depot/cluster/services/idm/modules/idm-nss-ready.nix

{ lib, pkgs, ... }:

let
  idmReady = pkgs.writers.writeHaskellBin "idm-nss-ready" {
    libraries = with pkgs.haskellPackages; [ watchdog ];
  } ''
    import Control.Monad.IO.Class
    import Control.Watchdog
    import System.IO.Error
    import System.Posix.User

    main :: IO ()
    main = watchdog $ do
      setInitialDelay 300_000
      setMaximumDelay 30_000_000
      watch $ do
        check <- liftIO $ tryIOError $ getGroupEntryForName "infra_admins"
        case check of
          Right _ -> return $ Right ()
          Left _ -> return $ Left "group not found"
  '';
in

{
  systemd.services.idm-nss-ready = {
    description = "Wait for IDM NSS";
    requires = [ "kanidm-unixd.service" "nss-user-lookup.target" ];
    after = [ "kanidm-unixd.service" ];
    before = [ "nss-user-lookup.target" ];
    serviceConfig = {
      ExecStart = lib.getExe idmReady;
      DynamicUser = true;
      TimeoutStartSec = "2m";
      Type = "oneshot";
    };
  };
}