Add kerberos configuration

2024-06-05 13:47:11 -07:00 · 2024-06-05 13:47:11 -07:00 · 3d4e281d8c
parent bb84ade958
commit 3d4e281d8c
1 changed files with 38 additions and 0 deletions
--- a/paris-container.nix
+++ b/paris-container.nix
@ -212,6 +212,10 @@ in {
          "LDAP_DEFAULT_AUTHTOKEN=${readFile cfg.ldap.bind-token-file}";
        target-file = "/run/paris/sssd.env";
      };
+      parisKeytab = {
+        source-file = cfg.kerberos.keytab;
+        target-file = "/run/paris/keytab";
+      };
    } // (listToAttrs (map (keypair:
      nameValuePair (keypairFilename keypair) {
        source-file = keypair.private-key;
@ -226,6 +230,9 @@ in {
      environmentFiles = [ hostSecrets.parisLdapEnv.target-file ];
    };

+    systemd.services."container@paris".after =
+      config.fudo.secrets.secret-target;
+
    containers.paris = {
      autoStart = true;
      macvlans =
@ -239,6 +246,16 @@ in {
          hostPath = hostSecrets.parisSssdEnv.target-file;
          isReadOnly = true;
        };
+
+        "/etc/krb5.keytab" = {
+          hostPath = hostSecrets.parisKeytab.target-file;
+          isReadOnly = true;
+        };
+
+        "/etc/krb5.conf" = {
+          hostPath = "/etc/krb5.conf";
+          isReadOnly = true;
+        };
      } // (listToAttrs (map (keypair:
        nameValuePair "/run/openssh/keys/${keypairFilename keypair}" {
          hostPath = "/run/paris/openssh/${keypairFilename keypair}";
@ -250,6 +267,23 @@ in {

        environment.systemPackages = packages;

+        programs.ssh = {
+          extraConfig = ''
+            GSSAPIAuthentication yes
+            GSSAPIDelegateCredentials yes
+          '';
+        };
+
+        security.pam.krb5.enable = true;
+
+        krb5 = {
+          enable = true;
+          kerberos = pkgs.heimdal;
+          libdefaults = config.krb5.libdefaults;
+          appdefaults = config.krb5.appdefaults;
+          domain_realm = config.krb5.domain_realm;
+        };
+
        services = {
          openssh = {
            enable = true;
@ -262,6 +296,10 @@ in {
              UseDns = true;
              PermitRootLogin = "no";
            };
+            extraConfig = ''
+              GSSAPIAuthentication yes
+              GSSAPICleanupCredentials yes
+            '';
          };

          sssd = {