From 1c30532b6d9536949379694fd99e5f01603bf425 Mon Sep 17 00:00:00 2001
From: Peter Hoeg
Date: Mon, 26 Mar 2018 15:16:22 +0800
Subject: [PATCH] nixos pykms: run via DynamicUser

---
 nixos/modules/misc/ids.nix | 4 +-
 nixos/modules/services/misc/pykms.nix | 67 +++++++++++----------------
 2 files changed, 29 insertions(+), 42 deletions(-)

diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 0b4ed6d3b628..321e248d21c8 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -306,7 +306,7 @@
 rslsync = 279;
 minio = 280;
 kanboard = 281;
- pykms = 282;
+ # pykms = 282; # DynamicUser = true
 kodi = 283;
 restya-board = 284;
 mighttpd2 = 285;
@@ -597,7 +597,7 @@
 rslsync = 279;
 minio = 280;
 kanboard = 281;
- pykms = 282;
+ # pykms = 282; # DynamicUser = true
 kodi = 283;
 restya-board = 284;
 mighttpd2 = 285;
diff --git a/nixos/modules/services/misc/pykms.nix b/nixos/modules/services/misc/pykms.nix
index a11296e1bd02..ef90d124a284 100644
--- a/nixos/modules/services/misc/pykms.nix
+++ b/nixos/modules/services/misc/pykms.nix
@@ -5,20 +5,8 @@ with lib;
 let
 cfg = config.services.pykms;
- home = "/var/lib/pykms";
-
- services = {
- serviceConfig = {
- Restart = "on-failure";
- RestartSec = "10s";
- StartLimitInterval = "1min";
- PrivateTmp = true;
- ProtectSystem = "full";
- ProtectHome = true;
- };
- };
-
 in {
+ meta.maintainers = with lib.maintainers; [ peterhoeg ];
 options = {
 services.pykms = rec {
@@ -51,39 +39,38 @@ in {
 default = false;
 description = "Whether the listening port should be opened automatically.";
 };
+
+ memoryLimit = mkOption {
+ type = types.str;
+ default = "64M";
+ description = "How much memory to use at most.";
+ };
 };
 };
 config = mkIf cfg.enable {
 networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewallPort [ cfg.port ];
- systemd.services = {
- pykms = services // {
- description = "Python KMS";
- wantedBy = [ "multi-user.target" ];
- serviceConfig = with pkgs; {
- User = "pykms";
- Group = "pykms";
- ExecStartPre = "${getBin pykms}/bin/create_pykms_db.sh ${home}/clients.db";
- ExecStart = "${getBin pykms}/bin/server.py ${optionalString cfg.verbose "--verbose"} ${cfg.listenAddress} ${toString cfg.port}";
- WorkingDirectory = home;
- MemoryLimit = "64M";
- };
- };
- };
-
- users = {
- users.pykms = {
- name = "pykms";
- group = "pykms";
- home = home;
- createHome = true;
- uid = config.ids.uids.pykms;
- description = "PyKMS daemon user";
- };
-
- groups.pykms = {
- gid = config.ids.gids.pykms;
+ systemd.services.pykms = let
+ home = "/var/lib/pykms";
+ in {
+ description = "Python KMS";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ # python programs with DynamicUser = true require HOME to be set
+ environment.HOME = home;
+ serviceConfig = with pkgs; {
+ DynamicUser = true;
+ StateDirectory = baseNameOf home;
+ ExecStartPre = "${getBin pykms}/bin/create_pykms_db.sh ${home}/clients.db";
+ ExecStart = lib.concatStringsSep " " ([
+ "${getBin pykms}/bin/server.py"
+ cfg.listenAddress
+ (toString cfg.port)
+ ] ++ lib.optional cfg.verbose "--verbose");
+ WorkingDirectory = home;
+ Restart = "on-failure";
+ MemoryLimit = cfg.memoryLimit;
 };
 };
 };
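Review bot: The new `serviceConfig` keeps only `Restart = "on-failure"` from the old shared `services` set, so `RestartSec = "10s"` and `StartLimitInterval = "1min"` are dropped together with `PrivateTmp`, `ProtectSystem` and `ProtectHome`; per systemd.exec(5) `DynamicUser = true` implies ProtectSystem=strict, ProtectHome=read-only, PrivateTmp and (on recent systemd) NoNewPrivileges, so the sandbox is actually tighter than before, but the restart rate limit now falls back to systemd's defaults and nothing in the commit says that is intended. For a network listener it would still be worth adding the knobs DynamicUser does not imply, e.g. `PrivateDevices = true;` and `ProtectKernelTunables = true;`, right after `DynamicUser = true;`. Existing hosts have `/var/lib/pykms` and `clients.db` owned by the removed static uid 282 (see the ids.nix hunk); whether the dynamic user can still open them depends on systemd re-owning the StateDirectory on first start, which I cannot confirm from here, so a release-notes line or an ownership check in `ExecStartPre` would make the migration explicit. `memoryLimit` is an unvalidated `types.str`; stating the expected format in its description, e.g. `description = "Maximum memory for the service, as a systemd size string such as \"64M\".";`, would help users get it right.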