nixos/krb5: move to security.krb5

2024-08-16 02:30:42 +03:00 · 2023-07-24 23:12:29 +02:00 · 2023-07-24 23:12:29 +02:00 · fed77d1705
commit fed77d1705
parent 92a541c0ed
14 changed files with 22 additions and 22 deletions
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@ -94,7 +94,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 - `services.zfs.zed.enableMail` now uses the global `sendmail` wrapper defined by an email module
  (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support.

- The `krb5` module has been rewritten, moving all options but `krb5.enable` and `krb5.package` into `krb5.settings`.
+- The `krb5` module has been rewritten and moved to `security.krb5`, moving all options but `security.krb5.enable` and `security.krb5.package` into `security.krb5.settings`.

 - Gitea 1.21 upgrade has several breaking changes, including:
  - Custom themes and other assets that were previously stored in `custom/public/*` now belong in `custom/public/assets/*`
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -10,7 +10,6 @@
  ./config/gtk/gtk-icon-cache.nix
  ./config/i18n.nix
  ./config/iproute2.nix
-  ./config/krb5/default.nix
  ./config/ldap.nix
  ./config/ldso.nix
  ./config/locale.nix
@ -308,6 +307,7 @@
  ./security/duosec.nix
  ./security/google_oslogin.nix
  ./security/ipa.nix
+  ./security/krb5
  ./security/lock-kernel-modules.nix
  ./security/misc.nix
  ./security/oath.nix
--- a/nixos/modules/security/ipa.nix
+++ b/nixos/modules/security/ipa.nix
@ -117,8 +117,8 @@ in {
  config = mkIf cfg.enable {
    assertions = [
      {
-        assertion = !config.krb5.enable;
-        message = "krb5 must be disabled through `krb5.enable` for FreeIPA integration to work.";
+        assertion = !config.security.krb5.enable;
+        message = "krb5 must be disabled through `security.krb5.enable` for FreeIPA integration to work.";
      }
      {
        assertion = !config.users.ldap.enable;
--- a/nixos/modules/security/krb5/default.nix
+++ b/nixos/modules/security/krb5/default.nix
@ -5,11 +5,11 @@ let

  mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
  mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
-    The option `krb5.${name}' has been removed. Use `krb5.settings.${name}' for
-    structured configuration.
+    The option `krb5.${name}' has been removed. Use
+    `security.krb5.settings.${name}' for structured configuration.
  '';

-  cfg = config.krb5;
+  cfg = config.security.krb5;
  format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
 in {
  imports = [
@ -22,12 +22,12 @@ in {
    (mkRemovedOptionModuleCfg "config")
    (mkRemovedOptionModuleCfg "extraConfig")
    (mkRemovedOptionModule' "kerberos" ''
-      The option `krb5.kerberos' has been moved to `krb5.package'.
+      The option `krb5.kerberos' has been moved to `security.krb5.package'.
    '')
  ];

  options = {
-    krb5 = {
+    security.krb5 = {
      enable = mkOption {
        default = false;
        description = mdDoc "Enable and configure Kerberos utilities";
--- a/nixos/modules/security/krb5/krb5-conf-format.nix
+++ b/nixos/modules/security/krb5/krb5-conf-format.nix
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -1067,8 +1067,8 @@ in

    security.pam.krb5 = {
      enable = mkOption {
-        default = config.krb5.enable;
-        defaultText = literalExpression "config.krb5.enable";
+        default = config.security.krb5.enable;
+        defaultText = literalExpression "config.security.krb5.enable";
        type = types.bool;
        description = lib.mdDoc ''
          Enables Kerberos PAM modules (`pam-krb5`,
@ -1076,7 +1076,7 @@ in

          If set, users can authenticate with their Kerberos password.
          This requires a valid Kerberos configuration
-          (`config.krb5.enable` should be set to
+          (`config.security.krb5.enable` should be set to
          `true`).

