diff options
| author | nikstur <nikstur@outlook.com> | 2023-11-16 23:14:22 +0100 |
|---|---|---|
| committer | nikstur <nikstur@outlook.com> | 2023-12-29 03:20:28 +0100 |
| commit | 994df434ba29b9774efe56d23270a8dc150c68ce (patch) | |
| tree | 9a1b0384635f76b17bb5ba07b8661f91f1057b72 /nixos/modules/config | |
| parent | e96cd172fb625b910f13c0957be4204188afc884 (diff) | |
nixos/ldap: replace activationScript
Replace with a dedicated systemd service.
Diffstat (limited to 'nixos/modules/config')
| -rw-r--r-- | nixos/modules/config/ldap.nix | 101 |
1 files changed, 55 insertions, 46 deletions
diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix index d2f01fb87d32d..e374e4a7a27e9 100644 --- a/nixos/modules/config/ldap.nix +++ b/nixos/modules/config/ldap.nix @@ -226,18 +226,6 @@ in "ldap.conf" = ldapConfig; }; - system.activationScripts = mkIf (!cfg.daemon.enable) { - ldap = stringAfter [ "etc" "groups" "users" ] '' - if test -f "${cfg.bind.passwordFile}" ; then - umask 0077 - conf="$(mktemp)" - printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" | - cat ${ldapConfig.source} - >"$conf" - mv -fT "$conf" /etc/ldap.conf - fi - ''; - }; - system.nssModules = mkIf cfg.nsswitch (singleton ( if cfg.daemon.enable then nss_pam_ldapd else nss_ldap )); @@ -258,42 +246,63 @@ in }; }; - systemd.services = mkIf cfg.daemon.enable { - nslcd = { - wantedBy = [ "multi-user.target" ]; - - preStart = '' - umask 0077 - conf="$(mktemp)" - { - cat ${nslcdConfig} - test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' || - printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')" - test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpwFile}' || - printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpwFile}')" - } >"$conf" - mv -fT "$conf" /run/nslcd/nslcd.conf - ''; - - restartTriggers = [ - nslcdConfig - cfg.bind.passwordFile - cfg.daemon.rootpwmodpwFile - ]; - - serviceConfig = { - ExecStart = "${nslcdWrapped}/bin/nslcd"; - Type = "forking"; - Restart = "always"; - User = "nslcd"; - Group = "nslcd"; - RuntimeDirectory = [ "nslcd" ]; - PIDFile = "/run/nslcd/nslcd.pid"; - AmbientCapabilities = "CAP_SYS_RESOURCE"; + systemd.services = mkMerge [ + (mkIf (!cfg.daemon.enable) { + ldap-password = { + wantedBy = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; + unitConfig.DefaultDependencies = false; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + script = '' + if test -f "${cfg.bind.passwordFile}" ; then + umask 0077 + conf="$(mktemp)" + printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" | + cat ${ldapConfig.source} - >"$conf" + mv -fT "$conf" /etc/ldap.conf + fi + ''; }; - }; + }) + + (mkIf cfg.daemon.enable { + nslcd = { + wantedBy = [ "multi-user.target" ]; + + preStart = '' + umask 0077 + conf="$(mktemp)" + { + cat ${nslcdConfig} + test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' || + printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')" + test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpwFile}' || + printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpwFile}')" + } >"$conf" + mv -fT "$conf" /run/nslcd/nslcd.conf + ''; - }; + restartTriggers = [ + nslcdConfig + cfg.bind.passwordFile + cfg.daemon.rootpwmodpwFile + ]; + + serviceConfig = { + ExecStart = "${nslcdWrapped}/bin/nslcd"; + Type = "forking"; + Restart = "always"; + User = "nslcd"; + Group = "nslcd"; + RuntimeDirectory = [ "nslcd" ]; + PIDFile = "/run/nslcd/nslcd.pid"; + AmbientCapabilities = "CAP_SYS_RESOURCE"; + }; + }; + }) + ]; }; |