nix
/
lib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Wait, is it ReadWritePaths?

This commit is contained in:
niten 2024-01-07 14:48:42 -08:00
parent dd2df768f1
commit 7e533a6d6f
1 changed files with 15 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
lib/fudo/auth/kerberos/kdc.nix
View File

@ -312,25 +312,25 @@ let
description = "Heimdal propagation listener server.";
path = with pkgs; [ heimdal ];
serviceConfig = {
# StandardInput = "socket";
# StandardOutput = "socket";
# PrivateDevices = true;
# PrivateTmp = true;
# ProtectControlGroups = true;
# ProtectKernelTunables = true;
# ProtectHostname = true;
# ProtectClock = true;
# ProtectKernelLogs = true;
# MemoryDenyWriteExecute = true;
# RestrictRealtime = true;
# LimitNOFILE = "4096";
StandardInput = "socket";
StandardOutput = "socket";
PrivateDevices = true;
PrivateTmp = true;
ProtectControlGroups = true;
ProtectKernelTunables = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelLogs = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
LimitNOFILE = "4096";
User = cfg.user;
Group = cfg.group;
# Server will retry -- this results in stacking
Restart = "never";
# AmbientCapabilities = "CAP_NET_BIND_SERVICE";
# SecureBits = "keep-caps";
ReadWritePaths = [ "${dirOf cfg.kdc.database}" ];
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
SecureBits = "keep-caps";
#ReadWritePaths = [ "${dirOf cfg.kdc.database}" ];
ExecStart = let
startScript = pkgs.writeShellScript "launch-heimdal-hpropd.sh"
(concatStringsSep " " [