From 940f49870b1253edfd58d68726e13d1decd49b35 Mon Sep 17 00:00:00 2001
From: Quentin Smith
Date: Tue, 26 Aug 2025 17:17:41 -0400
Subject: [PATCH] module: support additional properties in "ak"

This changes the "ak" script to contain all properties from the authentik.service unit except the Exec* and Restart* properties. This allows the script to work when the user has added additional properties to the unit (e.g. the `SupplementaryGroups` property to connect to Redis over a Unix socket).
---
 module.nix | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/module.nix b/module.nix
index 39f735c..d4d283e 100644
--- a/module.nix
+++ b/module.nix
@@ -196,13 +196,17 @@ in
 # `systemd-run(1)` in order to spin up an environment with correct (dynamic) user,
 # state directory and environment to run `ak` inside.
 (k: vs: map (v: "--property ${k}=${if isBool v then boolToString v else toString v}") (toList vs))
- # Read serviceDefaults from `authentik.service`. That way, module system primitives (mk*)
- # can be used inside `serviceDefaults` and it doesn't need to be evaluated here again.
+ # Read properties from `authentik.service`. That way, users can customize the properties using
+ # module system primitives and the like.
 (
- getAttrs (attrNames serviceDefaults) config.systemd.services.authentik.serviceConfig
- // {
- StateDirectory = "authentik";
- }
+ removeAttrs config.systemd.services.authentik.serviceConfig [
+ "ExecStart"
+ "ExecStartPre"
+ "Restart"
+ "RestartSec"
+ # systemd-run doesn't expand the %S specifier, so this is passed separately below.
+ "WorkingDirectory"
+ ]
 )
 );
 in
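Review bot: The `removeAttrs` list names only `ExecStart`, `ExecStartPre`, `Restart` and `RestartSec`, while the commit message promises to drop every Exec* and Restart* property, so anything else set on `authentik.service` (an `ExecStartPost` or `ExecStopPost`, for example) is forwarded to `systemd-run` and applied to every `ak` invocation. Since this replaces the old `getAttrs (attrNames serviceDefaults)` allowlist with a denylist, the filter should match by prefix, e.g. `filterAttrs (k: _: !(hasPrefix "Exec" k || hasPrefix "Restart" k || k == "WorkingDirectory")) config.systemd.services.authentik.serviceConfig` (assuming `filterAttrs` and `hasPrefix` are in scope from `lib`, as `isBool` and `toList` appear to be). Values are still interpolated as `"--property ${k}=${...}"` in the context line above the change. If that string reaches a shell script unquoted, arbitrary user-set values containing spaces or shell metacharacters will be split or expanded, so each argument is worth wrapping in `escapeShellArg`. The enclosing expression starts before and continues past this hunk, so how the arguments are joined is not visible here.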