From 960262a6fb02d148a5a50165ff13a4701e9d907b Mon Sep 17 00:00:00 2001
From: "quentin@aristote.fr"
Date: Wed, 31 Dec 2025 23:40:37 +0100
Subject: services: add kerberos
---
 config/services/default.nix | 5 ++++-
 config/services/kerberos/default.nix | 39 ++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 config/services/kerberos/default.nix
(limited to 'config')
diff --git a/config/services/default.nix b/config/services/default.nix
index b0df600..a58f2a7 100644
--- a/config/services/default.nix
+++ b/config/services/default.nix
@@ -1,5 +1,8 @@
 { ... }:
 
 {
- imports = [ ./git ];
+ imports = [
+ ./git
+ ./kerberos
+ ];
 }
diff --git a/config/services/kerberos/default.nix b/config/services/kerberos/default.nix
new file mode 100644
index 0000000..e36ab40
--- /dev/null
+++ b/config/services/kerberos/default.nix
@@ -0,0 +1,39 @@
+{
+ config,
+ ...
+}:
+let
+ realm = "aristote.mesh";
+in
+{
+ # client
+ security.krb5 = {
+ enable = true;
+ settings = {
+ libdefaults.default_realm = realm;
+ realms."${realm}" =
+ let
+ server = "${config.networking.hostName}.${realm}";
+ in
+ {
+ kdc = server;
+ admin_server = server;
+ };
+ };
+ };
+
+ # server
+ networking.firewall.allowedTCPPorts = [
+ 88
+ 749
+ ];
+ services.kerberos_server = {
+ enable = true;
+ settings.realms."${realm}" = { };
+ # initialization procedure
+ # https://github.com/NixOS/nixpkgs/issues/72722#issuecomment-557658883
+ # > kdb5_util create -s -r ${realm}
+ # > systemctl restart kadmind.service kdc.service
+ };
+
+}
--
cgit v1.2.3
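Review bot: `networking.firewall.allowedTCPPorts = [ 88 749 ];` in the new `config/services/kerberos/default.nix` opens the KDC and kadmind ports on every interface, while the realm name `aristote.mesh` suggests the service is only meant to be reached over the mesh network. Port 749 is the administrative interface, so I would scope both ports to that interface, e.g. `networking.firewall.interfaces."<mesh-interface>".allowedTCPPorts = [ 88 749 ];` (the interface name is a placeholder; it is not visible in this patch). Separately, `settings.realms."${realm}" = { };` leaves the kadmind ACL to whatever the module defaults to; an explicit `acl` entry naming the admin principal would make it reviewable here who can administer the realm. The comment on `kdb5_util create -s` could also say that `-s` writes a stash file holding the database master key, so that file must stay readable by root only and be treated as a secret in backups.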