This could be tricky to get right. Currently this is a .in file but it isn't pre-processed in any way, just copied. in Fedora/RHEL the rpm macro %tmpfiles_create handles installation and configuration of the file (and this macro is deprecated, as it turns out).

From a quick read it essentially does this:

/usr/bin/systemd-tmpfiles --create <file>

I don't know how other distributions handle this.

In order to make it possible to substitute this I think it would need to be generated during ipa-server-install instead and systemd-tmpfiles called directly. I'm not sure if that has any implications or not.

Actually, it's not that hard.. we can follow the example set by ODS_USER etc, I'll send a MR.

part of https://github.com/freeipa/freeipa/pull/6091

master:

• 4738ab3 ipaplatform/debian: Fix HTTPD_ALIAS_DIR, and drop some obsolete paths.
• de97d83 ipaplatform: Add support for recognizing systemd-timesyncd
• dfbae69 ipaplatform/debian: Fix named keytab name
• e94afdd ipaplatform/debian: Fix ntpd service name
• 52090d3 ipatests/test_ipaplatform: Skip test_ipa_version on Debian
• 9799b81 ipaplatform: Modify paths to fips-mode-setup and systemd-tmpfiles
• 9eecadd configure: Use HTTPD_GROUP in init/tmpfiles/ipa.conf.in

ipa-4-9:

• a0eb02c ipaplatform/debian: Fix HTTPD_ALIAS_DIR, and drop some obsolete paths.
• cf9c4cc ipaplatform: Add support for recognizing systemd-timesyncd
• da9be70 ipaplatform/debian: Fix named keytab name
• dcdc31b ipaplatform/debian: Fix ntpd service name
• e99870f ipatests/test_ipaplatform: Skip test_ipa_version on Debian
• 739d356 ipaplatform: Modify paths to fips-mode-setup and systemd-tmpfiles
• 69f5f31 configure: Use HTTPD_GROUP in init/tmpfiles/ipa.conf.in