2017-09-23 04:18:44 +01:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
let
|
|
|
|
|
|
|
|
cfg = config.krb5;
|
|
|
|
|
|
|
|
# This is to provide support for old configuration options (as much as is
|
2017-10-03 11:01:05 +01:00
|
|
|
# reasonable). This can be removed after 18.03 was released.
|
2017-09-23 04:18:44 +01:00
|
|
|
defaultConfig = {
|
|
|
|
libdefaults = optionalAttrs (cfg.defaultRealm != null)
|
|
|
|
{ default_realm = cfg.defaultRealm; };
|
|
|
|
|
|
|
|
realms = optionalAttrs (lib.all (value: value != null) [
|
|
|
|
cfg.defaultRealm cfg.kdc cfg.kerberosAdminServer
|
|
|
|
]) {
|
2019-08-13 22:52:01 +01:00
|
|
|
${cfg.defaultRealm} = {
|
2017-09-23 04:18:44 +01:00
|
|
|
kdc = cfg.kdc;
|
|
|
|
admin_server = cfg.kerberosAdminServer;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
domain_realm = optionalAttrs (lib.all (value: value != null) [
|
|
|
|
cfg.domainRealm cfg.defaultRealm
|
|
|
|
]) {
|
|
|
|
".${cfg.domainRealm}" = cfg.defaultRealm;
|
2019-08-13 22:52:01 +01:00
|
|
|
${cfg.domainRealm} = cfg.defaultRealm;
|
2017-09-23 04:18:44 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
mergedConfig = (recursiveUpdate defaultConfig {
|
|
|
|
inherit (config.krb5)
|
|
|
|
kerberos libdefaults realms domain_realm capaths appdefaults plugins
|
|
|
|
extraConfig config;
|
|
|
|
});
|
|
|
|
|
|
|
|
filterEmbeddedMetadata = value: if isAttrs value then
|
|
|
|
(filterAttrs
|
|
|
|
(attrName: attrValue: attrName != "_module" && attrValue != null)
|
|
|
|
value)
|
|
|
|
else value;
|
|
|
|
|
2020-06-07 15:07:47 +01:00
|
|
|
indent = " ";
|
2017-09-23 04:18:44 +01:00
|
|
|
|
2020-06-07 15:10:35 +01:00
|
|
|
mkRelation = name: value:
|
|
|
|
if (isList value) then
|
|
|
|
concatMapStringsSep "\n" (mkRelation name) value
|
|
|
|
else "${name} = ${mkVal value}";
|
2017-09-23 04:18:44 +01:00
|
|
|
|
2020-06-07 15:07:47 +01:00
|
|
|
mkVal = value:
|
2017-09-23 04:18:44 +01:00
|
|
|
if (value == true) then "true"
|
|
|
|
else if (value == false) then "false"
|
|
|
|
else if (isInt value) then (toString value)
|
|
|
|
else if (isAttrs value) then
|
2020-06-07 15:07:47 +01:00
|
|
|
let configLines = concatLists
|
|
|
|
(map (splitString "\n")
|
|
|
|
(mapAttrsToList mkRelation value));
|
|
|
|
in
|
|
|
|
(concatStringsSep "\n${indent}"
|
|
|
|
([ "{" ] ++ configLines))
|
|
|
|
+ "\n}"
|
2017-09-23 04:18:44 +01:00
|
|
|
else value;
|
|
|
|
|
|
|
|
mkMappedAttrsOrString = value: concatMapStringsSep "\n"
|
|
|
|
(line: if builtins.stringLength line > 0
|
2020-06-07 15:07:47 +01:00
|
|
|
then "${indent}${line}"
|
2017-09-23 04:18:44 +01:00
|
|
|
else line)
|
|
|
|
(splitString "\n"
|
|
|
|
(if isAttrs value then
|
|
|
|
concatStringsSep "\n"
|
|
|
|
(mapAttrsToList mkRelation value)
|
|
|
|
else value));
|
|
|
|
|
|
|
|
in {
|
|
|
|
|
|
|
|
###### interface
|
|
|
|
|
|
|
|
options = {
|
|
|
|
krb5 = {
|
2022-08-28 20:18:44 +01:00
|
|
|
enable = mkEnableOption (lib.mdDoc "building krb5.conf, configuration file for Kerberos V");
|
2017-09-23 04:18:44 +01:00
|
|
|
|
|
|
|
kerberos = mkOption {
|
|
|
|
type = types.package;
|
2022-11-18 01:13:16 +00:00
|
|
|
default = pkgs.krb5;
|
|
|
|
defaultText = literalExpression "pkgs.krb5";
|
2021-10-03 17:06:03 +01:00
|
|
|
example = literalExpression "pkgs.heimdal";
|
2022-07-28 22:19:15 +01:00
|
|
|
description = lib.mdDoc ''
|
2017-09-23 04:18:44 +01:00
|
|
|
The Kerberos implementation that will be present in
|
2022-07-28 22:19:15 +01:00
|
|
|
`environment.systemPackages` after enabling this
|
2017-09-23 04:18:44 +01:00
|
|
|
service.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
libdefaults = mkOption {
|
|
|
|
type = with types; either attrs lines;
|
|
|
|
default = {};
|
|
|
|
apply = attrs: filterEmbeddedMetadata attrs;
|
2021-10-03 17:06:03 +01:00
|
|
|
