From b3af89dd388831ab13e769a62375a3bdb758ad3f Mon Sep 17 00:00:00 2001
From: Katalin Rebhan <me@dblsaiko.net>
Date: Sat, 7 Jun 2025 20:59:25 +0200
Subject: [PATCH] nixos/kerberos_server: add extraKDCArgs option

---
 nixos/modules/services/system/kerberos/default.nix |  9 +++++++++
 nixos/modules/services/system/kerberos/heimdal.nix | 11 ++++++++++-
 nixos/modules/services/system/kerberos/mit.nix     | 12 +++++++++++-
 3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/system/kerberos/default.nix b/nixos/modules/services/system/kerberos/default.nix
index 5e7210ca7629..5dfc3bed844f 100644
--- a/nixos/modules/services/system/kerberos/default.nix
+++ b/nixos/modules/services/system/kerberos/default.nix
@@ -7,6 +7,7 @@
 
 let
   inherit (lib) mkOption types;
+  inherit (lib.types) listOf str;
   cfg = config.services.kerberos_server;
   inherit (config.security.krb5) package;
 
@@ -41,6 +42,14 @@ in
         '';
         default = { };
       };
+
+      extraKDCArgs = mkOption {
+        type = listOf str;
+        description = ''
+          Extra arguments to pass to the KDC process. See {manpage}`kdc(8)`.
+        '';
+        default = [ ];
+      };
     };
   };
 
diff --git a/nixos/modules/services/system/kerberos/heimdal.nix b/nixos/modules/services/system/kerberos/heimdal.nix
index 6daa86e79aae..2094a4dceb24 100644
--- a/nixos/modules/services/system/kerberos/heimdal.nix
+++ b/nixos/modules/services/system/kerberos/heimdal.nix
@@ -2,11 +2,14 @@
   pkgs,
   config,
   lib,
+  utils,
   ...
 }:
 
 let
   inherit (lib) mapAttrs;
+  inherit (utils) escapeSystemdExecArgs;
+
   cfg = config.services.kerberos_server;
   package = config.security.krb5.package;
 
@@ -94,7 +97,13 @@ in
         "info:heimdal"
       ];
       serviceConfig = {
-        ExecStart = "${package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
+        ExecStart = escapeSystemdExecArgs (
+          [
+            "${package}/libexec/kdc"
+            "--config-file=/etc/heimdal-kdc/kdc.conf"
+          ]
+          ++ cfg.extraKDCArgs
+        );
         Slice = "system-kerberos-server.slice";
         StateDirectory = "heimdal";
       };
diff --git a/nixos/modules/services/system/kerberos/mit.nix b/nixos/modules/services/system/kerberos/mit.nix
index f1caa92c04df..0011f4cf1431 100644
--- a/nixos/modules/services/system/kerberos/mit.nix
+++ b/nixos/modules/services/system/kerberos/mit.nix
@@ -2,11 +2,14 @@
   pkgs,
   config,
   lib,
+  utils,
   ...
 }:
 
 let
   inherit (lib) mapAttrs;
+  inherit (utils) escapeSystemdExecArgs;
+
   cfg = config.services.kerberos_server;
   package = config.security.krb5.package;
   PIDFile = "/run/kdc.pid";
@@ -91,7 +94,14 @@ in
       serviceConfig = {
         Type = "forking";
         PIDFile = PIDFile;
-        ExecStart = "${package}/bin/krb5kdc -P ${PIDFile}";
+        ExecStart = escapeSystemdExecArgs (
+          [
+            "${package}/bin/krb5kdc"
+            "-P"
+            "${PIDFile}"
+          ]
+          ++ cfg.extraKDCArgs
+        );
         Slice = "system-kerberos-server.slice";
         StateDirectory = "krb5kdc";
       };