From e409d0fed3b5d50147b61b6d223d9aa272863485 Mon Sep 17 00:00:00 2001
From: Dan Peebles
Date: Sat, 23 Jan 2016 20:44:30 +0000
Subject: [PATCH] nixos: update-locatedb - harden via systemd (#7220)

Also, use systemd timers. Most of the work is by @thoughtpolice but I changed enough of it to warrant changing commit author.
---
 .../manual/development/writing-modules.xml | 78 +++++-----
 nixos/modules/misc/locate.nix | 137 +++++++++---------
 2 files changed, 113 insertions(+), 102 deletions(-)

diff --git a/nixos/doc/manual/development/writing-modules.xml b/nixos/doc/manual/development/writing-modules.xml
index a699e74e5f62..971e586f20bd 100644
--- a/nixos/doc/manual/development/writing-modules.xml
+++ b/nixos/doc/manual/development/writing-modules.xml
@@ -107,12 +107,12 @@ the file system. This module declares two options that can be defined by other modules (typically the user’s configuration.nix): (whether the database should -be updated) and (when the +be updated) and (when the update should be done). It implements its functionality by defining two options declared by other modules: (the set of all systemd services) -and (the list of -commands to be executed periodically by cron). +and (the list of commands to be +executed periodically by systemd). NixOS Module for the “locate” Service 
@@ -120,53 +120,59 @@ commands to be executed periodically by cron). with lib; -let locatedb = "/var/cache/locatedb"; in - -{ - options = { - - services.locate = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - If enabled, NixOS will periodically update the database of - files used by the locate command. - ''; - }; - - period = mkOption { - type = types.str; - default = "15 02 * * *"; - description = '' - This option defines (in the format used by cron) when the - locate database is updated. The default is to update at - 02:15 at night every day. - ''; - }; - +let + cfg = config.services.locate; +in { + options.services.locate = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + If enabled, NixOS will periodically update the database of + files used by the locate command. + ''; }; + interval = mkOption { + type = types.str; + default = "02:15"; + example = "hourly"; + description = '' + Update the locate database at this interval. Updates by + default at 2:15 AM every day. + + The format is described in + systemd.time + 7. 
+ ''; + }; + + # Other options omitted for documentation }; config = { - systemd.services.update-locatedb = { description = "Update Locate Database"; path = [ pkgs.su ]; script = '' - mkdir -m 0755 -p $(dirname ${locatedb}) - exec updatedb --localuser=nobody --output=${locatedb} --prunepaths='/tmp /var/tmp /run' + mkdir -m 0755 -p $(dirname ${toString cfg.output}) + exec updatedb \ + --localuser=${cfg.localuser} \ + ${optionalString (!cfg.includeStore) "--prunepaths='/nix/store'"} \ + --output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags} ''; }; - services.cron.systemCronJobs = optional config.services.locate.enable - "${config.services.locate.period} root ${config.systemd.package}/bin/systemctl start update-locatedb.service"; - + systemd.timers.update-locatedb = mkIf cfg.enable + { description = "Update timer for locate database"; + partOf = [ "update-locatedb.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = cfg.interval; + }; }; -} +} +
diff --git a/nixos/modules/misc/locate.nix b/nixos/modules/misc/locate.nix
index 4f9c8d4e5ba1..318b81ca07c2 100644
--- a/nixos/modules/misc/locate.nix
+++ b/nixos/modules/misc/locate.nix
@@ -1,76 +1,74 @@ -{ config, lib, pkgs, ... }: +{ config, options, lib, pkgs, ... }: with lib; let cfg = config.services.locate; in { - - ###### interface - - options = { - - services.locate = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - If enabled, NixOS will periodically update the database of - files used by the locate command. - ''; - }; - - period = mkOption { - type = types.str; - default = "15 02 * * *"; - description = '' - This option defines (in the format used by cron) when the - locate database is updated. - The default is to update at 02:15 at night every day. - ''; - }; - - extraFlags = mkOption { - type = types.listOf types.str; - default = [ ]; - description = '' - Extra flags to pass to updatedb. - ''; - }; - - output = mkOption { - type = types.path; - default = "/var/cache/locatedb"; - description = '' - The database file to build. - ''; - }; - - localuser = mkOption { - type = types.str; - default = "nobody"; - description = '' - The user to search non-network directories as, using - su. - ''; - }; - - includeStore = mkOption { - type = types.bool; - default = false; - description = '' - Whether to include /nix/store in the locate database. - ''; - }; - + options.services.locate = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + If enabled, NixOS will periodically update the database of + files used by the locate command. + ''; }; + interval = mkOption { + type = types.str; + default = "02:15"; + example = "hourly"; + description = '' + Update the locate database at this interval. Updates by + default at 2:15 AM every day. + + The format is described in + systemd.time + 7. + ''; + }; + + # This is no longer supported, but we keep it to give a better warning below + period = mkOption { visible = false; }; + + extraFlags = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + Extra flags to pass to updatedb. 
+ ''; + }; + + output = mkOption { + type = types.path; + default = "/var/cache/locatedb"; + description = '' + The database file to build. + ''; + }; + + localuser = mkOption { + type = types.str; + default = "nobody"; + description = '' + The user to search non-network directories as, using + su. + ''; + }; + + includeStore = mkOption { + type = types.bool; + default = false; + description = '' + Whether to include /nix/store in the locate database. + ''; + }; }; - ###### implementation - config = { + warnings = let opt = options.services.locate.period; in optional opt.isDefined "The `period` definition in ${showFiles opt.files} has been removed; please replace it with `interval`, using the new systemd.time interval specifier."; + systemd.services.update-locatedb = { description = "Update Locate Database"; path = [ pkgs.su ];
@@ -84,11 +82,18 @@ in { ''; serviceConfig.Nice = 19; serviceConfig.IOSchedulingClass = "idle"; + serviceConfig.PrivateTmp = "yes"; + serviceConfig.PrivateNetwork = "yes"; + serviceConfig.NoNewPrivileges = "yes"; + serviceConfig.ReadOnlyDirectories = "/"; + serviceConfig.ReadWriteDirectories = cfg.output; }; - services.cron.systemCronJobs = optional config.services.locate.enable - "${config.services.locate.period} root ${config.systemd.package}/bin/systemctl start update-locatedb.service"; - + systemd.timers.update-locatedb = mkIf cfg.enable + { description = "Update timer for locate database"; + partOf = [ "update-locatedb.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = cfg.interval; + }; }; - }
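Review bot: The new `warnings` definition in `config` of locate.nix is one line of well over 200 characters that packs a `let`, the `optional` call and the full message together, which makes the deprecation text hard to review and edit; splitting it over a few lines keeps the message bytes identical while fitting the module's 80-column style. The comment above the hidden `period` placeholder would also be more useful if it said why the option is left untyped, e.g. `# Removed option; kept hidden and untyped only so that opt.isDefined can drive the warning in config below`. The hunk ends inside `systemd.services.update-locatedb`, whose `script` and `serviceConfig` continue outside it.
```nix
  config = {
    warnings =
      let opt = options.services.locate.period;
      in optional opt.isDefined
        ("The `period` definition in ${showFiles opt.files} has been removed; "
         + "please replace it with `interval`, using the new systemd.time "
         + "interval specifier.");
    # … unchanged: systemd.services.update-locatedb …
```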
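Review bot: `serviceConfig.ReadWriteDirectories = cfg.output` bind-mounts the database file itself, not the directory the unit has to write into, and with the new `ReadOnlyDirectories = "/"` the parent of `cfg.output` stays read-only. That means the `mkdir -m 0755 -p $(dirname …)` in the unit's script (outside this hunk) cannot create a missing `/var/cache`, and any temporary file updatedb writes beside the output before renaming it — which I believe GNU updatedb does — fails with a read-only error; on systemd releases of this era a listed path that does not exist yet also fails the unit before ExecStart runs, because the mount namespace is set up first. `serviceConfig.ReadWriteDirectories = dirOf cfg.output;` keeps the read-only root while granting write access only to the cache directory. Two of the other new lines deserve a short comment: `PrivateNetwork = "yes"` means the `su` to `cfg.localuser` can only resolve users through local NSS sources, and `NoNewPrivileges = "yes"` should be harmless here only because the unit already runs as root and `su` merely drops privileges.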