nixos/krb5: move to security.krb5

This commit is contained in:
Marco Rebhan 2023-07-24 23:12:29 +02:00
parent 92a541c0ed
commit fed77d1705
No known key found for this signature in database
14 changed files with 22 additions and 22 deletions

View file

@ -94,7 +94,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- `services.zfs.zed.enableMail` now uses the global `sendmail` wrapper defined by an email module
(such as msmtp or Postfix). It no longer requires using a special ZFS build with email support.
- The `krb5` module has been rewritten, moving all options but `krb5.enable` and `krb5.package` into `krb5.settings`.
- The `krb5` module has been rewritten and moved to `security.krb5`, moving all options but `security.krb5.enable` and `security.krb5.package` into `security.krb5.settings`.
- Gitea 1.21 upgrade has several breaking changes, including:
- Custom themes and other assets that were previously stored in `custom/public/*` now belong in `custom/public/assets/*`

View file

@ -10,7 +10,6 @@
./config/gtk/gtk-icon-cache.nix
./config/i18n.nix
./config/iproute2.nix
./config/krb5/default.nix
./config/ldap.nix
./config/ldso.nix
./config/locale.nix
@ -308,6 +307,7 @@
./security/duosec.nix
./security/google_oslogin.nix
./security/ipa.nix
./security/krb5
./security/lock-kernel-modules.nix
./security/misc.nix
./security/oath.nix

View file

@ -117,8 +117,8 @@ in {
config = mkIf cfg.enable {
assertions = [
{
assertion = !config.krb5.enable;
message = "krb5 must be disabled through `krb5.enable` for FreeIPA integration to work.";
assertion = !config.security.krb5.enable;
message = "krb5 must be disabled through `security.krb5.enable` for FreeIPA integration to work.";
}
{
assertion = !config.users.ldap.enable;

View file

@ -5,11 +5,11 @@ let
mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
The option `krb5.${name}' has been removed. Use `krb5.settings.${name}' for
structured configuration.
The option `krb5.${name}' has been removed. Use
`security.krb5.settings.${name}' for structured configuration.
'';
cfg = config.krb5;
cfg = config.security.krb5;
format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
in {
imports = [
@ -22,12 +22,12 @@ in {
(mkRemovedOptionModuleCfg "config")
(mkRemovedOptionModuleCfg "extraConfig")
(mkRemovedOptionModule' "kerberos" ''
The option `krb5.kerberos' has been moved to `krb5.package'.
The option `krb5.kerberos' has been moved to `security.krb5.package'.
'')
];
options = {
krb5 = {
security.krb5 = {
enable = mkOption {
default = false;
description = mdDoc "Enable and configure Kerberos utilities";

View file

@ -1067,8 +1067,8 @@ in
security.pam.krb5 = {
enable = mkOption {
default = config.krb5.enable;
defaultText = literalExpression "config.krb5.enable";
default = config.security.krb5.enable;
defaultText = literalExpression "config.security.krb5.enable";
type = types.bool;
description = lib.mdDoc ''
Enables Kerberos PAM modules (`pam-krb5`,
@ -1076,7 +1076,7 @@ in
If set, users can authenticate with their Kerberos password.
This requires a valid Kerberos configuration
(`config.krb5.enable` should be set to
(`config.security.krb5.enable` should be set to
`true`).
Note that the Kerberos PAM modules are not necessary when using SSS

View file

@ -3,7 +3,7 @@
let
inherit (lib) mkOption mkIf types length attrNames;
cfg = config.services.kerberos_server;
kerberos = config.krb5.package;
kerberos = config.security.krb5.package;
aclEntry = {
options = {

View file

@ -4,7 +4,7 @@ let
inherit (lib) mkIf concatStringsSep concatMapStrings toList mapAttrs
mapAttrsToList;
cfg = config.services.kerberos_server;
kerberos = config.krb5.package;
kerberos = config.security.krb5.package;
stateDir = "/var/heimdal";
aclFiles = mapAttrs
(name: {acl, ...}: pkgs.writeText "${name}.acl" (concatMapStrings ((

View file

@ -4,7 +4,7 @@ let
inherit (lib) mkIf concatStrings concatStringsSep concatMapStrings toList
mapAttrs mapAttrsToList;
cfg = config.services.kerberos_server;
kerberos = config.krb5.package;
kerberos = config.security.krb5.package;
stateDir = "/var/lib/krb5kdc";
PIDFile = "/run/kdc.pid";
aclMap = {

View file

@ -7,7 +7,7 @@ import ../make-test-python.nix ({pkgs, ...}: {
"FOO.BAR".acl = [{principal = "admin"; access = ["add" "cpw"];}];
};
};
krb5 = {
security.krb5 = {
enable = true;
package = pkgs.heimdal;
settings = {

View file

@ -7,7 +7,7 @@ import ../make-test-python.nix ({pkgs, ...}: {
"FOO.BAR".acl = [{principal = "admin"; access = ["add" "cpw"];}];
};
};
krb5 = {
security.krb5 = {
enable = true;
package = pkgs.krb5;
settings = {

View file

@ -9,7 +9,7 @@ import ../make-test-python.nix ({ pkgs, ...} : {
nodes.machine =
{ pkgs, ... }: {
krb5 = {
security.krb5 = {
enable = true;
package = pkgs.krb5;
settings = {

View file

@ -1,7 +1,7 @@
import ../make-test-python.nix ({ pkgs, lib, ... }:
let
krb5 = {
security.krb5 = {
enable = true;
settings = {
domain_realm."nfs.test" = "NFS.TEST";
@ -34,7 +34,7 @@ in
nodes = {
client = { lib, ... }:
{ inherit krb5 users;
{ inherit security users;
networking.extraHosts = hosts;
networking.domain = "nfs.test";
@ -50,7 +50,7 @@ in
};
server = { lib, ...}:
{ inherit krb5 users;
{ inherit security users;
networking.extraHosts = hosts;
networking.domain = "nfs.test";

View file

@ -7,7 +7,7 @@ import ../make-test-python.nix ({ pkgs, ... }: {
nodes.machine = { ... }: {
imports = [ ../../modules/profiles/minimal.nix ];
krb5.enable = true;
security.krb5.enable = true;
users = {
mutableUsers = false;