From 32e7d99292d9a2f89c82c6a471591e3763601f42 Mon Sep 17 00:00:00 2001
From: Jan-Bulthuis
Date: Mon, 9 Jun 2025 13:54:31 +0200
Subject: [PATCH] Set up request-key.conf

---
 hosts/vm-oddjob/configuration.nix | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/hosts/vm-oddjob/configuration.nix b/hosts/vm-oddjob/configuration.nix
index a9e0a84..0d2cd2c 100644
--- a/hosts/vm-oddjob/configuration.nix
+++ b/hosts/vm-oddjob/configuration.nix
@@ -24,6 +24,26 @@
 samba
 keyutils
 ];
+ environment.etc."request-key.conf".text =
+ let
+ upcall = "${pkgs.cifs-utils}/bin/cifs.upcall";
+ keyctl = "${pkgs.keyutils}/bin/keyctl";
+ in
+ ''
+ #OP TYPE DESCRIPTION CALLOUT_INFO PROGRAM
+ # -t is required for DFS share servers...
+ create cifs.spnego * * ${upcall} -t %k
+ create dns_resolver * * ${upcall} %k
+ # Everything below this is essentially the
+ # defualt configuration
+ create user debug:* negate ${keyctl} negate %k 30 %S
+ create user debug:* rejected ${keyctl} reject %k 30 %c %S
+ create user debug:* expired ${keyctl} reject %k 30 %c %S
+ create user debug:* revoked ${keyctl} reject %k 30 %c %S
+ create user debug:loop:* * |${pkgs.coreutils}/bin/cat
+ create user debug:* * ${pkgs.keyutils}/share/keyutils/request-key-debug.sh %k %d %c %S
+ negate * * * ${keyctl} negate %k 30 %S
+ '';
 sops.secrets."smb-credentials" = {
 sopsFile = "${inputs.secrets}/secrets/vm-oddjob.enc.yaml";
 };
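Review bot: The `create user debug:*` and `create user debug:loop:*` lines in the new `request-key.conf` text are the upstream sample debug hooks; they make the kernel's request-key helper run `request-key-debug.sh` and `cat` as root whenever any `user`-type key whose description starts with `debug:` is requested, which is a root-privileged callout surface this host does not need for its `cifs.spnego` and `dns_resolver` entries, so either drop them or keep them behind a comment explaining why they are wanted here. The comment `# defualt configuration` has a typo and should read `# default configuration`. As far as I know the kernel only reads this file via `/sbin/request-key`, which this hunk does not install; it is worth confirming that something else in this NixOS configuration provides that binary, otherwise the `cifs.spnego`/`dns_resolver` upcalls are never invoked. The `${pkgs.keyutils}/share/...` and `${pkgs.coreutils}/bin/cat` paths bypass the `let` bindings used for the other program paths, which is a minor style inconsistency. The enclosing attribute set begins and ends outside the hunk.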