From 65ff518a0d56ea2907114288a891464c2ab916ac Mon Sep 17 00:00:00 2001
From: nikstur
Date: Mon, 13 Nov 2023 10:47:25 +0100
Subject: [PATCH] nixos/ipa: replace activationScript

Replaced with a dedicated systemd service.
---
nixos/modules/security/ipa.nix | 40 ++++++++++++++++++++++++----------------
1 file changed, 24 insertions(+), 16 deletions(-)

diff --git a/nixos/modules/security/ipa.nix b/nixos/modules/security/ipa.nix
index 69a670cd5e4a..49226ec38199 100644
--- a/nixos/modules/security/ipa.nix
+++ b/nixos/modules/security/ipa.nix
@@ -181,25 +181,33 @@ in {
 '';
 };
- system.activationScripts.ipa = stringAfter ["etc"] ''
- # libcurl requires a hard copy of the certificate
- if ! ${pkgs.diffutils}/bin/diff ${cfg.certificate} /etc/ipa/ca.crt > /dev/null 2>&1; then
- rm -f /etc/ipa/ca.crt
- cp ${cfg.certificate} /etc/ipa/ca.crt
- fi
+ systemd.services."ipa-activation" = {
+ wantedBy = [ "sysinit.target" ];
+ before = [ "sysinit.target" "shutdown.target" ];
+ conflicts = [ "shutdown.target" ];
+ unitConfig.DefaultDependencies = false;
+ serviceConfig.Type = "oneshot";
+ serviceConfig.RemainAfterExit = true;
+ script = ''
+ # libcurl requires a hard copy of the certificate
+ if ! ${pkgs.diffutils}/bin/diff ${cfg.certificate} /etc/ipa/ca.crt > /dev/null 2>&1; then
+ rm -f /etc/ipa/ca.crt
+ cp ${cfg.certificate} /etc/ipa/ca.crt
+ fi
- if [ ! -f /etc/krb5.keytab ]; then
- cat <