nixos: update-locatedb - harden via systemd (#7220)

Also, use systemd timers.

Most of the work is by @thoughtpolice but I changed enough of it to warrant changing commit author.
Dan Peebles 2016-01-23 20:44:30 +00:00
parent 7ccda42007
commit e409d0fed3
2 changed files with 113 additions and 102 deletions


@ -107,12 +107,12 @@ the file system. This module declares two options that can be defined
by other modules (typically the users by other modules (typically the users
<filename>configuration.nix</filename>): <filename>configuration.nix</filename>):
<option>services.locate.enable</option> (whether the database should <option>services.locate.enable</option> (whether the database should
be updated) and <option>services.locate.period</option> (when the be updated) and <option>services.locate.interval</option> (when the
update should be done). It implements its functionality by defining update should be done). It implements its functionality by defining
two options declared by other modules: two options declared by other modules:
<option>systemd.services</option> (the set of all systemd services) <option>systemd.services</option> (the set of all systemd services)
and <option>services.cron.systemCronJobs</option> (the list of and <option>systemd.timers</option> (the list of commands to be
commands to be executed periodically by <command>cron</command>).</para> executed periodically by <command>systemd</command>).</para>
<example xml:id='locate-example'><title>NixOS Module for the “locate” Service</title> <example xml:id='locate-example'><title>NixOS Module for the “locate” Service</title>
<programlisting> <programlisting>
@ -120,13 +120,10 @@ commands to be executed periodically by <command>cron</command>).</para>
with lib; with lib;
let locatedb = "/var/cache/locatedb"; in let
cfg = config.services.locate;
{ in {
options = { options.services.locate = {
services.locate = {
enable = mkOption { enable = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@ -136,37 +133,46 @@ let locatedb = "/var/cache/locatedb"; in
''; '';
}; };
period = mkOption { interval = mkOption {
type = types.str; type = types.str;
default = "15 02 * * *"; default = "02:15";
example = "hourly";
description = '' description = ''
This option defines (in the format used by cron) when the Update the locate database at this interval. Updates by
locate database is updated. The default is to update at default at 2:15 AM every day.
02:15 at night every day.
The format is described in
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>.
''; '';
}; };
}; # Other options omitted for documentation
}; };
config = { config = {
systemd.services.update-locatedb = systemd.services.update-locatedb =
{ description = "Update Locate Database"; { description = "Update Locate Database";
path = [ pkgs.su ]; path = [ pkgs.su ];
script = script =
'' ''
mkdir -m 0755 -p $(dirname ${locatedb}) mkdir -m 0755 -p $(dirname ${toString cfg.output})
exec updatedb --localuser=nobody --output=${locatedb} --prunepaths='/tmp /var/tmp /run' exec updatedb \
--localuser=${cfg.localuser} \
${optionalString (!cfg.includeStore) "--prunepaths='/nix/store'"} \
--output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags}
''; '';
}; };
services.cron.systemCronJobs = optional config.services.locate.enable systemd.timers.update-locatedb = mkIf cfg.enable
"${config.services.locate.period} root ${config.systemd.package}/bin/systemctl start update-locatedb.service"; { description = "Update timer for locate database";
partOf = [ "update-locatedb.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = cfg.interval;
}; };
}</programlisting> };
}
</programlisting>
</example> </example>
<xi:include href="option-declarations.xml" /> <xi:include href="option-declarations.xml" />


@ -1,17 +1,11 @@
{ config, lib, pkgs, ... }: { config, options, lib, pkgs, ... }:
with lib; with lib;
let let
cfg = config.services.locate; cfg = config.services.locate;
in { in {
options.services.locate = {
###### interface
options = {
services.locate = {
enable = mkOption { enable = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@ -21,16 +15,23 @@ in {
''; '';
}; };
period = mkOption { interval = mkOption {
type = types.str; type = types.str;
default = "15 02 * * *"; default = "02:15";
example = "hourly";
description = '' description = ''
This option defines (in the format used by cron) when the Update the locate database at this interval. Updates by
locate database is updated. default at 2:15 AM every day.
The default is to update at 02:15 at night every day.
The format is described in
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>.
''; '';
}; };
# This is no longer supported, but we keep it to give a better warning below
period = mkOption { visible = false; };
extraFlags = mkOption { extraFlags = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [ ];
@ -63,14 +64,11 @@ in {
Whether to include <filename>/nix/store</filename> in the locate database. Whether to include <filename>/nix/store</filename> in the locate database.
''; '';
}; };
}; };
};
###### implementation
config = { config = {
warnings = let opt = options.services.locate.period; in optional opt.isDefined "The `period` definition in ${showFiles opt.files} has been removed; please replace it with `interval`, using the new systemd.time interval specifier.";
systemd.services.update-locatedb = systemd.services.update-locatedb =
{ description = "Update Locate Database"; { description = "Update Locate Database";
path = [ pkgs.su ]; path = [ pkgs.su ];
@ -84,11 +82,18 @@ in {
''; '';
serviceConfig.Nice = 19; serviceConfig.Nice = 19;
serviceConfig.IOSchedulingClass = "idle"; serviceConfig.IOSchedulingClass = "idle";
serviceConfig.PrivateTmp = "yes";
serviceConfig.PrivateNetwork = "yes";
serviceConfig.NoNewPrivileges = "yes";
serviceConfig.ReadOnlyDirectories = "/";
serviceConfig.ReadWriteDirectories = cfg.output;
}; };
services.cron.systemCronJobs = optional config.services.locate.enable systemd.timers.update-locatedb = mkIf cfg.enable
"${config.services.locate.period} root ${config.systemd.package}/bin/systemctl start update-locatedb.service"; { description = "Update timer for locate database";
partOf = [ "update-locatedb.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = cfg.interval;
};
}; };
} }
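Review bot: `serviceConfig.ReadWriteDirectories = cfg.output;` makes only the database path itself writable under `ReadOnlyDirectories = "/"`, while the documentation example in this same commit treats `cfg.output` as a file (`--output=${toString cfg.output}`) and runs `mkdir -p` on its parent. If the real script does the same (it lies between the hunks and is not visible here), the parent directory cannot be created, any temporary file updatedb places beside the database would likely be refused, and a path that does not exist yet may stop the unit from starting at all. Granting the parent instead keeps the sandbox narrow and should let a first run succeed: `serviceConfig.ReadWriteDirectories = dirOf cfg.output;`. Because the only write exception is whatever the user sets as `output`, a short comment on that line saying so would help whoever reviews later changes to the sandbox settings.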