReadOnly = true; isReadOnly = true;
}; };
"/etc/krb5.keytab" = {
hostPath = hostSecrets.parisKeytab.target-file;
isReadOnly = true;
};
"/etc/krb5.conf" = {
hostPath = "/etc/krb5.conf";
isReadOnly = true;
};
} // (listToAttrs (map (keypair: } // (listToAttrs (map (keypair:
nameValuePair "/run/openssh/keys/${keypairFilename keypair}" { nameValuePair "/run/openssh/keys/${keypairFilename keypair}" {
hostPath = "/run/paris/openssh/${keypairFilename keypair}"; hostPath = "/run/paris/openssh/${keypairFilename keypair}";
@ -250,6 +267,23 @@ in {
environment.systemPackages = packages; environment.systemPackages = packages;
programs.ssh = {
extraConfig = ''
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
'';
};
security.pam.krb5.enable = true;
krb5 = {
enable = true;
kerberos = pkgs.heimdal;
libdefaults = config.krb5.libdefaults;
appdefaults = config.krb5.appdefaults;
domain_realm = config.krb5.domain_realm;
};
services = { services = {
openssh = { openssh = {
enable = true; enable = true;
@ -262,6 +296,10 @@ in {
UseDns = true; UseDns = true;
PermitRootLogin = "no"; PermitRootLogin = "no";
}; };
extraConfig = ''
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
'';
}; };
sssd = { sssd = {
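Review bot: `GSSAPIDelegateCredentials yes` in the container's client-side `programs.ssh.extraConfig` (the fourth hunk) forwards the user's Kerberos TGT to every host that ssh client authenticates to, so any remote accepting the connection receives a usable credential. Unless forwarding is required for a specific hop, drop that line or confine it to a `Host` stanza, e.g. `Host *.internal.example` (constructed sample) with `    GSSAPIDelegateCredentials yes` indented beneath it, leaving `GSSAPIAuthentication yes` global. The `/etc/krb5.keytab` bind mount in the third hunk takes whatever mode the secret framework assigns to `/run/paris/keytab`, and nothing in this change pins it, so it is worth confirming that target is readable only by root inside the container. The inner `krb5` block also mirrors `config.krb5.libdefaults`/`appdefaults`/`domain_realm` while `/etc/krb5.conf` is bind-mounted from the host; presumably one of the two is redundant, and a one-line comment naming which is authoritative would help the next reader.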