example = literalExpression ''
|
2017-09-23 04:18:44 +01:00
|
|
|
{
|
|
|
|
default_realm = "ATHENA.MIT.EDU";
|
|
|
|
};
|
|
|
|
'';
|
2022-07-28 22:19:15 +01:00
|
|
|
description = lib.mdDoc ''
|
2017-09-23 04:18:44 +01:00
|
|
|
Settings used by the Kerberos V5 library.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
realms = mkOption {
|
|
|
|
type = with types; either attrs lines;
|
|
|
|
default = {};
|
2021-10-03 17:06:03 +01:00
|
|
|
example = literalExpression ''
|
2017-09-23 04:18:44 +01:00
|
|
|
{
|
|
|
|
"ATHENA.MIT.EDU" = {
|
|
|
|
admin_server = "athena.mit.edu";
|
2020-08-25 16:18:56 +01:00
|
|
|
kdc = [
|
|
|
|
"athena01.mit.edu"
|
|
|
|
"athena02.mit.edu"
|
|
|
|
];
|
2017-09-23 04:18:44 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
'';
|
|
|
|
apply = attrs: filterEmbeddedMetadata attrs;
|
2022-07-28 22:19:15 +01:00
|
|
|
description = lib.mdDoc "Realm-specific contact information and settings.";
|
2017-09-23 04:18:44 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
domain_realm = mkOption {
|
|
|
|
type = with types; either attrs lines;
|
|
|
|
default = {};
|
2021-10-03 17:06:03 +01:00
|
|
|
example = literalExpression ''
|
2017-09-23 04:18:44 +01:00
|
|
|
{
|
|
|
|
"example.com" = "EXAMPLE.COM";
|
|
|
|
".example.com" = "EXAMPLE.COM";
|
|
|
|
};
|
|
|
|
'';
|
|
|
|
apply = attrs: filterEmbeddedMetadata attrs;
|
2022-07-28 22:19:15 +01:00
|
|
|
description = lib.mdDoc ''
|
2017-09-23 04:18:44 +01:00
|
|
|
Map of server hostnames to Kerberos realms.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
capaths = mkOption {
|
|
|
|
type = with types; either attrs lines;
|
|
|
|
default = {};
|
2021-10-03 17:06:03 +01:00
|
|
|
example = literalExpression ''
|
2017-09-23 04:18:44 +01:00
|
|
|
{
|
|
|
|
"ATHENA.MIT.EDU" = {
|
|
|
|
"EXAMPLE.COM" = ".";
|
|
|
|
};
|
|
|
|
"EXAMPLE.COM" = {
|
|
|
|
"ATHENA.MIT.EDU" = ".";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
'';
|
|
|
|
apply = attrs: filterEmbeddedMetadata attrs;
|
2022-07-28 22:19:15 +01:00
|
|
|
description = lib.mdDoc ''
|
2017-09-23 04:18:44 +01:00
|
|
|
Authentication paths for non-hierarchical cross-realm authentication.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
appdefaults = mkOption {
|
|
|
|
type = with types; either attrs lines;
|
|
|
|
default = {};
|
2021-10-03 17:06:03 +01:00
|
|
|
example = literalExpression ''
|
2017-09-23 04:18:44 +01:00
|
|
|
{
|
|
|
|
pam = {
|
|
|
|
debug = false;
|
|
|
|
ticket_lifetime = 36000;
|
|
|
|
renew_lifetime = 36000;
|
|
|
|
max_timeout = 30;
|
|
|
|
timeout_shift = 2;
|
|
|
|
initial_timeout = 1;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
'';
|
|
|
|
apply = attrs: filterEmbeddedMetadata attrs;
|
2022-07-28 22:19:15 +01:00
|
|
|
description = lib.mdDoc ''
|
2017-09-23 04:18:44 +01:00
|
|
|
Settings used by some Kerberos V5 applications.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
plugins = mkOption {
|
|
|
|
type = with types; either attrs lines;
|
|
|
|
default = {};
|
2021-10-03 17:06:03 +01:00
|
|
|
example = literalExpression ''
|
2017-09-23 04:18:44 +01:00
|
|
|
{
|
|
|
|
ccselect = {
|
|
|
|
disable = "k5identity";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
'';
|
|
|
|
apply = attrs: filterEmbeddedMetadata attrs;
|
2022-07-28 22:19:15 +01:00
|
|
|
description = lib.mdDoc ''
|
2017-09-23 04:18:44 +01:00
|
|
|
Controls plugin module registration.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
extraConfig = mkOption {
|
|
|
|
type = with types; nullOr lines;
|
|
|
|
default = null;
|
|
|
|
example = ''
|
|
|
|
[logging]
|
|
|
|
kdc = SYSLOG:NOTICE
|
|
|
|
admin_server = SYSLOG:NOTICE
|
|
|
|
default = SYSLOG:NOTICE
|
|
|
|
'';
|
2022-08-15 06:16:25 +01:00
|
|
|
description = lib.mdDoc ''
|
|
|
|
These lines go to the end of `krb5.conf` verbatim.
