nixos/kanidm: Fix bind paths (#409310)

This commit is contained in:
Adam C. Stephens 2025-06-06 08:35:49 -04:00 committed by GitHub
commit a4ff0e3c64
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -54,15 +54,10 @@ let
++ optional (cfg.provision.extraJsonFile != null) cfg.provision.extraJsonFile
++ mapAttrsToList (_: x: x.basicSecretFile) cfg.provision.systems.oauth2
);
secretDirectories = unique (
map builtins.dirOf (
[
cfg.serverSettings.tls_chain
cfg.serverSettings.tls_key
]
++ optionals cfg.provision.enable provisionSecretFiles
)
);
secretPaths = [
cfg.serverSettings.tls_chain
cfg.serverSettings.tls_key
] ++ optionals cfg.provision.enable provisionSecretFiles;
# Merge bind mount paths and remove paths where a prefix is already mounted.
# This makes sure that if e.g. the tls_chain is in the nix store and /nix/store is already in the mount
@ -881,7 +876,7 @@ in
(
defaultServiceConfig
// {
BindReadOnlyPaths = mergePaths (defaultServiceConfig.BindReadOnlyPaths ++ secretDirectories);
BindReadOnlyPaths = mergePaths (defaultServiceConfig.BindReadOnlyPaths ++ secretPaths);
}
)
{
@ -895,8 +890,6 @@ in
BindPaths =
[
# To create the socket
"/run/kanidmd:/run/kanidmd"
# To store backups
cfg.serverSettings.online_backup.path
]