From 46f06ccde7deb76bc1b8a04671ecdf486480c74e Mon Sep 17 00:00:00 2001
From: Russell O'Connor
Date: Wed, 24 Jun 2015 14:42:43 +0000
Subject: [PATCH] uwsgi-service: Add user/group for uwsgi service.

Also add a uwsgi directory under /run (defaulting to /run/uwsgi) where the uwsgi user can place sockets.
---
 nixos/modules/misc/ids.nix                   |  2 +
 nixos/modules/services/web-servers/uwsgi.nix | 42 ++++++++++++++++----
 2 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 0b0be87347dc..e6357d138cae 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -222,6 +222,7 @@
     ripple-rest = 198;
     nix-serve = 199;
     tvheadend = 200;
+    uwsgi = 201;
     # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@@ -422,6 +423,7 @@
     #ripple-rest = 198; #unused
     #nix-serve = 199; #unused
     #tvheadend = 200; #unused
+    uwsgi = 201;
     # When adding a gid, make sure it doesn't match an existing
     # uid. Users and groups with the same name should have equal
diff --git a/nixos/modules/services/web-servers/uwsgi.nix b/nixos/modules/services/web-servers/uwsgi.nix
index 6e454a2dacd7..3e18a6f0e986 100644
--- a/nixos/modules/services/web-servers/uwsgi.nix
+++ b/nixos/modules/services/web-servers/uwsgi.nix
@@ -47,13 +47,19 @@ in {
   options = {
     services.uwsgi = {
-
+
       enable = mkOption {
         type = types.bool;
         default = false;
         description = "Enable uWSGI";
       };
+      runDir = mkOption {
+        type = types.string;
+        default = "/run/uwsgi";
+        description = "Where uWSGI communication sockets can live";
+      };
+
       instance = mkOption {
         type = types.attrs;
         default = {
@@ -66,7 +72,7 @@ in {
           moin = {
             type = "normal";
             python2Packages = self: with self; [ moinmoin ];
-            socket = "/run/uwsgi.sock";
+            socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
           };
         };
       }
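Review bot: `runDir` is declared with `type = types.string;` while the `user` and `group` options added later in the same patch use `types.str`; `types.string` merges multiple definitions by concatenating them, so two modules that each set `services.uwsgi.runDir` would silently yield a joined path instead of a conflict error. Use `type = types.str;` (or `types.path`, since the value is a directory) so the option gets the same single-definition check as its siblings. The description could also state that the service creates and chowns this directory at start, which is what the rest of the patch relies on. The enclosing `options` attrset continues past the end of the hunk.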
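Review bot: The new default refers to `config.services.uwsgi.runDir` while the config section of the same module reaches the option through the `cfg` alias (`cfg.runDir`, `cfg.user`); assuming `cfg` is the usual `config.services.uwsgi` let-binding, `socket = "${cfg.runDir}/uwsgi.sock";` keeps the reference consistent with the rest of the file. Note this only fixes the example `instance` default; an operator-supplied instance still has to place its socket under `runDir` to get the ownership set up by the service. The enclosing `instance` option starts before the hunk and its closing lines are outside it.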
@@ -89,24 +95,46 @@ in {
         description = "Plugins used with uWSGI";
       };
-    };
+      user = mkOption {
+        type = types.str;
+        default = "uwsgi";
+        description = "User account under which uwsgi runs.";
+      };
+      group = mkOption {
+        type = types.str;
+        default = "uwsgi";
+        description = "Group account under which uwsgi runs.";
+      };
+    };
   };
   config = mkIf cfg.enable {
-
     systemd.services.uwsgi = {
       wantedBy = [ "multi-user.target" ];
-
+      preStart = ''
+        mkdir -p ${cfg.runDir}
+        chown ${cfg.user}:${cfg.group} ${cfg.runDir}
+      '';
       serviceConfig = {
         Type = "notify";
-        ExecStart = "${uwsgi}/bin/uwsgi --json ${pkgs.writeText "uwsgi.json" (buildCfg cfg.instance)}";
+        ExecStart = "${uwsgi}/bin/uwsgi --uid ${cfg.user} --gid ${cfg.group} --json ${pkgs.writeText "uwsgi.json" (buildCfg cfg.instance)}";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
         ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID";
         NotifyAccess = "main";
         KillSignal = "SIGQUIT";
       };
-  };
+
+    users.extraUsers = optionalAttrs (cfg.user == "uwsgi") (singleton
+      { name = "uwsgi";
+        group = cfg.group;
+        uid = config.ids.uids.uwsgi;
+      });
+
+    users.extraGroups = optionalAttrs (cfg.group == "uwsgi") (singleton
+      { name = "uwsgi";
+        gid = config.ids.gids.uwsgi;
+      });
   };
 }
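Review bot: The new `preStart` runs `mkdir -p` and `chown` as root on the operator-chosen `cfg.runDir` without setting a mode, so the socket directory's permissions are whatever the root umask leaves, and `chown` on an already-existing path follows a symlink and would re-own its target rather than the directory itself. Creating the directory with an explicit owner and mode in one step is more predictable, e.g. `install -d -m 0755 -o ${cfg.user} -g ${cfg.group} ${cfg.runDir}`, with the mode chosen to match whatever front-end needs to reach the sockets. Separately, `users.extraUsers` and `users.extraGroups` wrap a `singleton` list in `optionalAttrs`; `lib.optional (cfg.user == "uwsgi") { ... }` expresses the same conditional list directly. The `options` attrset this hunk edits begins before the hunk.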