Add mutable config option #1
kwohlfahrt wants to merge 13 commits into poscat0x04:openldap-modernize from
Conversation
This is messy, because it means the config construction script has to have root access to create the config dir and set permissions. Additionally, the intention with systemd seems to be that ConfigurationDirectory is world-readable, which is not suitable for us because it contains secrets. Look into LoadCredential for alternatives.
TODO: add mutable/immutable content, for symmetry.
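As an added illustration of the point made in the comment above (this is not code from this PR or from the nixpkgs openldap module): a unit that lets its pre-start script write secrets into `ConfigurationDirectory=` ends up with them under `/etc/<name>`, a directory systemd creates with `ConfigurationDirectoryMode=` (default `0755`), so the files are only as private as the script's umask makes them. `LoadCredential=` instead reads the source file as root and exposes a private copy under `$CREDENTIALS_DIRECTORY`, readable only by the service's user. The unit name, the script path, the credential source path and the `slapd` command line are assumptions for this example.

```ini
# --- Before: secret lands in a world-readable config tree ---
# /etc/systemd/system/openldap.service (assumed unit name)
[Service]
# systemd creates /etc/openldap with mode 0755 (ConfigurationDirectoryMode default)
ConfigurationDirectory=openldap
# The script needs root to create the tree and fix permissions, and any file it
# writes with the default umask (e.g. one carrying olcRootPW) is readable by every user.
ExecStartPre=/run/current-system/sw/bin/generate-slapd-config   # assumed path
ExecStart=/run/current-system/sw/bin/slapd -F /etc/openldap -d 0 # assumed path

# --- After: secret delivered as a credential, config tree stays secret-free ---
[Service]
ConfigurationDirectory=openldap
# Source file may be root-only (0400 root:root); systemd reads it with its own
# privileges and places a copy at $CREDENTIALS_DIRECTORY/rootpw, owned by the
# service user with mode 0400 in a private tmpfs. Assumed source path.
LoadCredential=rootpw:/run/secrets/openldap-rootpw
# The generator no longer needs root and only references the credential path;
# it must not copy the secret into /etc/openldap.
ExecStartPre=/run/current-system/sw/bin/generate-slapd-config
ExecStart=/run/current-system/sw/bin/slapd -F /etc/openldap -d 0
```

The pre-start script then reads `"$CREDENTIALS_DIRECTORY/rootpw"` at runtime rather than embedding the value in the generated `olcRootPW` attribute, and a plain `ls -l /etc/openldap` is enough to verify that nothing sensitive was written into the world-readable tree.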
As an aside, I took a brief look at implementing I'm planning to use

Sorry I'm very busy right now, I'll review this PR asap.

Hi @poscat0x04 - any chance you'll have some free time to review this in the near future? If not, do you mind if I open a new PR against NixOS/nixpkgs to replace yours with these changes?
This mainly adds the option `mutableConfig`, as discussed in NixOS#141240. I got carried away and did a few other things too:

- … (`mutableConfig` option).
- … (`ldapi:///` sockets with custom path)
- … `ExecStartPre` lines. This makes it obvious from `systemctl status` which part has failed.

I added one additional assertion, that means declarative database contents are not usable with the `configDir` option (which essentially bypasses all of this module). I don't think this check is technically 100% necessary, since if the custom `configDir` contains the right `olcDbDirectory` it should work, but it's easy to get wrong and I don't see much of a use case for using NixOS for database contents, but not config.

I'm also a little cautious about the other assertion (`assertion = dataDirs ? "${dn}";`) - when we have `mutableConfig = true`, this assertion might pass, even though the actual configuration has diverged from what is in `settings`. This kind of thing is why I'm not a huge fan of `mutableConfig`. Any suggestions for things to change here, or should we leave this as-is?