Make sure kerberos database belongs to kerberos user
This commit is contained in:
parent
f3312f8fce
commit
7ed8b64466
@ -210,8 +210,8 @@ let
|
|||||||
# ${convertCmd}
|
# ${convertCmd}
|
||||||
# ls $RUNTIME_DIRECTORY
|
# ls $RUNTIME_DIRECTORY
|
||||||
# '';
|
# '';
|
||||||
ExecStartPre = pkgs.writeShellScript "kdc-prepare-hprop-dump.sh"
|
ExecStartPre = let
|
||||||
(concatStringsSep " " [
|
dumpScript = (concatStringsSep " " [
|
||||||
"${pkgs.heimdal}/bin/kadmin"
|
"${pkgs.heimdal}/bin/kadmin"
|
||||||
"--local"
|
"--local"
|
||||||
"--config-file=${kdcConf}"
|
"--config-file=${kdcConf}"
|
||||||
@ -220,6 +220,13 @@ let
|
|||||||
"--format=Heimdal"
|
"--format=Heimdal"
|
||||||
"${staging-db}"
|
"${staging-db}"
|
||||||
]);
|
]);
|
||||||
|
in pkgs.writeShellScript "kdc-prepare-hprop-dump.sh" ''
|
||||||
|
chown ${cfg.user}:${cfg.group} ${staging-db}
|
||||||
|
chown ${cfg.user}:${cfg.group} ${cfg.kdc.database}
|
||||||
|
chown ${cfg.user}:${cfg.group} ${cfg.kdc.state-directory}/kerberos.log
|
||||||
|
${dumpScript}
|
||||||
|
'';
|
||||||
|
|
||||||
ExecStart = pkgs.writeShellScript "kdc-hprop.sh"
|
ExecStart = pkgs.writeShellScript "kdc-hprop.sh"
|
||||||
(concatStringsSep " " ([
|
(concatStringsSep " " ([
|
||||||
"${pkgs.heimdal}/libexec/heimdal/hprop"
|
"${pkgs.heimdal}/libexec/heimdal/hprop"
|
||||||
|
|||||||
@ -33,30 +33,30 @@ let
|
|||||||
tls = yes
|
tls = yes
|
||||||
tls_require_cert = try
|
tls_require_cert = try
|
||||||
'';
|
'';
|
||||||
in
|
in pkgs.writeText "dovecot2-ldap-config.conf.template" ''
|
||||||
pkgs.writeText "dovecot2-ldap-config.conf.template" ''
|
uris = ${concatStringsSep " " ldap-cfg.server-urls}
|
||||||
uris = ${concatStringsSep " " ldap-cfg.server-urls}
|
ldap_version = 3
|
||||||
ldap_version = 3
|
dn = ${ldap-cfg.reader-dn}
|
||||||
dn = ${ldap-cfg.reader-dn}
|
dnpass = __LDAP_READER_PASSWORD__
|
||||||
dnpass = __LDAP_READER_PASSWORD__
|
auth_bind = yes
|
||||||
auth_bind = yes
|
auth_bind_userdn = uid=%u,ou=members,dc=fudo,dc=org
|
||||||
auth_bind_userdn = uid=%u,ou=members,dc=fudo,dc=org
|
base = dc=fudo,dc=org
|
||||||
base = dc=fudo,dc=org
|
${ssl-config}
|
||||||
${ssl-config}
|
'';
|
||||||
'';
|
|
||||||
|
|
||||||
ldap-conf-generator = ldap-cfg: let
|
ldap-conf-generator = ldap-cfg:
|
||||||
template = ldap-conf-template ldap-cfg;
|
let
|
||||||
target-dir = dirOf ldap-cfg.generated-ldap-config;
|
template = ldap-conf-template ldap-cfg;
|
||||||
target = ldap-cfg.generated-ldap-config;
|
target-dir = dirOf ldap-cfg.generated-ldap-config;
|
||||||
in pkgs.writeScript "dovecot2-ldap-password-swapper.sh" ''
|
target = ldap-cfg.generated-ldap-config;
|
||||||
mkdir -p ${target-dir}
|
in pkgs.writeScript "dovecot2-ldap-password-swapper.sh" ''
|
||||||
touch ${target}
|
mkdir -p ${target-dir}
|
||||||
chmod 600 ${target}
|
touch ${target}
|
||||||