|
|
|
|
`krb5.conf` may include any of the relations that are
|
|
|
|
valid for `kdc.conf` (see `man kdc.conf`),
|
2022-08-13 10:35:46 +01:00
|
|
|
but it is not a recommended practice.
|
2017-09-23 04:18:44 +01:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
config = mkOption {
|
|
|
|
type = with types; nullOr lines;
|
|
|
|
default = null;
|
|
|
|
example = ''
|
|
|
|
[libdefaults]
|
|
|
|
default_realm = EXAMPLE.COM
|
|
|
|
|
|
|
|
[realms]
|
|
|
|
EXAMPLE.COM = {
|
|
|
|
admin_server = kerberos.example.com
|
|
|
|
kdc = kerberos.example.com
|
|
|
|
default_principal_flags = +preauth
|
|
|
|
}
|
|
|
|
|
|
|
|
[domain_realm]
|
|
|
|
example.com = EXAMPLE.COM
|
|
|
|
.example.com = EXAMPLE.COM
|
|
|
|
|
|
|
|
[logging]
|
|
|
|
kdc = SYSLOG:NOTICE
|
|
|
|
admin_server = SYSLOG:NOTICE
|
|
|
|
default = SYSLOG:NOTICE
|
|
|
|
'';
|
2022-07-28 22:19:15 +01:00
|
|
|
description = lib.mdDoc ''
|
|
|
|
Verbatim `krb5.conf` configuration. Note that this
|
2017-09-23 04:18:44 +01:00
|
|
|
is mutually exclusive with configuration via
|
2022-07-28 22:19:15 +01:00
|
|
|
`libdefaults`, `realms`,
|
|
|
|
`domain_realm`, `capaths`,
|
|
|
|
`appdefaults`, `plugins` and
|
|
|
|
`extraConfig` configuration options. Consult
|
|
|
|
`man krb5.conf` for documentation.
|
2017-09-23 04:18:44 +01:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
defaultRealm = mkOption {
|
|
|
|
type = with types; nullOr str;
|
|
|
|
default = null;
|
|
|
|
example = "ATHENA.MIT.EDU";
|
2022-07-28 22:19:15 +01:00
|
|
|
description = lib.mdDoc ''
|
2017-09-23 04:18:44 +01:00
|
|
|
DEPRECATED, please use
|
2022-07-28 22:19:15 +01:00
|
|
|
`krb5.libdefaults.default_realm`.
|
2017-09-23 04:18:44 +01:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
domainRealm = mkOption {
|
|
|
|
type = with types; nullOr str;
|
|
|
|
default = null;
|
|
|
|
example = "athena.mit.edu";
|
2022-07-28 22:19:15 +01:00
|
|
|
description = lib.mdDoc ''
|
2017-09-23 04:18:44 +01:00
|
|
|
DEPRECATED, please create a map of server hostnames to Kerberos realms
|
2022-07-28 22:19:15 +01:00
|
|
|
in `krb5.domain_realm`.
|
2017-09-23 04:18:44 +01:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
kdc = mkOption {
|
|
|
|
type = with types; nullOr str;
|
|
|
|
default = null;
|
|
|
|
example = "kerberos.mit.edu";
|
2022-07-28 22:19:15 +01:00
|
|
|
description = lib.mdDoc ''
|
|
|
|
DEPRECATED, please pass a `kdc` attribute to a realm
|
|
|
|
in `krb5.realms`.
