Loading nixos/modules/security/krb5/krb5-conf-format.nix +18 −10 Original line number Diff line number Diff line Loading @@ -61,7 +61,8 @@ rec { description = "Which principal the rule applies to"; }; access = mkOption { type = either (listOf (enum [ type = coercedTo str singleton ( listOf (enum [ "all" "add" "cpw" Loading @@ -70,7 +71,8 @@ rec { "get" "list" "modify" ])) (enum [ "all" ]); ]) ); default = "all"; description = '' The changes the principal is allowed to make. Loading @@ -79,6 +81,12 @@ rec { The "all" permission does not imply the "get-keys" permission. This is consistent with the behavior of both MIT Kerberos and Heimdal. ::: :::{.warning} Value "all" is allowed as a list member only if it appears alone or accompanied by "get-keys". Any other combination involving "all" will raise an exception. ::: ''; }; target = mkOption { Loading nixos/modules/services/system/kerberos/default.nix +11 −0 Original line number Diff line number Diff line Loading @@ -55,6 +55,17 @@ in assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1; message = "Only one realm per server is currently supported."; } { assertion = let inherit (builtins) attrValues elem length; realms = attrValues cfg.settings.realms; accesses = lib.concatMap (r: map (a: a.access) r.acl) realms; property = a: !elem "all" a || (length a <= 1) || (length a <= 2 && elem "get-keys" a); in builtins.all property accesses; message = "Cannot specify \"all\" in a list with additional permissions other than \"get-keys\""; } ]; systemd.slices.system-kerberos-server = { }; Loading Loading
nixos/modules/security/krb5/krb5-conf-format.nix +18 −10 Original line number Diff line number Diff line Loading @@ -61,7 +61,8 @@ rec { description = "Which principal the rule applies to"; }; access = mkOption { type = either (listOf (enum [ type = coercedTo str singleton ( listOf (enum [ "all" "add" "cpw" Loading @@ -70,7 +71,8 @@ rec { "get" "list" "modify" ])) (enum [ "all" ]); ]) ); default = "all"; description = '' The changes the principal is allowed to make. Loading @@ -79,6 +81,12 @@ rec { The "all" permission does not imply the "get-keys" permission. This is consistent with the behavior of both MIT Kerberos and Heimdal. ::: :::{.warning} Value "all" is allowed as a list member only if it appears alone or accompanied by "get-keys". Any other combination involving "all" will raise an exception. ::: ''; }; target = mkOption { Loading
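Review bot: The new type `coercedTo str singleton (listOf (enum [ "all" … ]))` accepts `"all"` next to any other permission, so the rule stated in the added warning is no longer enforced by the option type itself; the exception the warning promises comes only from an assertion in the Kerberos server service module, and any other consumer of this conf format that evaluates `acl` without that module accepts e.g. `[ "all" "add" ]` silently, which matters because this list is the kadmin ACL. Consider keeping the invariant with the option by wrapping the list type in `lib.types.addCheck`, e.g. `coercedTo str singleton (addCheck (listOf (enum [ … ])) (l: !elem "all" l || all (p: p == "all" || p == "get-keys") l))`, so the same rejection applies wherever the format is used. The warning text should also say where the failure surfaces, e.g. `Any other combination involving "all" fails an assertion when the Kerberos server module is evaluated.` The enum list is cut by the collapsed part of the hunk, so I assume `"get-keys"` sits in the hidden members; please confirm.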
nixos/modules/services/system/kerberos/default.nix +11 −0 Original line number Diff line number Diff line Loading @@ -55,6 +55,17 @@ in assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1; message = "Only one realm per server is currently supported."; } { assertion = let inherit (builtins) attrValues elem length; realms = attrValues cfg.settings.realms; accesses = lib.concatMap (r: map (a: a.access) r.acl) realms; property = a: !elem "all" a || (length a <= 1) || (length a <= 2 && elem "get-keys" a); in builtins.all property accesses; message = "Cannot specify \"all\" in a list with additional permissions other than \"get-keys\""; } ]; systemd.slices.system-kerberos-server = { }; Loading
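Review bot: `property` decides by list length rather than by content, so `[ "all" "all" ]` and `[ "all" "get-keys" "get-keys" ]` are rejected although the documented rule is membership-based; a content check reads as the rule is written and handles duplicates: `property = a: !elem "all" a || builtins.all (p: p == "all" || p == "get-keys") a;`. The message also does not name the realm or the principal that carries the offending list, which is what an administrator needs in order to fix a kadmin ACL; consider collecting the failing entries (realm name, principal field, access list) instead of only the access lists and rendering them into `message`. The expression reads `r.acl` unconditionally, which assumes every realm value carries an `acl` attribute with a default from the conf format; worth confirming since the format module is changed in the same commit. The enclosing assertions list continues outside the hunk.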