          Note that the Kerberos PAM modules are not necessary when using SSS
--- a/nixos/modules/services/system/kerberos/default.nix
+++ b/nixos/modules/services/system/kerberos/default.nix
@ -3,7 +3,7 @@
 let
  inherit (lib) mkOption mkIf types length attrNames;
  cfg = config.services.kerberos_server;
-  kerberos = config.krb5.package;
+  kerberos = config.security.krb5.package;

  aclEntry = {
    options = {
--- a/nixos/modules/services/system/kerberos/heimdal.nix
+++ b/nixos/modules/services/system/kerberos/heimdal.nix
@ -4,7 +4,7 @@ let
  inherit (lib) mkIf concatStringsSep concatMapStrings toList mapAttrs
    mapAttrsToList;
  cfg = config.services.kerberos_server;
-  kerberos = config.krb5.package;
+  kerberos = config.security.krb5.package;
  stateDir = "/var/heimdal";
  aclFiles = mapAttrs
    (name: {acl, ...}: pkgs.writeText "${name}.acl" (concatMapStrings ((
--- a/nixos/modules/services/system/kerberos/mit.nix
+++ b/nixos/modules/services/system/kerberos/mit.nix
@ -4,7 +4,7 @@ let
  inherit (lib) mkIf concatStrings concatStringsSep concatMapStrings toList
    mapAttrs mapAttrsToList;
  cfg = config.services.kerberos_server;
-  kerberos = config.krb5.package;
+  kerberos = config.security.krb5.package;
  stateDir = "/var/lib/krb5kdc";
  PIDFile = "/run/kdc.pid";
  aclMap = {
--- a/nixos/tests/kerberos/heimdal.nix
+++ b/nixos/tests/kerberos/heimdal.nix
@ -7,7 +7,7 @@ import ../make-test-python.nix ({pkgs, ...}: {
        "FOO.BAR".acl = [{principal = "admin"; access = ["add" "cpw"];}];
      };
    };
-    krb5 = {
+    security.krb5 = {
      enable = true;
      package = pkgs.heimdal;
      settings = {
--- a/nixos/tests/kerberos/mit.nix
+++ b/nixos/tests/kerberos/mit.nix
@ -7,7 +7,7 @@ import ../make-test-python.nix ({pkgs, ...}: {
        "FOO.BAR".acl = [{principal = "admin"; access = ["add" "cpw"];}];
      };
    };
-    krb5 = {
+    security.krb5 = {
      enable = true;
      package = pkgs.krb5;
      settings = {
--- a/nixos/tests/krb5/example-config.nix
+++ b/nixos/tests/krb5/example-config.nix
@ -9,7 +9,7 @@ import ../make-test-python.nix ({ pkgs, ...} : {

  nodes.machine =
    { pkgs, ... }: {
-      krb5 = {
+      security.krb5 = {
        enable = true;
        package = pkgs.krb5;
        settings = {
--- a/nixos/tests/nfs/kerberos.nix
+++ b/nixos/tests/nfs/kerberos.nix
@ -1,7 +1,7 @@
 import ../make-test-python.nix ({ pkgs, lib, ... }:

 let
-  krb5 = {
+  security.krb5 = {
    enable = true;
    settings = {
      domain_realm."nfs.test" = "NFS.TEST";
@ -34,7 +34,7 @@ in

  nodes = {
    client = { lib, ... }:
-      { inherit krb5 users;
+      { inherit security users;

        networking.extraHosts = hosts;
        networking.domain = "nfs.test";
@ -50,7 +50,7 @@ in
      };

    server = { lib, ...}:
-      { inherit krb5 users;
+      { inherit security users;

        networking.extraHosts = hosts;
        networking.domain = "nfs.test";
--- a/nixos/tests/pam/pam-file-contents.nix
+++ b/nixos/tests/pam/pam-file-contents.nix
@ -7,7 +7,7 @@ import ../make-test-python.nix ({ pkgs, ... }: {
  nodes.machine = { ... }: {
    imports = [ ../../modules/profiles/minimal.nix ];

-    krb5.enable = true;
+    security.krb5.enable = true;

    users = {
      mutableUsers = false;