Whenever keytab is modded, copy.

config/profile-config/host/kerberos.nix

@@ -9,13 +9,56 @@ let
 in {
   config = mkIf has-secret-files (let
     keytab-file = try-attr hostname config.fudo.secrets.files.host-keytabs;
-  in {
-    environment.etc."krb5.keytab" = mkIf (keytab-file != null) {
-      source =
-        config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;
-      user = "root";
-      group = "root";
-      mode = "0400";
+  in mkIf (keytab-file != null) {
+    ## This doesn't seem to work...timing?
+    # environment.etc."krb5.keytab" = mkIf (keytab-file != null) {
+    #   source =
+    #     config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;
+    #   user = "root";
+    #   group = "root";
+    #   mode = "0400";
+    # };
+
+    systemd = let
+      host-keytab = config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;
+    in {
+      paths."${hostname}-keytab-watcher" = {
+        wantedBy = [ "default.target" ];
+        description = "Watch host keytab for changes.";
+        pathConfig = {
+          PathChanged = host-keytab;
+          Unit = "${hostname}-keytab-watcher.service";
+        };
+      };
+
+      services = {
+        "${hostname}-keytab-watcher" = {
+          description = "When host keytab is available or changed, activate copy job.";
+          path = with pkgs; [ systemd ];
+          serviceConfig = {
+            Type = "oneshot";
+          };
+          script = "systemctl restart ${hostname}-copy-keytab.service";
+        };
+
+        "${hostname}-copy-keytab" = {
+          description = "Copy the host krb5.keytab into place once it's available.";
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+            ExecStart = pkgs.writeShellScript "${hostname}-copy-keytab.sh" ''
+              [ -f ${host-keytab} ] || exit 1
+              [ -f /etc/krb5.keytab ] && rm /etc/krb5.keytab
+              cp ${host-keytab} /etc/krb5.keytab
+              chown root:root /etc/krb5.keytab
+              chmod 0400 /etc/krb5.keytab
+            '';
+            ExecStop = pkgs.writeShellScript "${hostname}-remove-keytab.sh" ''
+              rm -f /etc/krb5.keytab
+            '';
+          };
+        };
+      };
     };
 
     fudo.secrets.host-secrets.${hostname}.host-keytab = mkIf (keytab-file != null) {