nixos/modules/security/krb5/krb5-conf-format.nix +26 −9 Original line number Diff line number Diff line Loading @@ -61,16 +61,33 @@ rec { description = "Which principal the rule applies to"; }; access = mkOption { type = either (listOf (enum [ type = coercedTo str singleton ( listOf (enum [ "all" "add" "cpw" "delete" "get-keys" "get" "list" "modify" ])) (enum [ "all" ]); ]) ); default = "all"; description = "The changes the principal is allowed to make."; description = '' The changes the principal is allowed to make. :::{.important} The "all" permission does not imply the "get-keys" permission. This is consistent with the behavior of both MIT Kerberos and Heimdal. ::: :::{.warning} Value "all" is allowed as a list member only if it appears alone or accompanied by "get-keys". Any other combination involving "all" will raise an exception. ::: ''; }; target = mkOption { type = str; Loading
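Review bot: The new warning in the description promises that invalid combinations of "all" "will raise an exception", but the type in this hunk (`coercedTo str singleton (listOf (enum [...]))`) accepts any list of the enum members; the combination rule appears to be enforced only by a separate module assertion (the one added to services/system/kerberos/default.nix in this commit), so any other consumer of this format gets no enforcement and a raw `krb5.conf`-style consumer would silently accept `[ "all" "add" ]`. Either say where the check lives, e.g. `Any other combination involving "all" is rejected by the Kerberos server module's assertions at evaluation time.`, or move the rule into the type with `types.addCheck` so the option itself rejects it. Worth noting in the description as well that the coercion now also turns any bare enum member such as `"add"` into `[ "add" ]`, not just `"all"`, which the old `either` type did not accept; the ACL option set enclosing this definition starts outside the hunk.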
nixos/modules/services/system/kerberos/default.nix +11 −0 Original line number Diff line number Diff line Loading @@ -55,6 +55,17 @@ in assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1; message = "Only one realm per server is currently supported."; } { assertion = let inherit (builtins) attrValues elem length; realms = attrValues cfg.settings.realms; accesses = lib.concatMap (r: map (a: a.access) r.acl) realms; property = a: !elem "all" a || (length a <= 1) || (length a <= 2 && elem "get-keys" a); in builtins.all property accesses; message = "Cannot specify \"all\" in a list with additional permissions other than \"get-keys\""; } ]; systemd.slices.system-kerberos-server = { }; Loading
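Review bot: The `property` predicate encodes the rule by list length rather than by content, so it depends on the list having no duplicates: `[ "all" "all" ]` fails the assertion although it grants nothing beyond "all", while the intended rule ("every entry besides all is get-keys") is easier to audit if written directly, e.g. `property = a: !elem "all" a || lib.all (p: elem p [ "all" "get-keys" ]) a;`. The message text should then stay as is, since it already describes that rule. The surrounding `assertions` list begins before this hunk.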
nixos/modules/services/system/kerberos/mit.nix +2 −1 Original line number Diff line number Diff line Loading @@ -19,10 +19,11 @@ let add = "a"; cpw = "c"; delete = "d"; get-keys = "e"; get = "i"; list = "l"; modify = "m"; all = "*"; all = "x"; }; aclConfigs = lib.pipe cfg.settings.realms [ Loading
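Review bot: The replacement of `all = "*"` with `all = "x"` carries no comment explaining the motivation, and since the letters in this table are concatenated into the kadm5.acl permission string the reader cannot tell from the file whether anything changes for existing ACLs (the MIT documentation lists `*` as an alias of `x`, as far as I recall, so this looks behaviour-neutral but should be stated). A short comment above the table would make the privilege model explicit, e.g. `# kadm5.acl permission letters; "x" grants all privileges except key extraction, which needs an explicit "e" (get-keys)`, which also ties this file to the "all does not imply get-keys" rule documented in krb5-conf-format.nix. The `let` binding holding this attrset begins outside the hunk.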