authorKai Wohlfahrt <kjw53@cam.ac.uk>2017-11-13 13:09:35 +0000
committerKai Wohlfahrt <kai@prodo.ai>2018-12-11 13:33:10 +0000
commit4e4a599e7e20cf04b6dd8dbb10173cea742085c5 (patch)
treefdfcddd95e123d66a0e0ad6a488101c9aaa1e790 /nixos/modules/services/system
parent6cca9c0f9f2d7ed80ae52609160d2678e6fe38cd (diff)
kerberos_server: Keep ACL file in store
kdc.conf could also be moved into the store, but that would make the heimdal
command line utilities inconvenient to use, since every command would then need
an explicit --config-file.
Diffstat (limited to 'nixos/modules/services/system')
-rw-r--r--nixos/modules/services/system/kerberos/heimdal.nix32
-rw-r--r--nixos/modules/services/system/kerberos/mit.nix30
2 files changed, 25 insertions, 37 deletions
diff --git a/nixos/modules/services/system/kerberos/heimdal.nix b/nixos/modules/services/system/kerberos/heimdal.nix
index 554b1580810..d0f470f836e 100644
--- a/nixos/modules/services/system/kerberos/heimdal.nix
+++ b/nixos/modules/services/system/kerberos/heimdal.nix
@@ -1,25 +1,23 @@
 { pkgs, config, lib, ... } :
 
 let
-  inherit (lib) mkIf concatStringsSep concatMapStrings toList mapAttrs'
-    nameValuePair attrNames attrValues;
+  inherit (lib) mkIf concatStringsSep concatMapStrings toList mapAttrs
+    mapAttrsToList attrValues;
   cfg = config.services.kerberos_server;
   kerberos = config.krb5.kerberos;
   stateDir = "/var/heimdal";
-  aclFiles = mapAttrs'
-    (name: {acl, ...}: nameValuePair "${name}.acl" (
-      pkgs.writeText "${name}.acl" (concatMapStrings ((
-        {principal, access, target, ...} :
-        "${principal}\t${concatStringsSep "," (toList access)}\t${target}\n"
-      )) acl)
-    )) cfg.realms;
+  aclFiles = mapAttrs
+    (name: {acl, ...}: pkgs.writeText "${name}.acl" (concatMapStrings ((
+      {principal, access, target, ...} :
+      "${principal}\t${concatStringsSep "," (toList access)}\t${target}\n"
+    )) acl)) cfg.realms;
 
-  kdcConfigs = map (name: ''
+  kdcConfigs = mapAttrsToList (name: value: ''
     database = {
       dbname = ${stateDir}/heimdal
-      acl_file = /etc/heimdal-kdc/${name}.acl
+      acl_file = ${value}
     }
-  '') (attrNames cfg.realms);
+  '') aclFiles;
   kdcConfFile = pkgs.writeText "kdc.conf" ''
     [kdc]
     ${concatStringsSep "\n" kdcConfigs}
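Review bot: The new `acl_file = ${value}` line points kadmind at a file in the Nix store, which is world-readable, so this is only safe as long as nothing secret ever flows through `aclFiles` or `kdcConfFile`; a comment above `aclFiles` should pin that invariant, e.g. `# ACL files and kdc.conf are written to the (world-readable) Nix store; never route key material or passwords through them — the master key stays under ${stateDir}.` The `name` argument of the `mapAttrsToList` lambda in `kdcConfigs` is now unused and reads cleaner as `(_: aclFile: ...)`, which also documents that the value is a store path rather than realm config. Unlike `mit.nix`, which maps `access` through `aclMap` and so fails at evaluation on an unknown permission, the heimdal writer interpolates `access` verbatim, so unless the option type elsewhere restricts it a typo is only caught when heimdal parses the file at service start. Each realm still emits a `database = { … }` block with the same `dbname` and no `realm =` key, so with several realms the mapping of `acl_file` to realm is presumably ambiguous; that is pre-existing, but worth confirming against the heimdal kdc.conf documentation.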
@@ -38,7 +36,7 @@ in
       '';
       serviceConfig.ExecStart =
         "${kerberos}/libexec/heimdal/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
-      restartTriggers = [ kdcConfFile ] ++ (attrValues aclFiles);
+      restartTriggers = [ kdcConfFile ];
     };
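Review bot: Dropping `attrValues aclFiles` from `restartTriggers` is correct only because `kdcConfFile` interpolates each ACL file's store path, whose hash changes with its content; that dependency is not visible here and deserves a comment so it is not broken by a later refactor, e.g. `# aclFiles need no separate trigger: their store paths are embedded in kdcConfFile, so any ACL change already yields a new kdc.conf.` The enclosing `systemd.services.kadmind` definition starts outside the hunk.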
 
     systemd.services.kdc = {
@@ -59,16 +57,12 @@ in
         mkdir -m 0755 -p ${stateDir}
       '';
       serviceConfig.ExecStart = "${kerberos}/libexec/heimdal/kpasswdd";
-      restartTriggers = [ kdcConfFile ] ++ (attrValues aclFiles);
+      restartTriggers = [ kdcConfFile ];
     };
 
     environment.etc = {
       # Can be set via the --config-file option to KDC
       "heimdal-kdc/kdc.conf".source = kdcConfFile;
-    } // (
-      mapAttrs'
-      (name: value: nameValuePair "heimdal-kdc/${name}" {source = value;})
-      aclFiles
-    );
+    };
   };
 }
diff --git a/nixos/modules/services/system/kerberos/mit.nix b/nixos/modules/services/system/kerberos/mit.nix
index 9ff67f64728..a53d9dd0c6b 100644
--- a/nixos/modules/services/system/kerberos/mit.nix
+++ b/nixos/modules/services/system/kerberos/mit.nix
@@ -2,7 +2,7 @@
 
 let
   inherit (lib) mkIf concatStrings concatStringsSep concatMapStrings toList
-    mapAttrs' nameValuePair attrNames attrValues;
+    mapAttrs mapAttrsToList attrValues;
   cfg = config.services.kerberos_server;
   kerberos = config.krb5.kerberos;
   stateDir = "/var/lib/krb5kdc";
@@ -11,19 +11,17 @@ let
     add = "a"; cpw = "c"; delete = "d"; get = "i"; list = "l"; modify = "m";
     all = "*";
   };
-  aclFiles = mapAttrs'
-    (name: {acl, ...}: nameValuePair "${name}.acl" (
-      pkgs.writeText "${name}.acl" (concatMapStrings (
-        {principal, access, target, ...} :
-        let access_code = map (a: aclMap.${a}) (toList access); in
-        "${principal} ${concatStrings access_code} ${target}\n"
-      ) acl)
-    )) cfg.realms;
-  kdcConfigs = map (name: ''
+  aclFiles = mapAttrs
+    (name: {acl, ...}: (pkgs.writeText "${name}.acl" (concatMapStrings (
+      {principal, access, target, ...} :
+      let access_code = map (a: aclMap.${a}) (toList access); in
+      "${principal} ${concatStrings access_code} ${target}\n"
+    ) acl))) cfg.realms;
+  kdcConfigs = mapAttrsToList (name: value: ''
     ${name} = {
-      acl_file = /etc/krb5kdc/${name}.acl
+      acl_file = ${value}
     }
-  '') (attrNames cfg.realms);
+  '') aclFiles;
   kdcConfFile = pkgs.writeText "kdc.conf" ''
     [realms]
     ${concatStringsSep "\n" kdcConfigs}
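Review bot: The new `acl_file = ${value}` entry under `[realms]` now references a store path, so the ACL contents are world-readable; that matches the previous `/etc/krb5kdc` placement but should be stated, e.g. `# ACL files live in the world-readable Nix store; they hold only principal/permission rows, never secrets.` `value` in the `kdcConfigs` lambda is a store path derived from `aclFiles`, and naming it `aclFile` would make that clearer than the generic `value`. The ACL row is built as `"${principal} ${concatStrings access_code} ${target}\n"` with single spaces as separators, so a principal or target containing whitespace would silently produce a malformed row; unless the option types restrict these strings, an assertion on them would turn that into an evaluation error.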
@@ -43,7 +41,7 @@ in
         mkdir -m 0755 -p ${stateDir}
       '';
       serviceConfig.ExecStart = "${kerberos}/bin/kadmind -nofork";
-      restartTriggers = [ kdcConfFile ] ++ (attrValues aclFiles);
+      restartTriggers = [ kdcConfFile ];
       environment = env;
     };
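Review bot: Removing `attrValues aclFiles` from `restartTriggers` relies on `kdcConfFile` embedding each ACL file's store path, which is not evident at this line; add a comment to keep that coupling explicit, e.g. `# ACL changes already propagate through kdcConfFile, which embeds their store paths.` The enclosing `systemd.services.kadmind` definition starts outside the hunk.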
 
@@ -64,11 +62,7 @@ in
 
     environment.etc = {
       "krb5kdc/kdc.conf".source = kdcConfFile;
-    } // (
-      mapAttrs'
-      (name: value: nameValuePair "krb5kdc/${name}" {source = value;})
-      aclFiles
-    );
+    };
     environment.variables = env;
   };
 }