WIP: init buskerud/salsa

2025-12-14 06:07:15 +01:00 · 2024-01-17 00:25:22 +01:00
parent 7fd9a1e646
commit c16238a88f
15 changed files with 1136 additions and 16 deletions
--- a/hosts/buskerud/containers/salsa/modules/kerberos/default.nix
+++ b/hosts/buskerud/containers/salsa/modules/kerberos/default.nix
@@ -0,0 +1,101 @@
+{ config, pkgs, lib, ... }:
+
+let
+  inherit (lib) mkOption types;
+  cfg = config.services.kerberos_server;
+  inherit (config.security.krb5) package;
+
+  format = import ../krb5/krb5-conf-format.nix { inherit pkgs lib; } { };
+in
+
+{
+  imports = [
+    (lib.mkRenamedOptionModule [ "services" "kerberos_server" "realms" ] [ "services" "kerberos_server" "settings" "realms" ])
+
+    ./mit.nix
+    ./heimdal.nix
+  ];
+
+  options = {
+    services.kerberos_server = {
+      enable = lib.mkEnableOption (lib.mdDoc "the kerberos authentication server");
+
+      settings = let
+        aclEntry = types.submodule {
+          options = {
+            principal = mkOption {
+              type = types.str;
+              description = lib.mdDoc "Which principal the rule applies to";
+            };
+            access = mkOption {
+              type = types.either
+                (types.listOf (types.enum ["add" "cpw" "delete" "get" "list" "modify"]))
+                (types.enum ["all"]);
+              default = "all";
+              description = lib.mdDoc "The changes the principal is allowed to make.";
+            };
+            target = mkOption {
+              type = types.str;
+              default = "*";
+              description = lib.mdDoc "The principals that 'access' applies to.";
+            };
+          };
+        };
+
+        realm = types.submodule ({ name, ... }: {
+          freeformType = format.sectionType;
+          options = {
+            acl = mkOption {
+              type = types.listOf aclEntry;
+              default = [
+                { principal = "*/admin"; access = "all"; }
+                { principal = "admin"; access = "all"; }
+              ];
+              description = lib.mdDoc ''
+                The privileges granted to a user.
+              '';
+            };
+          };
+        });
+      in mkOption {
+        type = types.submodule (format.type.getSubModules ++ [{
+          options = {
+            realms = mkOption {
+              type = types.attrsOf realm;
+              description = lib.mdDoc ''
+                The realm(s) to serve keys for.
+              '';
+            };
+          };
+        }]);
+        description = ''
+          Settings for the kerberos server of choice.
+
+          See the following documentation:
+          - Heimdal: {manpage}`kdc.conf(5)`
+          - MIT Kerberos: <https://web.mit.edu/kerberos/krb5-1.21/doc/admin/conf_files/kdc_conf.html>
+        '';
+        default = { };
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ package ];
+    assertions = [
+      {
+        assertion = cfg.settings.realms != { };
+        message = "The server needs at least one realm";
+      }
+      {
+        assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1;
+        message = "Only one realm per server is currently supported.";
+      }
+    ];
+
+    systemd.slices.system-kerberos-server = { };
+    systemd.targets.kerberos-server = {
+      wantedBy = [ "multi-user.target" ];
+    };
+  };
+}
--- a/hosts/buskerud/containers/salsa/modules/kerberos/heimdal.nix
+++ b/hosts/buskerud/containers/salsa/modules/kerberos/heimdal.nix
@@ -0,0 +1,87 @@
+{ pkgs, config, lib, ... } :
+
+let
+  inherit (lib)  mapAttrs;
+  cfg = config.services.kerberos_server;
+  package = config.security.krb5.package;
+
+  aclConfigs = lib.pipe cfg.settings.realms [
+    (mapAttrs (name: { acl, ... }: lib.concatMapStringsSep "\n" (
+      { principal, access, target, ... }:
+      "${principal}\t${lib.concatStringsSep "," (lib.toList access)}\t${target}"
+    ) acl))
+    (lib.mapAttrsToList (name: text:
+      {
+        dbname = "/var/lib/heimdal/heimdal";
+        acl_file = pkgs.writeText "${name}.acl" text;
+      }
+    ))
+  ];
+
+  finalConfig = cfg.settings // {
+    realms = mapAttrs (_: v: removeAttrs v [ "acl" ]) (cfg.settings.realms or { });
+    kdc = (cfg.settings.kdc or { }) // {
+      database = aclConfigs;
+    };
+  };
+
+  format = import ../krb5/krb5-conf-format.nix { inherit pkgs lib; } { };