|
2017-09-23 04:18:44 +01:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
kerberosAdminServer = mkOption {
|
|
|
|
type = with types; nullOr str;
|
|
|
|
default = null;
|
|
|
|
example = "kerberos.mit.edu";
|
2022-07-28 22:19:15 +01:00
|
|
|
description = lib.mdDoc ''
|
|
|
|
DEPRECATED, please pass an `admin_server` attribute
|
|
|
|
to a realm in `krb5.realms`.
|
2017-09-23 04:18:44 +01:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
###### implementation
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
|
|
|
|
environment.systemPackages = [ cfg.kerberos ];
|
|
|
|
|
|
|
|
environment.etc."krb5.conf".text = if isString cfg.config
|
|
|
|
then cfg.config
|
|
|
|
else (''
|
|
|
|
[libdefaults]
|
|
|
|
${mkMappedAttrsOrString mergedConfig.libdefaults}
|
|
|
|
|
|
|
|
[realms]
|
|
|
|
${mkMappedAttrsOrString mergedConfig.realms}
|
|
|
|
|
|
|
|
[domain_realm]
|
|
|
|
${mkMappedAttrsOrString mergedConfig.domain_realm}
|
|
|
|
|
|
|
|
[capaths]
|
|
|
|
${mkMappedAttrsOrString mergedConfig.capaths}
|
|
|
|
|
|
|
|
[appdefaults]
|
|
|
|
${mkMappedAttrsOrString mergedConfig.appdefaults}
|
|
|
|
|
|
|
|
[plugins]
|
|
|
|
${mkMappedAttrsOrString mergedConfig.plugins}
|
|
|
|
'' + optionalString (mergedConfig.extraConfig != null)
|
|
|
|
("\n" + mergedConfig.extraConfig));
|
|
|
|
|
|
|
|
warnings = flatten [
|
|
|
|
(optional (cfg.defaultRealm != null) ''
|
|
|
|
The option krb5.defaultRealm is deprecated, please use
|
|
|
|
krb5.libdefaults.default_realm.
|
|
|
|
'')
|
|
|
|
(optional (cfg.domainRealm != null) ''
|
|
|
|
The option krb5.domainRealm is deprecated, please use krb5.domain_realm.
|
|
|
|
'')
|
|
|
|
(optional (cfg.kdc != null) ''
|
|
|
|
The option krb5.kdc is deprecated, please pass a kdc attribute to a
|
|
|
|
realm in krb5.realms.
|
|
|
|
'')
|
|
|
|
(optional (cfg.kerberosAdminServer != null) ''
|
|
|
|
The option krb5.kerberosAdminServer is deprecated, please pass an
|
|
|
|
admin_server attribute to a realm in krb5.realms.
|
|
|
|
'')
|
|
|
|
];
|
|
|
|
|
|
|
|
assertions = [
|
|
|
|
{ assertion = !((builtins.any (value: value != null) [
|
|
|
|
cfg.defaultRealm cfg.domainRealm cfg.kdc cfg.kerberosAdminServer
|
|
|
|
]) && ((builtins.any (value: value != {}) [
|
|
|
|
cfg.libdefaults cfg.realms cfg.domain_realm cfg.capaths
|
|
|
|
cfg.appdefaults cfg.plugins
|
|
|
|
]) || (builtins.any (value: value != null) [
|
|
|
|
cfg.config cfg.extraConfig
|
|
|
|
])));
|
|
|
|
message = ''
|
|
|
|
Configuration of krb5.conf by deprecated options is mutually exclusive
|
|
|
|
with configuration by section. Please migrate your config using the
|
|
|
|
attributes suggested in the warnings.
|
|
|
|
'';
|
|
|
|
}
|
|
|
|
{ assertion = !(cfg.config != null
|
|
|
|
&& ((builtins.any (value: value != {}) [
|
|
|
|
cfg.libdefaults cfg.realms cfg.domain_realm cfg.capaths
|
|
|
|
cfg.appdefaults cfg.plugins
|
|
|
|
]) || (builtins.any (value: value != null) [
|
|
|
|
cfg.extraConfig cfg.defaultRealm cfg.domainRealm cfg.kdc
|
|
|
|
cfg.kerberosAdminServer
|
|
|
|
])));
|
|
|
|
message = ''
|
|
|
|
Configuration of krb5.conf using krb.config is mutually exclusive with
|
|
|
|
configuration by section. If you want to mix the two, you can pass
|
|
|
|
lines to any configuration section or lines to krb5.extraConfig.
|
|
|
|
'';
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
|
|
|
}
|