chown ${config.services.dovecot2.user} ${target}
|
chmod 600 ${target}
|
||||||
LDAP_READER_PASSWORD=$( cat "${ldap-cfg.reader-password-file}" )
|
chown ${config.services.dovecot2.user} ${target}
|
||||||
sed 's/__LDAP_READER_PASSWORD__/$LDAP_READER_PASSWORD/' '${template}' > ${target}
|
LDAP_READER_PASSWORD=$( cat "${ldap-cfg.reader-password-file}" )
|
||||||
'';
|
sed 's/__LDAP_READER_PASSWORD__/$LDAP_READER_PASSWORD/' '${template}' > ${target}
|
||||||
|
'';
|
||||||
|
|
||||||
ldap-passwd-entry = ldap-config: ''
|
ldap-passwd-entry = ldap-config: ''
|
||||||
passdb {
|
passdb {
|
||||||
@ -69,7 +69,8 @@ let
|
|||||||
options = with types; {
|
options = with types; {
|
||||||
ca = mkOption {
|
ca = mkOption {
|
||||||
type = nullOr str;
|
type = nullOr str;
|
||||||
description = "The path to the CA cert used to sign the LDAP server certificate.";
|
description =
|
||||||
|
"The path to the CA cert used to sign the LDAP server certificate.";
|
||||||
default = null;
|
default = null;
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -99,7 +100,8 @@ let
|
|||||||
|
|
||||||
generated-ldap-config = mkOption {
|
generated-ldap-config = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
description = "Path at which to store the generated LDAP config file, including password.";
|
description =
|
||||||
|
"Path at which to store the generated LDAP config file, including password.";
|
||||||
default = "/run/dovecot2/config/ldap.conf";
|
default = "/run/dovecot2/config/ldap.conf";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -132,7 +134,7 @@ in {
|
|||||||
|
|
||||||
services.prometheus.exporters.dovecot = mkIf cfg.monitoring.enable {
|
services.prometheus.exporters.dovecot = mkIf cfg.monitoring.enable {
|
||||||
enable = true;
|
enable = true;
|
||||||
scopes = ["user" "global"];
|
scopes = [ "user" "global" ];
|
||||||
listenAddress = "127.0.0.1";
|
listenAddress = "127.0.0.1";
|
||||||
port = cfg.monitoring.dovecot-listen-port;
|
port = cfg.monitoring.dovecot-listen-port;
|
||||||
socketPath = "/var/run/dovecot2/old-stats";
|
socketPath = "/var/run/dovecot2/old-stats";
|
||||||
@ -295,9 +297,8 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
systemd = {
|
systemd = {
|
||||||
tmpfiles.rules = [
|
tmpfiles.rules =
|
||||||
"d ${sieve-path} 750 ${dovecot-user} ${cfg.mail-group} - -"
|
[ "d ${sieve-path} 750 ${dovecot-user} ${cfg.mail-group} - -" ];
|
||||||
];
|
|
||||||
|
|
||||||
services.dovecot2.preStart = ''
|
services.dovecot2.preStart = ''
|
||||||
rm -f ${sieve-path}/*
|
rm -f ${sieve-path}/*
|
||||||
@ -307,7 +308,7 @@ in {
|
|||||||
done
|
done
|
||||||
|
|
||||||
${optionalString (cfg.dovecot.ldap != null)
|
${optionalString (cfg.dovecot.ldap != null)
|
||||||
(ldap-conf-generator cfg.dovecot.ldap)}
|
(ldap-conf-generator cfg.dovecot.ldap)}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user