nixos/smokeping: do homedir management with systemd.tmpfiles (#332050)

- ensures that everything in /var/lib/smokeping belongs to the service
- add nginx user to smokeping group, instead of allowing world to cd
  into smokeping homedir
This commit is contained in:
Herwig Hochleitner 2024-08-27 14:37:34 +02:00 committed by GitHub
parent 2fab9d6d9a
commit 98ce61be57
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -313,11 +313,16 @@ in
group = cfg.user;
description = "smokeping daemon user";
home = smokepingHome;
createHome = true;
# When `cfg.webService` is enabled, `nginx` requires read permissions on the home directory.
homeMode = "711";
};
users.users.${config.services.nginx.user} = mkIf cfg.webService {
extraGroups = [
cfg.user ## user == group in this module
];
};
users.groups.${cfg.user} = { };
systemd.services.smokeping = {
reloadTriggers = [ configPath ];
requiredBy = [ "multi-user.target" ];
@ -327,15 +332,23 @@ in
ExecStart = "${cfg.package}/bin/smokeping --config=/etc/smokeping.conf --nodaemon";
};
preStart = ''
mkdir -m 0755 -p ${smokepingHome}/cache ${smokepingHome}/data
ln -snf ${cfg.package}/htdocs/css ${smokepingHome}/css
ln -snf ${cfg.package}/htdocs/js ${smokepingHome}/js
ln -snf ${cgiHome} ${smokepingHome}/smokeping.fcgi
${cfg.package}/bin/smokeping --check --config=${configPath}
${cfg.package}/bin/smokeping --static --config=${configPath}
'';
};
systemd.tmpfiles.rules = [
# create cache and data directories
"d ${smokepingHome}/cache 0750 ${cfg.user} ${cfg.user}"
"d ${smokepingHome}/data 0750 ${cfg.user} ${cfg.user}"
# create symlings
"L+ ${smokepingHome}/css - - - - ${cfg.package}/htdocs/css"
"L+ ${smokepingHome}/js - - - - ${cfg.package}/htdocs/js"
"L+ ${smokepingHome}/smokeping.fcgi - - - - ${cgiHome}"
# recursively adjust access mode and ownership (in case config change)
"Z ${smokepingHome} 0750 ${cfg.user} ${cfg.user}"
];
# use nginx to serve the smokeping web service
services.fcgiwrap.instances.smokeping = mkIf cfg.webService {
process.user = cfg.user;
@ -367,4 +380,3 @@ in
nh2
];
}
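Review bot: `homeMode = "711";` and the comment above it stay in the user definition even though the new `"Z ${smokepingHome} 0750 ${cfg.user} ${cfg.user}"` rule re-applies 0750 to the home directory itself (and everything under it) on every tmpfiles run, so the declared 711 is overwritten and the comment's rationale (nginx needs to read the home dir) is now met by the `extraGroups` membership added right below; either drop `homeMode` and its comment or change it to `homeMode = "750";` so the two declarations agree. If the `preStart` lines `mkdir -m 0755 -p …` and the three `ln -snf …` survive this change (the rendered view does not mark which side they are on), they duplicate the `d` and `L+` rules with a different mode, and a one-line comment stating they are a deliberate fallback would stop the next reader from treating 0755 as the intended mode. The tmpfiles comment `# create symlings` should read `# create symlinks`. The enclosing `config` attribute set starts before the first hunk; the last hunk ends the file.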