6cca9c0f9f
Allow switching out kerberos server implementation. Sharing config is probably sensible, but implementation is different enough to be worth splitting into two files. Not sure this is the correct way to split an implementation, but it works for now. Uses the switch from config.krb5 to select implementation.
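{pkgs, config, lib, ...}:

# NixOS module: the implementation-independent option interface for the
# Kerberos server. The implementation-specific wiring lives in the modules
# imported below (./mit.nix and ./heimdal.nix); this file only declares the
# options those modules read and installs the selected Kerberos package.

let
  inherit (lib) mkOption mkIf types;

  cfg = config.services.kerberos_server;

  # The package is taken from the krb5 module, so the implementation the
  # server runs is whatever config.krb5.kerberos selects (see commit message).
  kerberos = config.krb5.kerberos;

  # One ACL rule: `principal` may perform the operations in `access` on the
  # principals matched by `target`. How the rule list is rendered into the
  # server's ACL file is not defined here but in the implementation modules.
  aclEntry = {
    options = {
      principal = mkOption {
        type = types.str;
        description = "Which principal the rule applies to";
      };

      access = mkOption {
        # Either an explicit list of kadmin operations or the wildcard "all".
        type = types.either
          (types.listOf (types.enum ["add" "cpw" "delete" "get" "list" "modify"]))
          (types.enum ["all"]);
        default = "all";
        description = "The changes the principal is allowed to make.";
      };

      target = mkOption {
        type = types.str;
        # "*" means the rule applies to every principal in the realm.
        default = "*";
        description = "The principals that 'access' applies to.";
      };
    };
  };

  realm = {
    options = {
      acl = mkOption {
        type = types.listOf (types.submodule aclEntry);
        # Security note: the default grants every principal with an "admin"
        # instance (e.g. alice/admin) and the bare "admin" principal full
        # rights ("all") on every target ("*", the `target` default). Set this
        # list explicitly to restrict administrative access.
        default = [
          { principal = "*/admin"; access = "all"; }
          { principal = "admin"; access = "all"; }
        ];
        description = ''
          The privileges granted to a user.
        '';
      };
    };
  };
in

{
  imports = [
    ./mit.nix
    ./heimdal.nix
  ];

  ###### interface

  options = {
    services.kerberos_server = {
      enable = mkOption {
        # Declare the type so a non-boolean value is rejected with a clear
        # option type error instead of surfacing later when the condition
        # is evaluated.
        type = types.bool;
        default = false;
        description = ''
          Enable the kerberos authentication server.
        '';
      };

      realms = mkOption {
        # No default: a realm set must be given when the server is enabled.
        type = types.attrsOf (types.submodule realm);
        description = ''
          The realm(s) to serve keys for.
        '';
      };
    };
  };

  ###### implementation

  config = mkIf cfg.enable {
    # Only the package is installed here; services are configured by the
    # imported implementation modules.
    environment.systemPackages = [ kerberos ];
  };
}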