Loading nixos/modules/services/misc/sssd.nix +33 −7 Original line number Diff line number Diff line Loading @@ -6,7 +6,6 @@ }: let cfg = config.services.sssd; nscd = config.services.nscd; dataDir = "/var/lib/sssd"; settingsFile = "${dataDir}/sssd.conf"; Loading Loading @@ -106,18 +105,36 @@ in config.environment.etc."nscd.conf".source settingsFileUnsubstituted ]; script = '' export LDB_MODULES_PATH+="''${LDB_MODULES_PATH+:}${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb" mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d ${pkgs.sssd}/bin/sssd -D -c ${settingsFile} ''; environment.LDB_MODULES_PATH = "${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb"; serviceConfig = { Type = "forking"; # systemd needs to start sssd directly for "NotifyAccess=main" to work ExecStart = "${pkgs.sssd}/bin/sssd -i -c ${settingsFile}"; Type = "notify"; NotifyAccess = "main"; PIDFile = "/run/sssd.pid"; CapabilityBoundingSet = [ "CAP_IPC_LOCK" "CAP_CHOWN" "CAP_DAC_READ_SEARCH" "CAP_KILL" "CAP_NET_ADMIN" "CAP_SYS_NICE" "CAP_FOWNER" "CAP_SETGID" "CAP_SETUID" "CAP_SYS_ADMIN" "CAP_SYS_RESOURCE" "CAP_BLOCK_SUSPEND" ]; Restart = "on-abnormal"; StateDirectory = baseNameOf dataDir; # We cannot use LoadCredential here because it's not available in ExecStartPre EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; }; unitConfig = { StartLimitIntervalSec = "50s"; StartLimitBurst = 5; }; preStart = '' mkdir -p "${dataDir}/conf.d" [ -f ${settingsFile} ] && rm -f ${settingsFile} Loading @@ -127,6 +144,7 @@ in -o ${settingsFile} \ -i ${settingsFileUnsubstituted} umask $old_umask mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d ''; }; Loading 
@@ -147,6 +165,14 @@ in serviceConfig = { ExecStartPre = "-${pkgs.sssd}/bin/sssd --genconf-section=kcm"; ExecStart = "${pkgs.sssd}/libexec/sssd/sssd_kcm --uid 0 --gid 0"; CapabilityBoundingSet = [ "CAP_IPC_LOCK" "CAP_CHOWN" "CAP_DAC_READ_SEARCH" "CAP_FOWNER" "CAP_SETGID" "CAP_SETUID" ]; }; restartTriggers = [ settingsFileUnsubstituted Loading Loading
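Review bot: The new `CapabilityBoundingSet` in the sssd `serviceConfig` still contains `CAP_SYS_ADMIN` and `CAP_NET_ADMIN`, and there is no `User =` line, so the daemon keeps running as root and the set only trims a few capabilities rather than confining the process; that may be exactly what upstream ships, but nothing in the hunk says where the list came from. A comment above the list would let the next maintainer verify it, e.g. `# Capability list, Type=notify and PIDFile mirror upstream's sssd.service; re-check when bumping pkgs.sssd` (presumably that is the source, which should be confirmed). The same applies to the six-entry set added to the sssd-kcm `serviceConfig` in the `@@ -147,6 +165,14 @@` hunk, whose `ExecStart` explicitly passes `--uid 0 --gid 0`. `PIDFile = "/run/sssd.pid"` combined with `Type = "notify"` is unusual enough (PIDFile is normally paired with `Type = "forking"`) to deserve a one-line comment as well. The enclosing `systemd.services.sssd` attribute set begins and ends outside these hunks.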
nixos/modules/services/misc/sssd.nix +33 −7 Original line number Diff line number Diff line Loading @@ -6,7 +6,6 @@ }: let cfg = config.services.sssd; nscd = config.services.nscd; dataDir = "/var/lib/sssd"; settingsFile = "${dataDir}/sssd.conf"; Loading Loading @@ -106,18 +105,36 @@ in config.environment.etc."nscd.conf".source settingsFileUnsubstituted ]; script = '' export LDB_MODULES_PATH+="''${LDB_MODULES_PATH+:}${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb" mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d ${pkgs.sssd}/bin/sssd -D -c ${settingsFile} ''; environment.LDB_MODULES_PATH = "${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb"; serviceConfig = { Type = "forking"; # systemd needs to start sssd directly for "NotifyAccess=main" to work ExecStart = "${pkgs.sssd}/bin/sssd -i -c ${settingsFile}"; Type = "notify"; NotifyAccess = "main"; PIDFile = "/run/sssd.pid"; CapabilityBoundingSet = [ "CAP_IPC_LOCK" "CAP_CHOWN" "CAP_DAC_READ_SEARCH" "CAP_KILL" "CAP_NET_ADMIN" "CAP_SYS_NICE" "CAP_FOWNER" "CAP_SETGID" "CAP_SETUID" "CAP_SYS_ADMIN" "CAP_SYS_RESOURCE" "CAP_BLOCK_SUSPEND" ]; Restart = "on-abnormal"; StateDirectory = baseNameOf dataDir; # We cannot use LoadCredential here because it's not available in ExecStartPre EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; }; unitConfig = { StartLimitIntervalSec = "50s"; StartLimitBurst = 5; }; preStart = '' mkdir -p "${dataDir}/conf.d" [ -f ${settingsFile} ] && rm -f ${settingsFile} Loading @@ -127,6 +144,7 @@ in -o ${settingsFile} \ -i ${settingsFileUnsubstituted} umask $old_umask mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d ''; }; Loading 
@@ -147,6 +165,14 @@ in serviceConfig = { ExecStartPre = "-${pkgs.sssd}/bin/sssd --genconf-section=kcm"; ExecStart = "${pkgs.sssd}/libexec/sssd/sssd_kcm --uid 0 --gid 0"; CapabilityBoundingSet = [ "CAP_IPC_LOCK" "CAP_CHOWN" "CAP_DAC_READ_SEARCH" "CAP_FOWNER" "CAP_SETGID" "CAP_SETUID" ]; }; restartTriggers = [ settingsFileUnsubstituted Loading