authorPeter Hoeg <peter@hoeg.com>2018-03-26 15:16:22 +0800
committerPeter Hoeg <peter@hoeg.com>2018-10-16 10:38:45 +0800
commit1c30532b6d9536949379694fd99e5f01603bf425 (patch)
treee783a050dbe69e1098b8be64b39b2af4f6dff309
parent2f94acd9aeea0d0a128967fc0c2dc088983beb41 (diff)
nixos pykms: run via DynamicUser
-rw-r--r--nixos/modules/misc/ids.nix4
-rw-r--r--nixos/modules/services/misc/pykms.nix67
2 files changed, 29 insertions, 42 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 0b4ed6d3b62..321e248d21c 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -306,7 +306,7 @@
       rslsync = 279;
       minio = 280;
       kanboard = 281;
-      pykms = 282;
+      # pykms = 282; # DynamicUser = true
       kodi = 283;
       restya-board = 284;
       mighttpd2 = 285;
@@ -597,7 +597,7 @@
       rslsync = 279;
       minio = 280;
       kanboard = 281;
-      pykms = 282;
+      # pykms = 282; # DynamicUser = true
       kodi = 283;
       restya-board = 284;
       mighttpd2 = 285;
diff --git a/nixos/modules/services/misc/pykms.nix b/nixos/modules/services/misc/pykms.nix
index a11296e1bd0..ef90d124a28 100644
--- a/nixos/modules/services/misc/pykms.nix
+++ b/nixos/modules/services/misc/pykms.nix
@@ -5,20 +5,8 @@ with lib;
 let
   cfg = config.services.pykms;
 
-  home = "/var/lib/pykms";
-
-  services = {
-    serviceConfig = {
-      Restart = "on-failure";
-      RestartSec = "10s";
-      StartLimitInterval = "1min";
-      PrivateTmp = true;
-      ProtectSystem = "full";
-      ProtectHome = true;
-    };
-  };
-
 in {
+  meta.maintainers = with lib.maintainers; [ peterhoeg ];
 
   options = {
     services.pykms = rec {
@@ -51,39 +39,38 @@ in {
         default = false;
         description = "Whether the listening port should be opened automatically.";
       };
+
+      memoryLimit = mkOption {
+        type = types.str;
+        default = "64M";
+        description = "How much memory to use at most.";
+      };
     };
   };
 
   config = mkIf cfg.enable {
     networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewallPort [ cfg.port ];
 
-    systemd.services = {
-      pykms = services // {
-        description = "Python KMS";
-        wantedBy = [ "multi-user.target" ];
-        serviceConfig = with pkgs; {
-          User = "pykms";
-          Group = "pykms";
-          ExecStartPre = "${getBin pykms}/bin/create_pykms_db.sh ${home}/clients.db";
-          ExecStart = "${getBin pykms}/bin/server.py ${optionalString cfg.verbose "--verbose"} ${cfg.listenAddress} ${toString cfg.port}";
-          WorkingDirectory = home;
-          MemoryLimit = "64M";
-        };
-      };
-    };
-
-    users = {
-      users.pykms = {
-        name = "pykms";
-        group = "pykms";
-        home  = home;
-        createHome = true;
-        uid = config.ids.uids.pykms;
-        description = "PyKMS daemon user";
-      };
-
-      groups.pykms = {
-        gid = config.ids.gids.pykms;
+    systemd.services.pykms = let
+      home = "/var/lib/pykms";
+    in {
+      description = "Python KMS";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      # python programs with DynamicUser = true require HOME to be set
+      environment.HOME = home;
+      serviceConfig = with pkgs; {
+        DynamicUser = true;
+        StateDirectory = baseNameOf home;
+        ExecStartPre = "${getBin pykms}/bin/create_pykms_db.sh ${home}/clients.db";
+        ExecStart = lib.concatStringsSep " " ([
+          "${getBin pykms}/bin/server.py"
+          cfg.listenAddress
+          (toString cfg.port)
+        ] ++ lib.optional cfg.verbose "--verbose");
+        WorkingDirectory = home;
+        Restart = "on-failure";
+        MemoryLimit = cfg.memoryLimit;
       };
     };
   };
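Review bot: The rewritten serviceConfig keeps `Restart = "on-failure";` but drops the `RestartSec = "10s";` and `StartLimitInterval = "1min";` that the removed `services` block carried, so a pykms that fails at startup (for example when `create_pykms_db.sh` cannot write `clients.db` under the StateDirectory) is now restarted at systemd's default 100ms interval and will trip the default start-rate limit almost immediately instead of backing off; adding `RestartSec = "10s";` next to `Restart` restores the previous behaviour. The other removed lines (PrivateTmp, ProtectSystem, ProtectHome) are implied by `DynamicUser = true`, which also enables RemoveIPC, so there is no hardening regression there, though a one-line comment such as `# DynamicUser implies ProtectSystem=strict, ProtectHome=read-only, PrivateTmp and RemoveIPC` would save the next reader the systemd.exec lookup. `cfg.listenAddress` and `toString cfg.port` are spliced into ExecStart unquoted; wrapping each in `lib.escapeShellArg` would keep a value containing spaces from being split by systemd's command-line parser. The `--verbose` flag has also moved from before the positional address/port to after them; whether server.py accepts it in trailing position depends on its argument parser, which is not visible here.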