Make sure kerberos database belongs to kerberos user

lib/fudo/auth/kerberos/kdc.nix

@@ -210,8 +210,8 @@ let
                 #   ${convertCmd}
                 #   ls $RUNTIME_DIRECTORY
                 # '';
-                ExecStartPre = pkgs.writeShellScript "kdc-prepare-hprop-dump.sh"
+                ExecStartPre = let
-                  (concatStringsSep " " [
+                  dumpScript = (concatStringsSep " " [
                     "${pkgs.heimdal}/bin/kadmin"
                     "--local"
                     "--config-file=${kdcConf}"
@@ -220,6 +220,13 @@ let
                     "--format=Heimdal"
                     "${staging-db}"
                   ]);
+                in pkgs.writeShellScript "kdc-prepare-hprop-dump.sh" ''
+                  chown ${cfg.user}:${cfg.group} ${staging-db}
+                  chown ${cfg.user}:${cfg.group} ${cfg.kdc.database}
+                  chown ${cfg.user}:${cfg.group} ${cfg.kdc.state-directory}/kerberos.log
+                  ${dumpScript}
+                '';
+
                 ExecStart = pkgs.writeShellScript "kdc-hprop.sh"
                   (concatStringsSep " " ([
                     "${pkgs.heimdal}/libexec/heimdal/hprop"

lib/fudo/mail/dovecot.nix

@@ -33,8 +33,7 @@ let
         tls = yes
         tls_require_cert = try
       '';
-    in
+    in pkgs.writeText "dovecot2-ldap-config.conf.template" ''
-      pkgs.writeText "dovecot2-ldap-config.conf.template" ''
       uris = ${concatStringsSep " " ldap-cfg.server-urls}
       ldap_version = 3
       dn = ${ldap-cfg.reader-dn}
@@ -45,7 +44,8 @@ let
       ${ssl-config}
     '';
 
-  ldap-conf-generator = ldap-cfg: let
+  ldap-conf-generator = ldap-cfg:
+    let
       template = ldap-conf-template ldap-cfg;
       target-dir = dirOf ldap-cfg.generated-ldap-config;
       target = ldap-cfg.generated-ldap-config;
@@ -69,7 +69,8 @@ let
     options = with types; {
       ca = mkOption {
         type = nullOr str;
-        description = "The path to the CA cert used to sign the LDAP server certificate.";
+        description =
+          "The path to the CA cert used to sign the LDAP server certificate.";
         default = null;
       };
 
@@ -99,7 +100,8 @@ let
 
       generated-ldap-config = mkOption {
         type = str;
-        description = "Path at which to store the generated LDAP config file, including password.";
+        description =
+          "Path at which to store the generated LDAP config file, including password.";
         default = "/run/dovecot2/config/ldap.conf";
       };
     };
@@ -295,9 +297,8 @@ in {
     };
 
     systemd = {
-      tmpfiles.rules = [
+      tmpfiles.rules =
-        "d ${sieve-path} 750 ${dovecot-user} ${cfg.mail-group} - -"
+        [ "d ${sieve-path} 750 ${dovecot-user} ${cfg.mail-group} - -" ];
-      ];
 
       services.dovecot2.preStart = ''
         rm -f ${sieve-path}/*