nixos/ldap: replace activationScript

Replace with a dedicated systemd service.
2023-11-16 23:14:22 +01:00 · 2023-11-16 23:14:22 +01:00 · 994df434ba
commit 994df434ba
parent e96cd172fb
1 changed files with 55 additions and 46 deletions
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@ -226,18 +226,6 @@ in
      "ldap.conf" = ldapConfig;
    };

-    system.activationScripts = mkIf (!cfg.daemon.enable) {
-      ldap = stringAfter [ "etc" "groups" "users" ] ''
-        if test -f "${cfg.bind.passwordFile}" ; then
-          umask 0077
-          conf="$(mktemp)"
-          printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" |
-          cat ${ldapConfig.source} - >"$conf"
-          mv -fT "$conf" /etc/ldap.conf
-        fi
-      '';
-    };
-
    system.nssModules = mkIf cfg.nsswitch (singleton (
      if cfg.daemon.enable then nss_pam_ldapd else nss_ldap
    ));
@ -258,7 +246,28 @@ in
      };
    };

-    systemd.services = mkIf cfg.daemon.enable {
+    systemd.services = mkMerge [
+      (mkIf (!cfg.daemon.enable) {
+        ldap-password = {
+          wantedBy = [ "sysinit.target" ];
+          before = [ "sysinit.target" "shutdown.target" ];
+          conflicts = [ "shutdown.target" ];
+          unitConfig.DefaultDependencies = false;
+          serviceConfig.Type = "oneshot";
+          serviceConfig.RemainAfterExit = true;
+          script = ''
+            if test -f "${cfg.bind.passwordFile}" ; then
+              umask 0077
+              conf="$(mktemp)"
+              printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" |
+              cat ${ldapConfig.source} - >"$conf"
+              mv -fT "$conf" /etc/ldap.conf
+            fi
+          '';
+        };
+      })
+
+      (mkIf cfg.daemon.enable {
        nslcd = {
          wantedBy = [ "multi-user.target" ];

@ -292,8 +301,8 @@ in
            AmbientCapabilities = "CAP_SYS_RESOURCE";
          };
        };
-
-    };
+      })
+    ];

  };