Wait, Restart can't be 'never', only 'no'

2024-01-07 15:25:29 -08:00 · 2024-01-07 15:25:29 -08:00 · f7a5a43d30
parent 2c206d394b
commit f7a5a43d30
1 changed files with 19 additions and 0 deletions
--- a/lib/fudo/auth/kerberos/kdc.nix
+++ b/lib/fudo/auth/kerberos/kdc.nix
@ -312,6 +312,25 @@ let
              description = "Heimdal propagation listener server.";
              path = with pkgs; [ heimdal ];
              serviceConfig = {
+                StandardInput = "socket";
+                StandardOutput = "socket";
+                PrivateDevices = true;
+                PrivateTmp = true;
+                ProtectControlGroups = true;
+                ProtectKernelTunables = true;
+                ProtectHostname = true;
+                ProtectClock = true;
+                ProtectKernelLogs = true;
+                MemoryDenyWriteExecute = true;
+                RestrictRealtime = true;
+                LimitNOFILE = "4096";
+                User = cfg.user;
+                Group = cfg.group;
+                # Server will retry -- this results in stacking
+                Restart = "no";
+                AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+                SecureBits = "keep-caps";
+                ReadWritePaths = [ "${dirOf cfg.kdc.database}" ];
                ExecStart = let
                  startScript = pkgs.writeShellScript "launch-heimdal-hpropd.sh"
                    (concatStringsSep " " [