From 7e533a6d6fdf702fa7cfc3da272aa87a1fe7c00f Mon Sep 17 00:00:00 2001
From: niten
Date: Sun, 7 Jan 2024 14:48:42 -0800
Subject: [PATCH] Wait, is it ReadWritePaths?

---
 lib/fudo/auth/kerberos/kdc.nix | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/lib/fudo/auth/kerberos/kdc.nix b/lib/fudo/auth/kerberos/kdc.nix
index 64d9cb6..d9d9d1d 100644
--- a/lib/fudo/auth/kerberos/kdc.nix
+++ b/lib/fudo/auth/kerberos/kdc.nix
@@ -312,25 +312,25 @@ let
 description = "Heimdal propagation listener server.";
 path = with pkgs; [ heimdal ];
 serviceConfig = {
- # StandardInput = "socket";
- # StandardOutput = "socket";
- # PrivateDevices = true;
- # PrivateTmp = true;
- # ProtectControlGroups = true;
- # ProtectKernelTunables = true;
- # ProtectHostname = true;
- # ProtectClock = true;
- # ProtectKernelLogs = true;
- # MemoryDenyWriteExecute = true;
- # RestrictRealtime = true;
- # LimitNOFILE = "4096";
+ StandardInput = "socket";
+ StandardOutput = "socket";
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProtectControlGroups = true;
+ ProtectKernelTunables = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ LimitNOFILE = "4096";
 User = cfg.user;
 Group = cfg.group;
 # Server will retry -- this results in stacking
 Restart = "never";
- # AmbientCapabilities = "CAP_NET_BIND_SERVICE";
- # SecureBits = "keep-caps";
- ReadWritePaths = [ "${dirOf cfg.kdc.database}" ];
+ AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+ SecureBits = "keep-caps";
+ #ReadWritePaths = [ "${dirOf cfg.kdc.database}" ];
 ExecStart = let startScript = pkgs.writeShellScript "launch-heimdal-hpropd.sh" (concatStringsSep " " [
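Review bot: Commenting out `ReadWritePaths` at the end of the hunk changes nothing about what hpropd may write, because that option only carves exceptions out of `ProtectSystem=`/`ReadOnlyPaths=` and neither is set in this serviceConfig, so the process already has ordinary filesystem access as `cfg.user`; if the intent is to confine the daemon to the database directory, the working pair is `ProtectSystem = "strict"; ReadWritePaths = [ "-${dirOf cfg.kdc.database}" ];`, where the `-` prefix keeps a not-yet-created directory from failing mount-namespace setup at start. The re-enabled `AmbientCapabilities = "CAP_NET_BIND_SERVICE"` and `SecureBits = "keep-caps"` look unnecessary next to `StandardInput = "socket"`, since systemd binds the listening socket before the unit runs; unless the ExecStart (whose body continues past the hunk) makes hpropd bind its own port, dropping both and adding `NoNewPrivileges = true;` removes a standing privilege from a daemon that accepts a full KDC database over the network. The enabled hardening set also omits `ProtectSystem`, `ProtectHome`, `RestrictAddressFamilies` and `SystemCallFilter`, which the surrounding `Protect*` options suggest were intended rather than deliberately left out.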