nix/lib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fuckin copy the primary job def

Browse Source
This commit is contained in:
niten 2024-01-13 14:19:08 -08:00
parent 168dc68251
commit 16a105a24e
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
lib/fudo/auth/kerberos/kdc.nix
View File

@ -288,6 +288,7 @@ let
ProtectKernelLogs = true; ProtectKernelLogs = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
RestrictRealtime = true; RestrictRealtime = true;
PermissionsStartOnly = false;
LimitNOFILE = 4096; LimitNOFILE = 4096;
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
@ -295,7 +296,12 @@ let
RestartSec = "5s"; RestartSec = "5s";
AmbientCapabilities = "CAP_NET_BIND_SERVICE"; AmbientCapabilities = "CAP_NET_BIND_SERVICE";
SecureBits = "keep-caps"; SecureBits = "keep-caps";
RuntimeDirectory = "heimdal-kdc-secondary"; ExecStartPre = let
chownScript = pkgs.writeShellScript "kerberos-chown.sh" ''
${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.kdc.database}
${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.kdc.state-directory}/kerberos.log
'';
in "+${chownScript}";
ExecStart = let ExecStart = let
ips = if (cfg.kdc.bind-addresses != [ ]) then ips = if (cfg.kdc.bind-addresses != [ ]) then
cfg.kdc.bind-addresses cfg.kdc.bind-addresses
@ -304,8 +310,7 @@ let
bindClause = "--addresses=${concatStringsSep "," ips}"; bindClause = "--addresses=${concatStringsSep "," ips}";
in "${pkgs.heimdal}/libexec/heimdal/kdc --config-file=${kdcConf} --ports=88 ${bindClause}"; in "${pkgs.heimdal}/libexec/heimdal/kdc --config-file=${kdcConf} --ports=88 ${bindClause}";
}; };
unitConfig.ConditionPathExists = unitConfig.ConditionPathExists = [ cfg.kdc.database ];
[ cfg.kdc.database cfg.kdc.secondary.keytabs.hpropd ];
}; };
"heimdal-hpropd@" = { "heimdal-hpropd@" = {