Make sure krb database belongs to krb user

This commit is contained in:
niten 2023-10-15 21:31:16 -07:00
parent 8ada3ef6b3
commit 859be01b23
1 changed files with 6 additions and 1 deletions


@ -73,6 +73,7 @@ in {
systemd = {
tmpfiles.rules = mkIf (kerberos-master || kerberos-slave) [
"d ${cfg.kerberos.state-directory} 0700 ${krb-user} ${krb-group} - -"
"f ${cfg.fudo.auth.kerberos.kdc.database} 0700 ${krb-user} ${krb-group} - -"
];
paths.heimdal-kdc-initialize = mkIf kerberos-master {
@ -88,6 +89,10 @@ in {
host-secrets.kdc-principals.service
host-secrets.realm-master-key.service
];
after = [
host-secrets.kdc-principals.service
host-secrets.realm-master-key.service
];
description = "Initialize and update the Heimdal KDC database.";
path = with pkgs; [ kdcMergePrincipals coreutils ];
serviceConfig = let
@ -98,7 +103,6 @@ in {
User = krb-user;
Group = krb-group;
Restart = "always";
ConditionPathExists = [ db principals master-key ];
ExecStart = let
init-db-cmd = concatStringsSep " " [
"${pkgs.kdcMergePrincipals}/bin/kdc-merge-principals"
@ -116,6 +120,7 @@ in {
'';
in "+${script}";
};
unitConfig.ConditionPathExists = [ db principals master-key ];
};
heimdal-kdc = mkIf kerberos-master {
requires = [ "heimdal-kdc-initialize.service" ];
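Review bot: The new `f` tmpfiles rule creates an empty file at `${cfg.fudo.auth.kerberos.kdc.database}` whenever it is missing, so if `db` in the new `unitConfig.ConditionPathExists = [ db principals master-key ];` line resolves to that same path, the condition is satisfied by an empty placeholder rather than by an initialized database. If the intent is only to correct ownership of an existing database, as the commit title suggests, the `z` type adjusts owner and mode without creating anything: `"z ${cfg.fudo.auth.kerberos.kdc.database} 0600 ${krb-user} ${krb-group} - -"`. Mode `0700` on a regular file also sets an execute bit a database file does not need; `0600` is the conventional choice. Note too that `in "+${script}"` runs the initializer with full privileges regardless of `User = krb-user;`, so if the script itself creates the database, the file presumably comes out root-owned until tmpfiles next runs — worth confirming against the script body. The enclosing `systemd` attribute set starts before the first hunk and continues past the last.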