From dfdd3482065c0b10b8bbd1955e74c8e092230a02 Mon Sep 17 00:00:00 2001 From: Kai Wohlfahrt Date: Mon, 6 Nov 2017 14:42:01 +0000 Subject: [PATCH 01/10] kerberos-server: Fix sbin paths tcpd doesn't have sbin anymore (so it was broken), and heimdal just symlinks to bin. --- nixos/modules/services/system/kerberos.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/nixos/modules/services/system/kerberos.nix b/nixos/modules/services/system/kerberos.nix index e2c45ed64ac0..e6cfd0a8289c 100644 --- a/nixos/modules/services/system/kerberos.nix +++ b/nixos/modules/services/system/kerberos.nix @@ -60,5 +60,4 @@ in script = "${heimdalFull}/libexec/heimdal/kpasswdd"; }; }; - } From ee3bd730d472b36bf620b0001519c5aab2073f09 Mon Sep 17 00:00:00 2001 From: Kai Wohlfahrt Date: Mon, 6 Nov 2017 16:08:41 +0000 Subject: [PATCH 02/10] kerberos-server: move kadmind to systemd Don't use socket activation, as inetd is discouraged by heimdal documentation. --- nixos/modules/services/system/kerberos.nix | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/nixos/modules/services/system/kerberos.nix b/nixos/modules/services/system/kerberos.nix index e6cfd0a8289c..5647281db983 100644 --- a/nixos/modules/services/system/kerberos.nix +++ b/nixos/modules/services/system/kerberos.nix @@ -34,16 +34,10 @@ in config = mkIf config.services.kerberos_server.enable { environment.systemPackages = [ heimdalFull ]; - - services.xinetd.enable = true; - services.xinetd.services = lib.singleton - { name = "kerberos-adm"; - flags = "REUSE NAMEINARGS"; - protocol = "tcp"; - user = "root"; - server = "${pkgs.tcp_wrappers}/bin/tcpd"; - serverArgs = "${pkgs.heimdalFull}/libexec/heimdal/kadmind"; - }; + systemd.services.kadmind = { + description = "Kerberos Administration Daemon"; + script = "${pkgs.heimdalFull}/libexec/heimdal/kadmind"; + }; systemd.services.kdc = { description = "Key Distribution Center daemon"; From 4f9af77287b518831ad1267228382705537bb39e Mon Sep 17 00:00:00 2001 
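Review bot: The new `systemd.services.kadmind` in the kadmind hunk has no `wantedBy`, so unlike `systemd.services.kdc` directly below it (which carries `wantedBy = [ "multi-user.target" ];`) it is never started at boot; add `wantedBy = [ "multi-user.target" ];` next to the description. The xinetd entry it replaces was started on demand, so this move silently leaves kadmind off until patch 05 adds the wantedBy. Patches 03 and 04 rewrite the same unit and inherit the omission. The enclosing `config = mkIf ... {` attrset starts above this hunk.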
From: Kai Wohlfahrt Date: Mon, 6 Nov 2017 17:17:24 +0000 Subject: [PATCH 03/10] kerberos-server: cleanup of kerberos.nix General cleanup before adding more options. --- nixos/modules/services/system/kerberos.nix | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/nixos/modules/services/system/kerberos.nix b/nixos/modules/services/system/kerberos.nix index 5647281db983..950756aa8369 100644 --- a/nixos/modules/services/system/kerberos.nix +++ b/nixos/modules/services/system/kerberos.nix @@ -1,22 +1,15 @@ {pkgs, config, lib, ...}: let - inherit (lib) mkOption mkIf; - - inherit (pkgs) heimdalFull; - + cfg = config.services.kerberos_server; stateDir = "/var/heimdal"; in { - ###### interface - options = { - services.kerberos_server = { - enable = mkOption { default = false; description = '' @@ -25,15 +18,13 @@ in }; }; - }; ###### implementation - config = mkIf config.services.kerberos_server.enable { - - environment.systemPackages = [ heimdalFull ]; + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.heimdalFull ]; systemd.services.kadmind = { description = "Kerberos Administration Daemon"; script = "${pkgs.heimdalFull}/libexec/heimdal/kadmind"; @@ -45,13 +36,13 @@ in preStart = '' mkdir -m 0755 -p ${stateDir} ''; - script = "${heimdalFull}/libexec/heimdal/kdc"; + script = "${pkgs.heimdalFull}/libexec/heimdal/kdc"; }; systemd.services.kpasswdd = { description = "Kerberos Password Changing daemon"; wantedBy = [ "multi-user.target" ]; - script = "${heimdalFull}/libexec/heimdal/kpasswdd"; + script = "${pkgs.heimdalFull}/libexec/heimdal/kpasswdd"; }; }; } From fe8f2b8813e75ab8b20e133b60afaac6e955bca7 Mon Sep 17 00:00:00 2001 From: Kai Wohlfahrt Date: Wed, 8 Nov 2017 10:01:33 +0000 Subject: [PATCH 04/10] kerberos-server: switch to ExecStart script causes problems for forking services like MIT Kerberos. --- nixos/modules/services/system/kerberos.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/nixos/modules/services/system/kerberos.nix b/nixos/modules/services/system/kerberos.nix index 950756aa8369..694dee8c2313 100644 --- a/nixos/modules/services/system/kerberos.nix +++ b/nixos/modules/services/system/kerberos.nix @@ -27,7 +27,7 @@ in environment.systemPackages = [ pkgs.heimdalFull ]; systemd.services.kadmind = { description = "Kerberos Administration Daemon"; - script = "${pkgs.heimdalFull}/libexec/heimdal/kadmind"; + serviceConfig.ExecStart = "${pkgs.heimdalFull}/libexec/heimdal/kadmind"; }; systemd.services.kdc = { @@ -36,13 +36,13 @@ in preStart = '' mkdir -m 0755 -p ${stateDir} ''; - script = "${pkgs.heimdalFull}/libexec/heimdal/kdc"; + serviceConfig.ExecStart = "${pkgs.heimdalFull}/libexec/heimdal/kdc"; }; systemd.services.kpasswdd = { description = "Kerberos Password Changing daemon"; wantedBy = [ "multi-user.target" ]; - script = "${pkgs.heimdalFull}/libexec/heimdal/kpasswdd"; + serviceConfig.ExecStart = "${pkgs.heimdalFull}/libexec/heimdal/kpasswdd"; }; }; } From 6cca9c0f9f2d7ed80ae52609160d2678e6fe38cd Mon Sep 17 00:00:00 2001 
From: Kai Wohlfahrt Date: Mon, 6 Nov 2017 17:41:34 +0000 Subject: [PATCH 05/10] kerberos-server: add kerberos option Allow switching out kerberos server implementation. Sharing config is probably sensible, but implementation is different enough to be worth splitting into two files. Not sure this is the correct way to split an implementation, but it works for now. Uses the switch from config.krb5 to select implementation. --- nixos/modules/module-list.nix | 2 +- nixos/modules/services/system/kerberos.nix | 48 ------------ .../services/system/kerberos/default.nix | 76 +++++++++++++++++++ .../services/system/kerberos/heimdal.nix | 74 ++++++++++++++++++ .../modules/services/system/kerberos/mit.nix | 74 ++++++++++++++++++ nixos/tests/kerberos/default.nix | 5 ++ nixos/tests/kerberos/heimdal.nix | 53 +++++++++++++ nixos/tests/kerberos/mit.nix | 45 +++++++++++ 8 files changed, 328 insertions(+), 49 deletions(-) delete mode 100644 nixos/modules/services/system/kerberos.nix create mode 100644 nixos/modules/services/system/kerberos/default.nix create mode 100644 nixos/modules/services/system/kerberos/heimdal.nix create mode 100644 nixos/modules/services/system/kerberos/mit.nix create mode 100644 nixos/tests/kerberos/default.nix create mode 100644 nixos/tests/kerberos/heimdal.nix create mode 100644 nixos/tests/kerberos/mit.nix diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index e3e097dca26f..a02352a2b93c 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -690,7 +690,7 @@ ./services/system/dbus.nix ./services/system/earlyoom.nix ./services/system/localtime.nix - ./services/system/kerberos.nix + ./services/system/kerberos/default.nix ./services/system/nscd.nix ./services/system/saslauthd.nix ./services/system/uptimed.nix diff --git a/nixos/modules/services/system/kerberos.nix b/nixos/modules/services/system/kerberos.nix deleted file mode 100644 index 694dee8c2313..000000000000 
--- a/nixos/modules/services/system/kerberos.nix +++ /dev/null @@ -1,48 +0,0 @@ -{pkgs, config, lib, ...}: - -let - inherit (lib) mkOption mkIf; - cfg = config.services.kerberos_server; - stateDir = "/var/heimdal"; -in - -{ - ###### interface - options = { - services.kerberos_server = { - enable = mkOption { - default = false; - description = '' - Enable the kerberos authentification server. - ''; - }; - - }; - }; - - - ###### implementation - - config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.heimdalFull ]; - systemd.services.kadmind = { - description = "Kerberos Administration Daemon"; - serviceConfig.ExecStart = "${pkgs.heimdalFull}/libexec/heimdal/kadmind"; - }; - - systemd.services.kdc = { - description = "Key Distribution Center daemon"; - wantedBy = [ "multi-user.target" ]; - preStart = '' - mkdir -m 0755 -p ${stateDir} - ''; - serviceConfig.ExecStart = "${pkgs.heimdalFull}/libexec/heimdal/kdc"; - }; - - systemd.services.kpasswdd = { - description = "Kerberos Password Changing daemon"; - wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = "${pkgs.heimdalFull}/libexec/heimdal/kpasswdd"; - }; - }; -} diff --git a/nixos/modules/services/system/kerberos/default.nix b/nixos/modules/services/system/kerberos/default.nix new file mode 100644 index 000000000000..90be7e8d551a --- /dev/null +++ b/nixos/modules/services/system/kerberos/default.nix 
@@ -0,0 +1,76 @@ +{pkgs, config, lib, ...}: + +let + inherit (lib) mkOption mkIf types; + cfg = config.services.kerberos_server; + kerberos = config.krb5.kerberos; + + aclEntry = { + options = { + principal = mkOption { + type = types.str; + description = "Which principal the rule applies to"; + }; + access = mkOption { + type = types.either + (types.listOf (types.enum ["add" "cpw" "delete" "get" "list" "modify"])) + (types.enum ["all"]); + default = "all"; + description = "The changes the principal is allowed to make."; + }; + target = mkOption { + type = types.str; + default = "*"; + description = "The principals that 'access' applies to."; + }; + }; + }; + + realm = { + options = { + acl = mkOption { + type = types.listOf (types.submodule aclEntry); + default = [ + { principal = "*/admin"; access = "all"; } + { principal = "admin"; access = "all"; } + ]; + description = '' + The privileges granted to a user. + ''; + }; + }; + }; +in + +{ + imports = [ + ./mit.nix + ./heimdal.nix + ]; + + ###### interface + options = { + services.kerberos_server = { + enable = mkOption { + default = false; + description = '' + Enable the kerberos authentification server. + ''; + }; + + realms = mkOption { + type = types.attrsOf (types.submodule realm); + description = '' + The realm(s) to serve keys for. + ''; + }; + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + environment.systemPackages = [ kerberos ]; + }; +} diff --git a/nixos/modules/services/system/kerberos/heimdal.nix b/nixos/modules/services/system/kerberos/heimdal.nix new file mode 100644 index 000000000000..554b1580810a --- /dev/null +++ b/nixos/modules/services/system/kerberos/heimdal.nix 
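Review bot: `realms` is declared without a `default`, so a configuration that sets `enable = true` but never sets `realms` fails as soon as `cfg.realms` is read in heimdal.nix or mit.nix, with an unset-option error rather than a useful message; `default = {};` on the option would make the empty case explicit. The default `acl` grants `access = "all"` on `target = "*"` to `admin` and to every `*/admin` principal, and the description `The privileges granted to a user.` does not say so; a sentence such as `By default, admin and any */admin principal may perform every operation on every principal.` would let operators notice and narrow it. The `enable` description also misspells authentication as `authentification`.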
@@ -0,0 +1,74 @@ +{ pkgs, config, lib, ... } : + +let + inherit (lib) mkIf concatStringsSep concatMapStrings toList mapAttrs' + nameValuePair attrNames attrValues; + cfg = config.services.kerberos_server; + kerberos = config.krb5.kerberos; + stateDir = "/var/heimdal"; + aclFiles = mapAttrs' + (name: {acl, ...}: nameValuePair "${name}.acl" ( + pkgs.writeText "${name}.acl" (concatMapStrings (( + {principal, access, target, ...} : + "${principal}\t${concatStringsSep "," (toList access)}\t${target}\n" + )) acl) + )) cfg.realms; + + kdcConfigs = map (name: '' + database = { + dbname = ${stateDir}/heimdal + acl_file = /etc/heimdal-kdc/${name}.acl + } + '') (attrNames cfg.realms); + kdcConfFile = pkgs.writeText "kdc.conf" '' + [kdc] + ${concatStringsSep "\n" kdcConfigs} + ''; +in + +{ + # No documentation about correct triggers, so guessing at them. + + config = mkIf (cfg.enable && kerberos == pkgs.heimdalFull) { + systemd.services.kadmind = { + description = "Kerberos Administration Daemon"; + wantedBy = [ "multi-user.target" ]; + preStart = '' + mkdir -m 0755 -p ${stateDir} + ''; + serviceConfig.ExecStart = + "${kerberos}/libexec/heimdal/kadmind --config-file=/etc/heimdal-kdc/kdc.conf"; + restartTriggers = [ kdcConfFile ] ++ (attrValues aclFiles); + }; + + systemd.services.kdc = { + description = "Key Distribution Center daemon"; + wantedBy = [ "multi-user.target" ]; + preStart = '' + mkdir -m 0755 -p ${stateDir} + ''; + serviceConfig.ExecStart = + "${kerberos}/libexec/heimdal/kdc --config-file=/etc/heimdal-kdc/kdc.conf"; + restartTriggers = [ kdcConfFile ]; + }; + + systemd.services.kpasswdd = { + description = "Kerberos Password Changing daemon"; + wantedBy = [ "multi-user.target" ]; + preStart = '' + mkdir -m 0755 -p ${stateDir} + ''; + serviceConfig.ExecStart = "${kerberos}/libexec/heimdal/kpasswdd"; + restartTriggers = [ kdcConfFile ] ++ (attrValues aclFiles); + }; + + environment.etc = { + # Can be set via the --config-file option to KDC + 
"heimdal-kdc/kdc.conf".source = kdcConfFile; + } // ( + mapAttrs' + (name: value: nameValuePair "heimdal-kdc/${name}" {source = value;}) + aclFiles + ); + }; +} diff --git a/nixos/modules/services/system/kerberos/mit.nix b/nixos/modules/services/system/kerberos/mit.nix new file mode 100644 index 000000000000..9ff67f647284 --- /dev/null +++ b/nixos/modules/services/system/kerberos/mit.nix 
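Review bot: All three `preStart` blocks create `${stateDir}` with `mkdir -m 0755 -p`, which leaves the directory that will hold the Heimdal database world-readable and traversable although only the daemons (root, since no `User` is set) need it; `mkdir -m 0700 -p ${stateDir}` is the least-privilege choice, and the same applies to `/var/lib/krb5kdc` in mit.nix, where the MIT test's `kdb5_util create -s` also places the master-key stash. As the three blocks are identical, a single string in the `let` block would remove the duplication. `kpasswdd` is started without `--config-file=/etc/heimdal-kdc/kdc.conf` yet lists `kdcConfFile` and the ACL files in `restartTriggers`; if it does not read that file the triggers are unneeded, and if it should, the option is missing — worth confirming against the Heimdal documentation.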
@@ -0,0 +1,74 @@ +{ pkgs, config, lib, ... } : + +let + inherit (lib) mkIf concatStrings concatStringsSep concatMapStrings toList + mapAttrs' nameValuePair attrNames attrValues; + cfg = config.services.kerberos_server; + kerberos = config.krb5.kerberos; + stateDir = "/var/lib/krb5kdc"; + PIDFile = "/run/kdc.pid"; + aclMap = { + add = "a"; cpw = "c"; delete = "d"; get = "i"; list = "l"; modify = "m"; + all = "*"; + }; + aclFiles = mapAttrs' + (name: {acl, ...}: nameValuePair "${name}.acl" ( + pkgs.writeText "${name}.acl" (concatMapStrings ( + {principal, access, target, ...} : + let access_code = map (a: aclMap.${a}) (toList access); in + "${principal} ${concatStrings access_code} ${target}\n" + ) acl) + )) cfg.realms; + kdcConfigs = map (name: '' + ${name} = { + acl_file = /etc/krb5kdc/${name}.acl + } + '') (attrNames cfg.realms); + kdcConfFile = pkgs.writeText "kdc.conf" '' + [realms] + ${concatStringsSep "\n" kdcConfigs} + ''; + env = { + # What Debian uses, could possibly link directly to Nix store? 
+ KRB5_KDC_PROFILE = "/etc/krb5kdc/kdc.conf"; + }; +in + +{ + config = mkIf (cfg.enable && kerberos == pkgs.krb5Full) { + systemd.services.kadmind = { + description = "Kerberos Administration Daemon"; + wantedBy = [ "multi-user.target" ]; + preStart = '' + mkdir -m 0755 -p ${stateDir} + ''; + serviceConfig.ExecStart = "${kerberos}/bin/kadmind -nofork"; + restartTriggers = [ kdcConfFile ] ++ (attrValues aclFiles); + environment = env; + }; + + systemd.services.kdc = { + description = "Key Distribution Center daemon"; + wantedBy = [ "multi-user.target" ]; + preStart = '' + mkdir -m 0755 -p ${stateDir} + ''; + serviceConfig = { + Type = "forking"; + PIDFile = PIDFile; + ExecStart = "${kerberos}/bin/krb5kdc -P ${PIDFile}"; + }; + restartTriggers = [ kdcConfFile ]; + environment = env; + }; + + environment.etc = { + "krb5kdc/kdc.conf".source = kdcConfFile; + } // ( + mapAttrs' + (name: value: nameValuePair "krb5kdc/${name}" {source = value;}) + aclFiles + ); + environment.variables = env; + }; +} diff --git a/nixos/tests/kerberos/default.nix b/nixos/tests/kerberos/default.nix new file mode 100644 index 000000000000..ae8bdb8bbc82 --- /dev/null +++ b/nixos/tests/kerberos/default.nix @@ -0,0 +1,5 @@ +{ system ? builtins.currentSystem }: +{ + mit = import ./mit.nix { inherit system; }; + heimdal = import ./heimdal.nix { inherit system; }; +} diff --git a/nixos/tests/kerberos/heimdal.nix b/nixos/tests/kerberos/heimdal.nix new file mode 100644 index 000000000000..a0551b131e91 --- /dev/null +++ b/nixos/tests/kerberos/heimdal.nix 
@@ -0,0 +1,53 @@ +import ../make-test.nix ({pkgs, ...}: { + name = "kerberos_server-heimdal"; + machine = { config, libs, pkgs, ...}: + { services.kerberos_server = + { enable = true; + realms = { + "FOO.BAR".acl = [{principal = "admin"; access = ["add" "cpw"];}]; + }; + }; + krb5 = { + enable = true; + kerberos = pkgs.heimdalFull; + libdefaults = { + default_realm = "FOO.BAR"; + }; + realms = { + "FOO.BAR" = { + admin_server = "machine"; + kdc = "machine"; + }; + }; + }; + }; + + testScript = '' + $machine->start; + + $machine->succeed( + "kadmin -l init --realm-max-ticket-life='8 day' \\ + --realm-max-renewable-life='10 day' FOO.BAR" + ); + + $machine->succeed("systemctl restart kadmind.service kdc.service"); + $machine->waitForUnit("kadmind.service"); + $machine->waitForUnit("kdc.service"); + $machine->waitForUnit("kpasswdd.service"); + + $machine->succeed( + "kadmin -l add --password=admin_pw --use-defaults admin" + ); + $machine->succeed( + "kadmin -l ext_keytab --keytab=admin.keytab admin" + ); + $machine->succeed( + "kadmin -p admin -K admin.keytab add --password=alice_pw --use-defaults \\ + alice" + ); + $machine->succeed( + "kadmin -l ext_keytab --keytab=alice.keytab alice" + ); + $machine->succeed("kinit -kt alice.keytab alice"); + ''; +}) diff --git a/nixos/tests/kerberos/mit.nix b/nixos/tests/kerberos/mit.nix new file mode 100644 index 000000000000..6da3a384aa99 --- /dev/null +++ b/nixos/tests/kerberos/mit.nix 
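Review bot: The test configures `admin` with `access = ["add" "cpw"]` but only exercises `add`, so a generated ACL that granted everything would still pass; a negative step such as `$machine->fail("kadmin -p admin -K admin.keytab delete alice");` after the add would pin that the ACL file is actually enforced, and the MIT test in mit.nix would benefit from the same check with `delprinc`. The `machine` argument list names `libs` where the module system passes `lib`; it is unused here so harmless, but it reads like a typo, and mit.nix repeats it.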
@@ -0,0 +1,45 @@ +import ../make-test.nix ({pkgs, ...}: { + name = "kerberos_server-mit"; + machine = { config, libs, pkgs, ...}: + { services.kerberos_server = + { enable = true; + realms = { + "FOO.BAR".acl = [{principal = "admin"; access = ["add" "cpw"];}]; + }; + }; + krb5 = { + enable = true; + kerberos = pkgs.krb5Full; + libdefaults = { + default_realm = "FOO.BAR"; + }; + realms = { + "FOO.BAR" = { + admin_server = "machine"; + kdc = "machine"; + }; + }; + }; + users.extraUsers.alice = { isNormalUser = true; }; + }; + + testScript = '' + $machine->start; + + $machine->succeed( + "kdb5_util create -s -r FOO.BAR -P master_key" + ); + + $machine->succeed("systemctl restart kadmind.service kdc.service"); + $machine->waitForUnit("kadmind.service"); + $machine->waitForUnit("kdc.service"); + + $machine->succeed( + "kadmin.local add_principal -pw admin_pw admin" + ); + $machine->succeed( + "kadmin -p admin -w admin_pw addprinc -pw alice_pw alice" + ); + $machine->succeed("echo alice_pw | sudo -u alice kinit"); + ''; +}) From 4e4a599e7e20cf04b6dd8dbb10173cea742085c5 Mon Sep 17 00:00:00 2001 From: Kai Wohlfahrt Date: Mon, 13 Nov 2017 13:09:35 +0000 Subject: [PATCH 06/10] kerberos_server: Keep ACL file in store Could also move kdc.conf, but this makes it inconvenient to use command line utilities with heimdal, as it would require specifying --config-file with every command. --- .../services/system/kerberos/heimdal.nix | 32 ++++++++----------- .../modules/services/system/kerberos/mit.nix | 30 +++++++---------- 2 files changed, 25 insertions(+), 37 deletions(-) diff --git a/nixos/modules/services/system/kerberos/heimdal.nix b/nixos/modules/services/system/kerberos/heimdal.nix index 554b1580810a..d0f470f836ed 100644 --- a/nixos/modules/services/system/kerberos/heimdal.nix +++ b/nixos/modules/services/system/kerberos/heimdal.nix 
@@ -1,25 +1,23 @@ { pkgs, config, lib, ... } : let - inherit (lib) mkIf concatStringsSep concatMapStrings toList mapAttrs' - nameValuePair attrNames attrValues; + inherit (lib) mkIf concatStringsSep concatMapStrings toList mapAttrs + mapAttrsToList attrValues; cfg = config.services.kerberos_server; kerberos = config.krb5.kerberos; stateDir = "/var/heimdal"; - aclFiles = mapAttrs' - (name: {acl, ...}: nameValuePair "${name}.acl" ( - pkgs.writeText "${name}.acl" (concatMapStrings (( - {principal, access, target, ...} : - "${principal}\t${concatStringsSep "," (toList access)}\t${target}\n" - )) acl) - )) cfg.realms; + aclFiles = mapAttrs + (name: {acl, ...}: pkgs.writeText "${name}.acl" (concatMapStrings (( + {principal, access, target, ...} : + "${principal}\t${concatStringsSep "," (toList access)}\t${target}\n" + )) acl)) cfg.realms; - kdcConfigs = map (name: '' + kdcConfigs = mapAttrsToList (name: value: '' database = { dbname = ${stateDir}/heimdal - acl_file = /etc/heimdal-kdc/${name}.acl + acl_file = ${value} } - '') (attrNames cfg.realms); + '') aclFiles; kdcConfFile = pkgs.writeText "kdc.conf" '' [kdc] ${concatStringsSep "\n" kdcConfigs} @@ -38,7 +36,7 @@ in ''; serviceConfig.ExecStart = "${kerberos}/libexec/heimdal/kadmind --config-file=/etc/heimdal-kdc/kdc.conf"; - restartTriggers = [ kdcConfFile ] ++ (attrValues aclFiles); + restartTriggers = [ kdcConfFile ]; }; systemd.services.kdc = { @@ -59,16 +57,12 @@ in mkdir -m 0755 -p ${stateDir} ''; serviceConfig.ExecStart = "${kerberos}/libexec/heimdal/kpasswdd"; - restartTriggers = [ kdcConfFile ] ++ (attrValues aclFiles); + restartTriggers = [ kdcConfFile ]; }; environment.etc = { # Can be set via the --config-file option to KDC "heimdal-kdc/kdc.conf".source = kdcConfFile; - } // ( - mapAttrs' - (name: value: nameValuePair "heimdal-kdc/${name}" {source = value;}) - aclFiles - ); + }; }; } 
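Review bot: `attrValues` is still inherited from `lib` in the first hunk although its only uses (`attrValues aclFiles` in the `restartTriggers` of kadmind and kpasswdd) are removed by the later hunks, leaving a dead import; drop it from the `inherit` line, and likewise in mit.nix in this same commit. Dropping the ACL files from `restartTriggers` looks sound: `kdcConfFile` now embeds each ACL's store path, so any ACL change changes `kdcConfFile` as well.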
diff --git a/nixos/modules/services/system/kerberos/mit.nix b/nixos/modules/services/system/kerberos/mit.nix index 9ff67f647284..a53d9dd0c6b5 100644 --- a/nixos/modules/services/system/kerberos/mit.nix +++ b/nixos/modules/services/system/kerberos/mit.nix @@ -2,7 +2,7 @@ let inherit (lib) mkIf concatStrings concatStringsSep concatMapStrings toList - mapAttrs' nameValuePair attrNames attrValues; + mapAttrs mapAttrsToList attrValues; cfg = config.services.kerberos_server; kerberos = config.krb5.kerberos; stateDir = "/var/lib/krb5kdc"; @@ -11,19 +11,17 @@ let add = "a"; cpw = "c"; delete = "d"; get = "i"; list = "l"; modify = "m"; all = "*"; }; - aclFiles = mapAttrs' - (name: {acl, ...}: nameValuePair "${name}.acl" ( - pkgs.writeText "${name}.acl" (concatMapStrings ( - {principal, access, target, ...} : - let access_code = map (a: aclMap.${a}) (toList access); in - "${principal} ${concatStrings access_code} ${target}\n" - ) acl) - )) cfg.realms; - kdcConfigs = map (name: '' + aclFiles = mapAttrs + (name: {acl, ...}: (pkgs.writeText "${name}.acl" (concatMapStrings ( + {principal, access, target, ...} : + let access_code = map (a: aclMap.${a}) (toList access); in + "${principal} ${concatStrings access_code} ${target}\n" + ) acl))) cfg.realms; + kdcConfigs = mapAttrsToList (name: value: '' ${name} = { - acl_file = /etc/krb5kdc/${name}.acl + acl_file = ${value} } - '') (attrNames cfg.realms); + '') aclFiles; kdcConfFile = pkgs.writeText "kdc.conf" '' [realms] ${concatStringsSep "\n" kdcConfigs} @@ -43,7 +41,7 @@ in mkdir -m 0755 -p ${stateDir} ''; serviceConfig.ExecStart = "${kerberos}/bin/kadmind -nofork"; - restartTriggers = [ kdcConfFile ] ++ (attrValues aclFiles); + restartTriggers = [ kdcConfFile ]; environment = env; }; @@ -64,11 +62,7 @@ in environment.etc = { "krb5kdc/kdc.conf".source = kdcConfFile; - } // ( - mapAttrs' - (name: value: nameValuePair "krb5kdc/${name}" {source = value;}) - aclFiles - ); + }; environment.variables = env; }; } 
From f5b4918de42917469d359d3f2e019a7d174e9c1e Mon Sep 17 00:00:00 2001 From: Kai Wohlfahrt Date: Sun, 19 Nov 2017 15:13:48 +0000 Subject: [PATCH 07/10] kerberos_server: ensure only one realm configured Leave options for multiple realms for similarity to krb5, and future expansion. Currently not tested because I can't make it work and don't need it. --- nixos/modules/services/system/kerberos/default.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/system/kerberos/default.nix b/nixos/modules/services/system/kerberos/default.nix index 90be7e8d551a..26ac85de402f 100644 --- a/nixos/modules/services/system/kerberos/default.nix +++ b/nixos/modules/services/system/kerberos/default.nix @@ -1,7 +1,7 @@ {pkgs, config, lib, ...}: let - inherit (lib) mkOption mkIf types; + inherit (lib) mkOption mkIf types length attrNames; cfg = config.services.kerberos_server; kerberos = config.krb5.kerberos; @@ -72,5 +72,9 @@ in config = mkIf cfg.enable { environment.systemPackages = [ kerberos ]; + assertions = [{ + assertion = length (attrNames cfg.realms) <= 1; + message = "Only one realm per server is currently supported."; + }]; }; } From d752677b1b2b8af93b1a6dc0532826aa29e1827f Mon Sep 17 00:00:00 2001 From: Kai Wohlfahrt Date: Mon, 26 Feb 2018 15:43:37 +0000 Subject: [PATCH 08/10] kerberos: explicitly install krb5Full.dev for tests This contains all of the user binaries as of 13e6a5c. --- nixos/tests/kerberos/mit.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/tests/kerberos/mit.nix b/nixos/tests/kerberos/mit.nix index 6da3a384aa99..df13992a8360 100644 --- a/nixos/tests/kerberos/mit.nix +++ b/nixos/tests/kerberos/mit.nix @@ -21,6 +21,7 @@ import ../make-test.nix ({pkgs, ...}: { }; }; users.extraUsers.alice = { isNormalUser = true; }; + environment.systemPackages = [ pkgs.krb5Full.dev ]; }; testScript = '' From ade842f51a709e542872dce24fcbe20aa993dff7 Mon Sep 17 00:00:00 2001 
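Review bot: The assertion `length (attrNames cfg.realms) <= 1` accepts an empty `realms`, which, given how heimdal.nix and mit.nix build `kdcConfigs` from it, yields a KDC whose config names no realm at all; if one realm is in fact required, `== 1` matches the intent better and the message could say so. Because `realms` (declared above this hunk) has no `default`, the assertion is never reached when the option is left unset — evaluation fails on the read of `cfg.realms` first — so `default = {};` on the option is what turns that failure into the friendly assertion message.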
From: Kai Wohlfahrt Date: Thu, 1 Mar 2018 09:20:51 +0000 Subject: [PATCH 09/10] kerberos: move user binaries to default output The intention of the previous change was to move krb5-config to .dev (it gives the locations of headers), but it grabbed all of the user-facing binaries too. This puts them back. --- nixos/tests/kerberos/mit.nix | 1 - pkgs/development/libraries/kerberos/krb5.nix | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/nixos/tests/kerberos/mit.nix b/nixos/tests/kerberos/mit.nix index df13992a8360..6da3a384aa99 100644 --- a/nixos/tests/kerberos/mit.nix +++ b/nixos/tests/kerberos/mit.nix @@ -21,7 +21,6 @@ import ../make-test.nix ({pkgs, ...}: { }; }; users.extraUsers.alice = { isNormalUser = true; }; - environment.systemPackages = [ pkgs.krb5Full.dev ]; }; testScript = '' diff --git a/pkgs/development/libraries/kerberos/krb5.nix b/pkgs/development/libraries/kerberos/krb5.nix index 165f9139ff1f..50a669b053f9 100644 --- a/pkgs/development/libraries/kerberos/krb5.nix +++ b/pkgs/development/libraries/kerberos/krb5.nix @@ -65,7 +65,7 @@ stdenv.mkDerivation rec { # not via outputBin, due to reference from libkrb5.so postInstall = '' - moveToOutput bin "$dev" + moveToOutput bin/krb5-config "$dev" ''; enableParallelBuilding = true; From 337bc20e5f00113329940da0fb5516f58e73ab3b Mon Sep 17 00:00:00 2001 From: Kai Wohlfahrt Date: Tue, 24 Apr 2018 11:20:32 +0100 Subject: [PATCH 10/10] kerberos: Add tests/kerberos to release.nix --- nixos/tests/all-tests.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index feffdb97c18f..eddd6496bf47 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix 
@@ -107,6 +107,7 @@ in
 ipv6 = handleTest ./ipv6.nix {};
 jenkins = handleTest ./jenkins.nix {};
 kafka = handleTest ./kafka.nix {};
+ kerberos = handleTest tests/kerberos/default.nix {};
 kernel-latest = handleTest ./kernel-latest.nix {};
 kernel-lts = handleTest ./kernel-lts.nix {};
 keymap = handleTest ./keymap.nix {};
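Review bot: The added path `tests/kerberos/default.nix` has no `./` prefix, and a Nix path literal resolves relative to the directory of the file containing it; since all-tests.nix lives in `nixos/tests/`, this points at `nixos/tests/tests/kerberos/default.nix`, which the series never creates. The neighbouring entries use `./name.nix`, so `kerberos = handleTest ./kerberos/default.nix {};` is what matches the files added in patch 05. Whether `handleTest` unpacks the `{ mit, heimdal }` attrset that file returns is not visible here and worth confirming.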