From f7a5a43d30e4c4ba7bd84dc9160bd81beac75125 Mon Sep 17 00:00:00 2001
From: niten <niten@fudo.org>
Date: Sun, 7 Jan 2024 15:25:29 -0800
Subject: [PATCH] Wait, Restart can't be 'never', only 'no'

---
 lib/fudo/auth/kerberos/kdc.nix | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/lib/fudo/auth/kerberos/kdc.nix b/lib/fudo/auth/kerberos/kdc.nix
index 7b6d374..1a94bef 100644
--- a/lib/fudo/auth/kerberos/kdc.nix
+++ b/lib/fudo/auth/kerberos/kdc.nix
@@ -312,6 +312,25 @@ let
               description = "Heimdal propagation listener server.";
               path = with pkgs; [ heimdal ];
               serviceConfig = {
+                StandardInput = "socket";
+                StandardOutput = "socket";
+                PrivateDevices = true;
+                PrivateTmp = true;
+                ProtectControlGroups = true;
+                ProtectKernelTunables = true;
+                ProtectHostname = true;
+                ProtectClock = true;
+                ProtectKernelLogs = true;
+                MemoryDenyWriteExecute = true;
+                RestrictRealtime = true;
+                LimitNOFILE = "4096";
+                User = cfg.user;
+                Group = cfg.group;
+                # Server will retry -- this results in stacking
+                Restart = "no";
+                AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+                SecureBits = "keep-caps";
+                ReadWritePaths = [ "${dirOf cfg.kdc.database}" ];
                 ExecStart = let
                   startScript = pkgs.writeShellScript "launch-heimdal-hpropd.sh"
                     (concatStringsSep " " [