Merge pull request #96844 from peterhoeg/m/nfs

nixos/nfsd: run rpc-statd as a normal user
This commit is contained in:
Peter Hoeg 2020-09-09 09:10:46 +08:00 committed by GitHub
commit 42eebd7ade
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 35 additions and 36 deletions

View File

@ -8,6 +8,8 @@ let
exports = pkgs.writeText "exports" cfg.exports;
rpcUser = "statd";
in
{
@ -140,36 +142,40 @@ in
environment.etc.exports.source = exports;
systemd.services.nfs-server =
{ enable = true;
wantedBy = [ "multi-user.target" ];
systemd.services.nfs-server = {
enable = true;
wantedBy = [ "multi-user.target" ];
};
preStart =
''
mkdir -p /var/lib/nfs/v4recovery
'';
systemd.services.nfs-mountd = {
enable = true;
restartTriggers = [ exports ];
preStart = optionalString cfg.createMountPoints ''
# create export directories:
# skip comments, take first col which may either be a quoted
# "foo bar" or just foo (-> man export)
sed '/^#.*/d;s/^"\([^"]*\)".*/\1/;t;s/[ ].*//' ${exports} \
| xargs -d '\n' mkdir -p
'';
};
# rpc-statd will drop privileges by changing user from root to the owner of
# /var/lib/nfs
systemd.tmpfiles.rules = [
"d /var/lib/nfs 0700 ${rpcUser} ${rpcUser} - -"
] ++ map (e:
"d /var/lib/nfs/${e} 0755 root root - -"
) [ "recovery" "v4recovery" "sm" "sm.bak" ];
users = {
groups."${rpcUser}" = {};
users."${rpcUser}" = {
description = "NFS RPC user";
group = rpcUser;
isSystemUser = true;
};
systemd.services.nfs-mountd =
{ enable = true;
restartTriggers = [ exports ];
preStart =
''
mkdir -p /var/lib/nfs
${optionalString cfg.createMountPoints
''
# create export directories:
# skip comments, take first col which may either be a quoted
# "foo bar" or just foo (-> man export)
sed '/^#.*/d;s/^"\([^"]*\)".*/\1/;t;s/[ ].*//' ${exports} \
| xargs -d '\n' mkdir -p
''
}
'';
};
};
};
}

View File

@ -101,13 +101,6 @@ in
};
systemd.services.rpc-statd =
{ restartTriggers = [ nfsConfFile ];
preStart =
''
mkdir -p /var/lib/nfs/{sm,sm.bak}
'';
};
{ restartTriggers = [ nfsConfFile ]; };
};
}