felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2025-12-13 05:37:14 +01:00
Code Issues Projects Releases Wiki Activity

WIP: Move krb5 realm to pvv.local, make sane ldap structure

Browse Source
This commit is contained in:
Felix Albrigtsen
2024-07-07 00:07:59 +02:00
committed by h7x4
parent 735d590f85
commit 051dd82f57
4 changed files with 66 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
hosts/dagali/services/heimdal.nix
View File

@@ -1,22 +1,15 @@
{ config, pkgs, lib, ... }:
let
realm = "PVV.NTNU.NO";
realm = "PVV.LOCAL";
cfg = config.security.krb5;
in
{
security.krb5 = {
enable = true;
# NOTE: This has a small edit that moves an include header to $dev/include.
# It is required in order to build smbk5pwd, because of some nested includes.
# NOTE: This is required in order to build smbk5pwd, because of some nested includes.
# We should open an issue upstream (heimdal, not nixpkgs), but this patch
# will do for now.
# package = pkgs.callPackage ./package.nix {
# inherit (pkgs.apple_sdk.frameworks)
# CoreFoundation Security SystemConfiguration;
# };
package = pkgs.heimdal.overrideAttrs (prev: {
postInstall = prev.postInstall + ''
cp include/heim_threads.h $dev/include
@@ -24,10 +17,12 @@ in
});
settings = {
# logging.kdc = "CONSOLE";
realms.${realm} = {
admin_server = "dagali.pvv.ntnu.no";
kdc = [ "localhost" ];
kdc = [ "dagali.${lib.toLower realm}" ];
admin_server = "dagali.${lib.toLower realm}";
kpasswd_server = "dagali.${lib.toLower realm}";
default_domain = lib.toLower realm;
primary_kdc = "dagali.${lib.toLower realm}";
};
kadmin.default_keys = lib.concatStringsSep " " [
@@ -42,14 +37,17 @@ in
libdefaults = {
default_realm = realm;
dns_lookup_kdc = false;
dns_lookup_realm = false;
};
domain_realm = {
"pvv.ntnu.no" = realm;
".pvv.ntnu.no" = realm;
"${lib.toLower realm}" = realm;
".${lib.toLower realm}" = realm;
};
logging = {
# kdc = "CONSOLE";
kdc = "SYSLOG:DEBUG:AUTH";
admin_server = "SYSLOG:DEBUG:AUTH";
default = "SYSLOG:DEBUG:AUTH";
@@ -61,8 +59,22 @@ in
enable = true;
settings = {
realms.${realm} = {
dbname = "/var/heimdal/heimdal";
mkey = "/var/heimdal/mkey";
dbname = "/var/lib/heimdal/heimdal";
mkey = "/var/lib/heimdal/m-key";
acl = [
{
principal = "kadmin/admin";
access = "all";
}
{
principal = "felixalb/admin";
access = "all";
}
{
principal = "oysteikt/admin";
access = "all";
}
];
};
# kadmin.default_keys = lib.concatStringsSep " " [
# "aes256-cts-hmac-sha1-96:pw-salt"
@@ -77,4 +89,12 @@ in
# password_quality.min_length = 8;
};
};
networking.firewall.allowedTCPPorts = [ 88 464 749 ];
networking.firewall.allowedUDPPorts = [ 88 464 749 ];
networking.hosts = {
"127.0.0.2" = lib.mkForce [ ];
"::1" = lib.mkForce [ ];
};
}

10
hosts/dagali/services/openldap.nix
View File

@@ -1,7 +1,7 @@
{ config, pkgs, lib, ... }:
{
services.openldap = let
dn = "dc=kerberos,dc=pvv,dc=ntnu,dc=no";
dn = "dc=pvv,dc=ntnu,dc=no";
cfg = config.services.openldap;
heimdal = config.security.krb5.package;
@@ -80,7 +80,7 @@
objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
olcOverlay = "{0}smbk5pwd";
olcSmbK5PwdEnable = [ "krb5" "samba" ];
olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 30);
olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
};
"olcDatabase={1}mdb".attrs = {
@@ -91,7 +91,7 @@
olcSuffix = dn;
# TODO: PW is supposed to be a secret, but it's probably fine for testing
olcRootDN = "cn=admin,${dn}";
olcRootDN = "cn=users,${dn}";
# TODO: replace with proper secret
olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
@@ -101,7 +101,7 @@
olcAccess = [
''{0}to attrs=userPassword,shadowLastChange
by dn.exact=cn=admin,${dn} write
by dn.exact=cn=users,${dn} write
by self write
by anonymous auth
by * none''
@@ -111,7 +111,7 @@
/* allow read on anything else */
# ''{2}to *
# by cn=admin,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
# by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
# by * read''
];
};