nix/os/devices/steveej-t480s-work: krb5 redhat setup

nix/os/devices/steveej-t480s-work/system.nix

@@ -94,4 +94,45 @@ in {
 
   services.xserver.videoDrivers = [ "modesetting" ];
   boot.kernelPackages = lib.mkForce pkgs.linuxPackages;
+
+  krb5 = {
+    enable = true;
+    config = let
+      pkinit_crt = pkgs.fetchurl {
+        url = "https://password.corp.redhat.com/ipa.crt";
+        sha256 = "0cflhkb7szzlakjmz2rmw8l8j5jqsyy2rl7ciclmi5fdfjrrx1cd";
+      };
+    in ''
+      [libdefaults]
+      default_realm = IPA.REDHAT.COM
+      dns_lookup_realm = true
+      dns_lookup_kdc = true
+      rdns = false
+      dns_canonicalize_hostname = true
+      ticket_lifetime = 24h
+      forwardable = true
+      udp_preference_limit = 0
+      default_ccache_name = KEYRING:persistent:%{uid}
+
+      [realms]
+        REDHAT.COM = {
+            default_domain = redhat.com
+            dns_lookup_kdc = true
+            master_kdc = kerberos.corp.redhat.com
+            admin_server = kerberos.corp.redhat.com
+        }
+
+        #make sure to save the IPA CA cert
+        #mkdir /etc/ipa && curl -o /etc/ipa/ca.crt https://password.corp.redhat.com/ipa.crt
+        IPA.REDHAT.COM = {
+           pkinit_anchors = FILE:${pkinit_crt}
+           pkinit_pool = FILE:${pkinit_crt}
+           default_domain = ipa.redhat.com
+           dns_lookup_kdc = true
+           # Trust tickets issued by legacy realm on this host
+           auth_to_local = RULE:[1:$1@$0](.*@REDHAT\.COM)s/@.*//
+           auth_to_local = DEFAULT
+        }
+      '';
+  };
 }