Ahh, maybe it's the fact that it's a path

2024-01-07 09:22:44 -08:00 · 2024-01-07 09:22:44 -08:00 · 4196468cf8
parent 1186de6c36
commit 4196468cf8
1 changed files with 10 additions and 8 deletions
--- a/lib/fudo/auth/kerberos/kdc.nix
+++ b/lib/fudo/auth/kerberos/kdc.nix
@ -323,20 +323,22 @@ let
                ProtectKernelLogs = true;
                MemoryDenyWriteExecute = true;
                RestrictRealtime = true;
-                # LimitNOFILE = 4096;
+                LimitNOFILE = 4096;
                User = cfg.user;
                Group = cfg.group;
                # Server will retry -- this results in stacking
                Restart = "never";
                AmbientCapabilities = "CAP_NET_BIND_SERVICE";
                SecureBits = "keep-caps";
-                # ReadWritePaths = [ "${dirOf cfg.kdc.database}" ];
-                ExecStart = pkgs.writeShellScript "launch-heimdal-hpropd.sh"
-                  (concatStringsSep " " [
-                    "${pkgs.heimdal}/libexec/heimdal/hpropd"
-                    "--database=sqlite:${cfg.kdc.database}"
-                    "--keytab=${cfg.kdc.secondary.keytabs.hpropd}"
-                  ]);
+                ReadWritePaths = [ "${dirOf cfg.kdc.database}" ];
+                ExecStart = let
+                  startScript = pkgs.writeShellScript "launch-heimdal-hpropd.sh"
+                    (concatStringsSep " " [
+                      "${pkgs.heimdal}/libexec/heimdal/hpropd"
+                      "--database=sqlite:${cfg.kdc.database}"
+                      "--keytab=${cfg.kdc.secondary.keytabs.hpropd}"
+                    ]);
+                in "${startScript}";
              };
              unitConfig.ConditionPathExists =
                [ cfg.kdc.database cfg.kdc.secondary.keytabs.hpropd ];