+
+  kdcConfFile = format.generate "kdc.conf" finalConfig;
+in
+
+{
+  config = lib.mkIf (cfg.enable && package.passthru.implementation == "heimdal") {
+    environment.etc."heimdal-kdc/kdc.conf".source = kdcConfFile;
+
+    systemd.tmpfiles.settings."10-heimdal" = let
+      databases = lib.pipe finalConfig.kdc.database [
+        (map (dbAttrs: dbAttrs.dbname or null))
+        (lib.filter (x: x != null))
+        lib.unique
+      ];
+    in lib.genAttrs databases (_: {
+      d = {
+        user = "root";
+        group = "root";
+        mode = "0700";
+      };
+    });
+
+    systemd.services.kadmind = {
+      description = "Kerberos Administration Daemon";
+      partOf = [ "kerberos-server.target" ];
+      wantedBy = [ "kerberos-server.target" ];
+      serviceConfig = {
+        ExecStart = "${package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
+        Slice = "system-kerberos-server.slice";
+        StateDirectory = "heimdal";
+      };
+      restartTriggers = [ kdcConfFile ];
+    };
+
+    systemd.services.kdc = {
+      description = "Key Distribution Center daemon";
+      partOf = [ "kerberos-server.target" ];
+      wantedBy = [ "kerberos-server.target" ];
+      serviceConfig = {
+        ExecStart = "${package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
+        Slice = "system-kerberos-server.slice";
+        StateDirectory = "heimdal";
+      };
+      restartTriggers = [ kdcConfFile ];
+    };
+
+    systemd.services.kpasswdd = {
+      description = "Kerberos Password Changing daemon";
+      partOf = [ "kerberos-server.target" ];
+      wantedBy = [ "kerberos-server.target" ];
+      serviceConfig = {
+        ExecStart = "${package}/libexec/kpasswdd";
+        Slice = "system-kerberos-server.slice";
+        StateDirectory = "heimdal";
+      };
+      restartTriggers = [ kdcConfFile ];
+    };
+  };
+}
--- a/hosts/buskerud/containers/salsa/modules/kerberos/mit.nix
+++ b/hosts/buskerud/containers/salsa/modules/kerberos/mit.nix
@@ -0,0 +1,77 @@
+{ pkgs, config, lib, ... } :
+
+let
+  inherit (lib) mapAttrs;
+  cfg = config.services.kerberos_server;
+  package = config.security.krb5.package;
+  PIDFile = "/run/kdc.pid";
+
+  format = import ../krb5/krb5-conf-format.nix { inherit pkgs lib; } { };
+
+  aclMap = {
+    add = "a"; cpw = "c"; delete = "d"; get = "i"; list = "l"; modify = "m";
+    all = "*";
+  };
+
+  aclConfigs = lib.pipe cfg.settings.realms [
+    (mapAttrs (name: { acl, ... }: lib.concatMapStringsSep "\n" (
+      { principal, access, target, ... }: let
+        access_code = map (a: aclMap.${a}) (lib.toList access);
+      in "${principal} ${lib.concatStrings access_code} ${target}"
+    ) acl))
+
+    (lib.concatMapAttrs (name: text: {
+      ${name} = {
+        acl_file = pkgs.writeText "${name}.acl" text;
+      };
+    }))
+  ];
+
+  finalConfig = cfg.settings // {
+    realms = mapAttrs (n: v: (removeAttrs v [ "acl" ]) // aclConfigs.${n}) (cfg.settings.realms or { });
+  };
+
+  kdcConfFile = format.generate "kdc.conf" finalConfig;
+  env = {
+    # What Debian uses, could possibly link directly to Nix store?
+    KRB5_KDC_PROFILE = "/etc/krb5kdc/kdc.conf";
+  };
+in
+
+{
+  config = lib.mkIf (cfg.enable && package.passthru.implementation == "krb5") {
+    environment = {
+      etc."krb5kdc/kdc.conf".source = kdcConfFile;
+      variables = env;
+    };
+
+    systemd.services.kadmind = {
+      description = "Kerberos Administration Daemon";
+      partOf = [ "kerberos-server.target" ];
+      wantedBy = [ "kerberos-server.target" ];
+      serviceConfig = {
+        ExecStart = "${package}/bin/kadmind -nofork";
+        Slice = "system-kerberos-server.slice";
+        StateDirectory = "krb5kdc";
+      };
+      restartTriggers = [ kdcConfFile ];
+      environment = env;
+    };
+
+    systemd.services.kdc = {
+      description = "Key Distribution Center daemon";
+      partOf = [ "kerberos-server.target" ];
+      wantedBy = [ "kerberos-server.target" ];
+      serviceConfig = {
+        Type = "forking";
+        PIDFile = PIDFile;
+        ExecStart = "${package}/bin/krb5kdc -P ${PIDFile}";
+        Slice = "system-kerberos-server.slice";
+        StateDirectory = "krb5kdc";
+      };
+      restartTriggers = [ kdcConfFile ];
+      environment = env;
+    };
+  };
+}
+