nixos: update-locatedb - harden via systemd (#7220)

Also, use systemd timers.

Most of the work is by @thoughtpolice but I changed enough of it to warrant changing commit author.
Dan Peebles 2016-01-23 20:44:30 +00:00
parent 7ccda42007
commit e409d0fed3
2 changed files with 113 additions and 102 deletions


@ -107,12 +107,12 @@ the file system. This module declares two options that can be defined
by other modules (typically the users by other modules (typically the users
<filename>configuration.nix</filename>): <filename>configuration.nix</filename>):
<option>services.locate.enable</option> (whether the database should <option>services.locate.enable</option> (whether the database should
be updated) and <option>services.locate.period</option> (when the be updated) and <option>services.locate.interval</option> (when the
update should be done). It implements its functionality by defining update should be done). It implements its functionality by defining
two options declared by other modules: two options declared by other modules:
<option>systemd.services</option> (the set of all systemd services) <option>systemd.services</option> (the set of all systemd services)
and <option>services.cron.systemCronJobs</option> (the list of and <option>systemd.timers</option> (the list of commands to be
commands to be executed periodically by <command>cron</command>).</para> executed periodically by <command>systemd</command>).</para>
<example xml:id='locate-example'><title>NixOS Module for the “locate” Service</title> <example xml:id='locate-example'><title>NixOS Module for the “locate” Service</title>
<programlisting> <programlisting>
@ -120,53 +120,59 @@ commands to be executed periodically by <command>cron</command>).</para>
with lib; with lib;
let locatedb = "/var/cache/locatedb"; in let
cfg = config.services.locate;
{ in {
options = { options.services.locate = {
enable = mkOption {
services.locate = { type = types.bool;
default = false;
enable = mkOption { description = ''
type = types.bool; If enabled, NixOS will periodically update the database of
default = false; files used by the <command>locate</command> command.
description = '' '';
If enabled, NixOS will periodically update the database of
files used by the <command>locate</command> command.
'';
};
period = mkOption {
type = types.str;
default = "15 02 * * *";
description = ''
This option defines (in the format used by cron) when the
locate database is updated. The default is to update at
02:15 at night every day.
'';
};
}; };
interval = mkOption {
type = types.str;
default = "02:15";
example = "hourly";
description = ''
Update the locate database at this interval. Updates by
default at 2:15 AM every day.
The format is described in
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>.
'';
};
# Other options omitted for documentation
}; };
config = { config = {
systemd.services.update-locatedb = systemd.services.update-locatedb =
{ description = "Update Locate Database"; { description = "Update Locate Database";
path = [ pkgs.su ]; path = [ pkgs.su ];
script = script =
'' ''
mkdir -m 0755 -p $(dirname ${locatedb}) mkdir -m 0755 -p $(dirname ${toString cfg.output})
exec updatedb --localuser=nobody --output=${locatedb} --prunepaths='/tmp /var/tmp /run' exec updatedb \
--localuser=${cfg.localuser} \
${optionalString (!cfg.includeStore) "--prunepaths='/nix/store'"} \
--output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags}
''; '';
}; };
services.cron.systemCronJobs = optional config.services.locate.enable systemd.timers.update-locatedb = mkIf cfg.enable
"${config.services.locate.period} root ${config.systemd.package}/bin/systemctl start update-locatedb.service"; { description = "Update timer for locate database";
partOf = [ "update-locatedb.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = cfg.interval;
};
}; };
}</programlisting> }
</programlisting>
</example> </example>
<xi:include href="option-declarations.xml" /> <xi:include href="option-declarations.xml" />


@ -1,76 +1,74 @@
{ config, lib, pkgs, ... }: { config, options, lib, pkgs, ... }:
with lib; with lib;
let let
cfg = config.services.locate; cfg = config.services.locate;
in { in {
options.services.locate = {
###### interface enable = mkOption {
type = types.bool;
options = { default = false;
description = ''
services.locate = { If enabled, NixOS will periodically update the database of
files used by the <command>locate</command> command.
enable = mkOption { '';
type = types.bool;
default = false;
description = ''
If enabled, NixOS will periodically update the database of
files used by the <command>locate</command> command.
'';
};
period = mkOption {
type = types.str;
default = "15 02 * * *";
description = ''
This option defines (in the format used by cron) when the
locate database is updated.
The default is to update at 02:15 at night every day.
'';
};
extraFlags = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
Extra flags to pass to <command>updatedb</command>.
'';
};
output = mkOption {
type = types.path;
default = "/var/cache/locatedb";
description = ''
The database file to build.
'';
};
localuser = mkOption {
type = types.str;
default = "nobody";
description = ''
The user to search non-network directories as, using
<command>su</command>.
'';
};
includeStore = mkOption {
type = types.bool;
default = false;
description = ''
Whether to include <filename>/nix/store</filename> in the locate database.
'';
};
}; };
interval = mkOption {
type = types.str;
default = "02:15";
example = "hourly";
description = ''
Update the locate database at this interval. Updates by
default at 2:15 AM every day.
The format is described in
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>.
'';
};
# This is no longer supported, but we keep it to give a better warning below
period = mkOption { visible = false; };
extraFlags = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
Extra flags to pass to <command>updatedb</command>.
'';
};
output = mkOption {
type = types.path;
default = "/var/cache/locatedb";
description = ''
The database file to build.
'';
};
localuser = mkOption {
type = types.str;
default = "nobody";
description = ''
The user to search non-network directories as, using
<command>su</command>.
'';
};
includeStore = mkOption {
type = types.bool;
default = false;
description = ''
Whether to include <filename>/nix/store</filename> in the locate database.
'';
};
}; };
###### implementation
config = { config = {
warnings = let opt = options.services.locate.period; in optional opt.isDefined "The `period` definition in ${showFiles opt.files} has been removed; please replace it with `interval`, using the new systemd.time interval specifier.";
systemd.services.update-locatedb = systemd.services.update-locatedb =
{ description = "Update Locate Database"; { description = "Update Locate Database";
path = [ pkgs.su ]; path = [ pkgs.su ];
@ -84,11 +82,18 @@ in {
''; '';
serviceConfig.Nice = 19; serviceConfig.Nice = 19;
serviceConfig.IOSchedulingClass = "idle"; serviceConfig.IOSchedulingClass = "idle";
serviceConfig.PrivateTmp = "yes";
serviceConfig.PrivateNetwork = "yes";
serviceConfig.NoNewPrivileges = "yes";
serviceConfig.ReadOnlyDirectories = "/";
serviceConfig.ReadWriteDirectories = cfg.output;
}; };
services.cron.systemCronJobs = optional config.services.locate.enable systemd.timers.update-locatedb = mkIf cfg.enable
"${config.services.locate.period} root ${config.systemd.package}/bin/systemctl start update-locatedb.service"; { description = "Update timer for locate database";
partOf = [ "update-locatedb.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = cfg.interval;
};
}; };
} }
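Review bot: In the last hunk, `serviceConfig.ReadWriteDirectories = cfg.output;` points at the database file itself, while `ReadOnlyDirectories = "/"` makes everything else read-only, including the directory that holds it. The script in the manual example runs `mkdir -m 0755 -p $(dirname ...)` on the output path, and updatedb presumably writes a temporary file next to the database before renaming it (verify against the packaged updatedb). If so, a first run with no existing database, or the final rename, would fail inside this sandbox. Consider `serviceConfig.ReadWriteDirectories = dirOf cfg.output;`, noting that with the default output this makes all of `/var/cache` writable, so a dedicated directory for the database would keep the sandbox tighter. The service definition begins outside this hunk, so the script actually used by the module is not visible here.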