nix/lib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

KDC - Ensure database exists and is readable

Browse Source
This commit is contained in:
niten 2023-10-15 23:00:48 -07:00
parent 356c452d66
commit 56f4e49df0
1 changed files with 7 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
lib/fudo/auth/kerberos/kdc.nix
View File

@ -68,6 +68,9 @@ let
environment.systemPackages = [ kadminLocal ]; environment.systemPackages = [ kadminLocal ];
systemd = { systemd = {
tmpfiles.rules =
[ "f ${cfg.database} 0700 ${cfg.user} ${cfg.group} - -" ];
services = { services = {
heimdal-kdc = { heimdal-kdc = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -116,22 +119,15 @@ let
description = "Heimdal Kerberos Administration Server."; description = "Heimdal Kerberos Administration Server.";
path = with pkgs; [ heimdal ]; path = with pkgs; [ heimdal ];
serviceConfig = { serviceConfig = {
# StandardInput = "socket";
# StandardOutput = "socket";
PrivateDevices = true; PrivateDevices = true;
PrivateTmp = true; PrivateTmp = true;
# PrivateMounts = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
# ProtectSystem = true;
ProtectHostname = true; ProtectHostname = true;
# ProtectHome = true;
ProtectClock = true; ProtectClock = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
RestrictRealtime = true; RestrictRealtime = true;
# LockPersonality = true;
# PermissionsStartOnly = true;
LimitNOFILE = 4096; LimitNOFILE = 4096;
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
@ -154,12 +150,8 @@ let
description = "Heimdal Kerberos Password Server."; description = "Heimdal Kerberos Password Server.";
path = with pkgs; [ heimdal ]; path = with pkgs; [ heimdal ];
serviceConfig = { serviceConfig = {
# This wasn't working:
# StandardInput = "socket";
# StandardOutput = "socket";
PrivateDevices = true; PrivateDevices = true;
PrivateTmp = true; PrivateTmp = true;
# PrivateMounts = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectSystem = true; ProtectSystem = true;
@ -199,20 +191,6 @@ let
Group = cfg.group; Group = cfg.group;
Type = "oneshot"; Type = "oneshot";
RuntimeDirectory = "heimdal-hprop"; RuntimeDirectory = "heimdal-hprop";
# ExecStartPre = let
# convertCmd = concatStringsSep " " [
# "${pkgs.kdcConvertDatabase}/bin/kdc-convert-database"
# "--config-file=${kdcConf}"
# "--key=${cfg.kdc.master-key-file}"
# "--format=db3"
# "--realm=${cfg.realm}"
# "--output=${staging-db}"
# "--verbose"
# ];
# in pkgs.writeShellScript "convert-kdc-database.sh" ''
# ${convertCmd}
# ls $RUNTIME_DIRECTORY
# '';
ExecStartPre = pkgs.writeShellScript "kdc-prepare-hprop-dump.sh" ExecStartPre = pkgs.writeShellScript "kdc-prepare-hprop-dump.sh"
(concatStringsSep " " [ (concatStringsSep " " [
"${pkgs.heimdal}/bin/kadmin" "${pkgs.heimdal}/bin/kadmin"
@ -292,6 +270,10 @@ let
}; };
systemd = { systemd = {
tmpfiles.rules =
[ "f ${cfg.database} 0700 ${cfg.user} ${cfg.group} - -" ];
services = { services = {
heimdal-kdc-secondary = { heimdal-kdc-secondary = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -302,18 +284,13 @@ let
serviceConfig = { serviceConfig = {
PrivateDevices = true; PrivateDevices = true;
PrivateTmp = true; PrivateTmp = true;
# PrivateMounts = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
# ProtectSystem = true;
ProtectHostname = true; ProtectHostname = true;
# ProtectHome = true;
ProtectClock = true; ProtectClock = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
RestrictRealtime = true; RestrictRealtime = true;
# LockPersonality = true;
# PermissionsStartOnly = true;
LimitNOFILE = 4096; LimitNOFILE = 4096;
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
@ -335,9 +312,6 @@ let
}; };
"heimdal-hpropd@" = { "heimdal-hpropd@" = {
# wantedBy = [ "heimdal-kdc-secondary.service" ];
# after = [ "heimdal-kdc-secondary.service" ];
# bindsTo = [ "heimdal-kdc-secondary.service" ];
description = "Heimdal propagation listener server."; description = "Heimdal propagation listener server.";
path = with pkgs; [ heimdal ]; path = with pkgs; [ heimdal ];
serviceConfig = { serviceConfig = {
@ -345,18 +319,13 @@ let
StandardOutput = "socket"; StandardOutput = "socket";
PrivateDevices = true; PrivateDevices = true;
PrivateTmp = true; PrivateTmp = true;
# PrivateMounts = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
# ProtectSystem = true;
ProtectHostname = true; ProtectHostname = true;
# ProtectHome = true;
ProtectClock = true; ProtectClock = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
RestrictRealtime = true; RestrictRealtime = true;
# LockPersonality = true;
# PermissionsStartOnly = true;
LimitNOFILE = 4096; LimitNOFILE = 4096;
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;