Make sure kerberos database belongs to kerberos user

This commit is contained in:
niten 2023-09-22 10:08:18 -07:00
parent f3312f8fce
commit 7ed8b64466
2 changed files with 40 additions and 32 deletions


@ -210,8 +210,8 @@ let
# ${convertCmd} # ${convertCmd}
# ls $RUNTIME_DIRECTORY # ls $RUNTIME_DIRECTORY
# ''; # '';
ExecStartPre = pkgs.writeShellScript "kdc-prepare-hprop-dump.sh" ExecStartPre = let
(concatStringsSep " " [ dumpScript = (concatStringsSep " " [
"${pkgs.heimdal}/bin/kadmin" "${pkgs.heimdal}/bin/kadmin"
"--local" "--local"
"--config-file=${kdcConf}" "--config-file=${kdcConf}"
@ -220,6 +220,13 @@ let
"--format=Heimdal" "--format=Heimdal"
"${staging-db}" "${staging-db}"
]); ]);
in pkgs.writeShellScript "kdc-prepare-hprop-dump.sh" ''
chown ${cfg.user}:${cfg.group} ${staging-db}
chown ${cfg.user}:${cfg.group} ${cfg.kdc.database}
chown ${cfg.user}:${cfg.group} ${cfg.kdc.state-directory}/kerberos.log
${dumpScript}
'';
ExecStart = pkgs.writeShellScript "kdc-hprop.sh" ExecStart = pkgs.writeShellScript "kdc-hprop.sh"
(concatStringsSep " " ([ (concatStringsSep " " ([
"${pkgs.heimdal}/libexec/heimdal/hprop" "${pkgs.heimdal}/libexec/heimdal/hprop"
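Review bot: The three `chown` calls added to `kdc-prepare-hprop-dump.sh` have no error handling, and `pkgs.writeShellScript` does not enable `set -e`, so a failed chown (for example `kerberos.log` not existing yet on a fresh state directory, or the pre-start step not running as root — whether the unit uses a `+` prefix or `User=` is not visible in this hunk) is silently swallowed and only the exit status of the trailing `kadmin` dump decides whether the unit starts. Add `set -euo pipefail` as the script's first line, quote the interpolated paths so a path with whitespace cannot split, and guard the log file with `[ -e "${cfg.kdc.state-directory}/kerberos.log" ] && chown …` so a missing log is not treated as an error. The commit fixes ownership but leaves the mode of the principal database untouched; since it holds long-term keys, a file created earlier under a permissive umask stays readable, so consider adding `chmod 0600 "${staging-db}" "${cfg.kdc.database}"` next to the chowns. The `let` binding that contains `ExecStartPre` begins before this hunk and the `ExecStart` script continues past it.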


@ -33,8 +33,7 @@ let
tls = yes tls = yes
tls_require_cert = try tls_require_cert = try
''; '';
in in pkgs.writeText "dovecot2-ldap-config.conf.template" ''
pkgs.writeText "dovecot2-ldap-config.conf.template" ''
uris = ${concatStringsSep " " ldap-cfg.server-urls} uris = ${concatStringsSep " " ldap-cfg.server-urls}
ldap_version = 3 ldap_version = 3
dn = ${ldap-cfg.reader-dn} dn = ${ldap-cfg.reader-dn}
@ -45,7 +44,8 @@ let
${ssl-config} ${ssl-config}
''; '';
ldap-conf-generator = ldap-cfg: let ldap-conf-generator = ldap-cfg:
let
template = ldap-conf-template ldap-cfg; template = ldap-conf-template ldap-cfg;
target-dir = dirOf ldap-cfg.generated-ldap-config; target-dir = dirOf ldap-cfg.generated-ldap-config;
target = ldap-cfg.generated-ldap-config; target = ldap-cfg.generated-ldap-config;
@ -69,7 +69,8 @@ let
options = with types; { options = with types; {
ca = mkOption { ca = mkOption {
type = nullOr str; type = nullOr str;
description = "The path to the CA cert used to sign the LDAP server certificate."; description =
"The path to the CA cert used to sign the LDAP server certificate.";
default = null; default = null;
}; };
@ -99,7 +100,8 @@ let
generated-ldap-config = mkOption { generated-ldap-config = mkOption {
type = str; type = str;
description = "Path at which to store the generated LDAP config file, including password."; description =
"Path at which to store the generated LDAP config file, including password.";
default = "/run/dovecot2/config/ldap.conf"; default = "/run/dovecot2/config/ldap.conf";
}; };
}; };
@ -132,7 +134,7 @@ in {
services.prometheus.exporters.dovecot = mkIf cfg.monitoring.enable { services.prometheus.exporters.dovecot = mkIf cfg.monitoring.enable {
enable = true; enable = true;
scopes = ["user" "global"]; scopes = [ "user" "global" ];
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
port = cfg.monitoring.dovecot-listen-port; port = cfg.monitoring.dovecot-listen-port;
socketPath = "/var/run/dovecot2/old-stats"; socketPath = "/var/run/dovecot2/old-stats";
@ -295,9 +297,8 @@ in {
}; };
systemd = { systemd = {
tmpfiles.rules = [ tmpfiles.rules =
"d ${sieve-path} 750 ${dovecot-user} ${cfg.mail-group} - -" [ "d ${sieve-path} 750 ${dovecot-user} ${cfg.mail-group} - -" ];
];
services.dovecot2.preStart = '' services.dovecot2.preStart = ''
rm -f ${sieve-path}/* rm -f ${sieve-path}/*