authorLuflosi <luflosi@luflosi.de>2022-03-17 16:40:54 +0100
committerLuflosi <luflosi@luflosi.de>2022-03-22 11:12:14 +0100
commit41d45d674a3460b4984c6e3917f7cf231d0ec386 (patch)
treed7d591a02b4a46d54a2e089633e328a18d32255b
parent5dbd4b2b27e24eaed6a79603875493b15b999d4b (diff)
nixos/ipfs: add systemd hardening
Use the hardened systemd unit from upstream.
-rw-r--r--nixos/modules/services/network-filesystems/ipfs.nix7
-rw-r--r--nixos/tests/ipfs.nix5
-rw-r--r--pkgs/applications/networking/ipfs/default.nix24
3 files changed, 27 insertions, 9 deletions
diff --git a/nixos/modules/services/network-filesystems/ipfs.nix b/nixos/modules/services/network-filesystems/ipfs.nix
index 17da020bf3e..655785b99d8 100644
--- a/nixos/modules/services/network-filesystems/ipfs.nix
+++ b/nixos/modules/services/network-filesystems/ipfs.nix
@@ -239,7 +239,10 @@ in
       "d '${cfg.ipnsMountDir}' - ${cfg.user} ${cfg.group} - -"
     ];
 
-    systemd.packages = [ cfg.package ];
+    # The hardened systemd unit breaks the fuse-mount function according to documentation in the unit file itself
+    systemd.packages = if cfg.autoMount
+      then [ cfg.package.systemd_unit ]
+      else [ cfg.package.systemd_unit_hardened ];
 
     systemd.services.ipfs = {
       path = [ "/run/wrappers" cfg.package ];
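Review bot: Enabling `autoMount` now silently drops every hardening directive, and the only place that trade-off is stated is the code comment above `systemd.packages`; a user reading the `autoMount` option description (outside this hunk) will not learn that turning it on also removes the upstream sandboxing. I would surface it where users see it, e.g. append to that option's description `Enabling this disables the upstream hardened systemd unit, because its sandboxing breaks FUSE mounting.`, or emit a `warnings` entry when `cfg.autoMount` is set. The selector also assumes `cfg.package` exposes the `systemd_unit` and `systemd_unit_hardened` outputs added by this commit, so a user-overridden `package` without them fails at evaluation with an attribute error; an `assertions` entry naming the requirement, or a fallback such as `cfg.package.systemd_unit_hardened or cfg.package`, would make that failure explicit. The enclosing `config` attrset starts above this hunk.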
@@ -275,6 +278,8 @@ in
         ExecStart = [ "" "${cfg.package}/bin/ipfs daemon ${ipfsFlags}" ];
         User = cfg.user;
         Group = cfg.group;
+        StateDirectory = "";
+        ReadWritePaths = [ "" cfg.dataDir ];
       } // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; };
     } // optionalAttrs (!cfg.startWhenNeeded) {
       wantedBy = [ "default.target" ];
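Review bot: The two new overrides `StateDirectory = ""` and `ReadWritePaths = [ "" cfg.dataDir ]` carry no explanation, and they only make sense in light of what the upstream hardened unit sets, which a reader of this module cannot see. The test added in this commit checks that `/var/lib/ipfs` is not created when `dataDir` is changed, so I would record that intent next to them: `# The upstream hardened unit presumably sets StateDirectory=ipfs, which would create /var/lib/ipfs even when dataDir points elsewhere; clear it and grant write access to dataDir instead.` Note that both overrides are applied regardless of which unit was selected by the `autoMount` switch earlier in this attrset (outside the hunk), so with `autoMount` the FUSE mount directories are not in `ReadWritePaths`; that is harmless only if the plain upstream unit sets no `ProtectSystem`, which is worth confirming. The `systemd.services.ipfs` definition begins above this hunk.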
diff --git a/nixos/tests/ipfs.nix b/nixos/tests/ipfs.nix
index f8683b0a858..5e7c967028e 100644
--- a/nixos/tests/ipfs.nix
+++ b/nixos/tests/ipfs.nix
@@ -10,6 +10,7 @@ import ./make-test-python.nix ({ pkgs, ...} : {
       # Also will add a unix domain socket socket API address, see module.
       startWhenNeeded = true;
       apiAddress = "/ip4/127.0.0.1/tcp/2324";
+      dataDir = "/mnt/ipfs";
     };
   };
 
@@ -35,5 +36,9 @@ import ./make-test-python.nix ({ pkgs, ...} : {
     machine.succeed(
         f"ipfs --api /unix/run/ipfs.sock cat /ipfs/{ipfs_hash.strip()} | grep fnord2"
     )
+
+    # Test if setting dataDir works properly with the hardened systemd unit
+    machine.succeed("test -e /mnt/ipfs/config")
+    machine.succeed("test ! -e /var/lib/ipfs/")
   '';
 })
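Review bot: The new assertions prove that `dataDir` is honoured, but nothing in the test verifies that the hardened unit is actually the one loaded, so a regression that silently fell back to the plain unit (for example through the `autoMount` switch in the module) would still pass. One line that pins the hardened unit, assuming upstream's `ipfs-hardened.service` sets `ProtectSystem=strict` (substitute whichever directive it does set), would be `machine.succeed("systemctl show -p ProtectSystem ipfs | grep -q strict")`. A comment on `test ! -e /var/lib/ipfs/` stating that it guards against the upstream `StateDirectory` recreating the default directory would also make the intent of that check clear to the next person who sees it fail.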
diff --git a/pkgs/applications/networking/ipfs/default.nix b/pkgs/applications/networking/ipfs/default.nix
index 2cceddf0bd7..f6285ae59be 100644
--- a/pkgs/applications/networking/ipfs/default.nix
+++ b/pkgs/applications/networking/ipfs/default.nix
@@ -29,15 +29,23 @@ buildGoModule rec {
 
   vendorSha256 = null;
 
+  outputs = [ "out" "systemd_unit" "systemd_unit_hardened" ];
+
+  postPatch = ''
+    substituteInPlace 'misc/systemd/ipfs.service' \
+      --replace '/usr/bin/ipfs' "$out/bin/ipfs"
+    substituteInPlace 'misc/systemd/ipfs-hardened.service' \
+      --replace '/usr/bin/ipfs' "$out/bin/ipfs"
+  '';
+
   postInstall = ''
-    install --mode=444 -D misc/systemd/ipfs.service $out/etc/systemd/system/ipfs.service
-    install --mode=444 -D misc/systemd/ipfs-hardened.service $out/etc/systemd/system/ipfs-hardened.service
-    install --mode=444 -D misc/systemd/ipfs-api.socket $out/etc/systemd/system/ipfs-api.socket
-    install --mode=444 -D misc/systemd/ipfs-gateway.socket $out/etc/systemd/system/ipfs-gateway.socket
-    substituteInPlace $out/etc/systemd/system/ipfs.service \
-      --replace /usr/bin/ipfs $out/bin/ipfs
-    substituteInPlace $out/etc/systemd/system/ipfs-hardened.service \
-      --replace /usr/bin/ipfs $out/bin/ipfs
+    install --mode=444 -D 'misc/systemd/ipfs-api.socket' "$systemd_unit/etc/systemd/system/ipfs-api.socket"
+    install --mode=444 -D 'misc/systemd/ipfs-gateway.socket' "$systemd_unit/etc/systemd/system/ipfs-gateway.socket"
+    install --mode=444 -D 'misc/systemd/ipfs.service' "$systemd_unit/etc/systemd/system/ipfs.service"
+
+    install --mode=444 -D 'misc/systemd/ipfs-api.socket' "$systemd_unit_hardened/etc/systemd/system/ipfs-api.socket"
+    install --mode=444 -D 'misc/systemd/ipfs-gateway.socket' "$systemd_unit_hardened/etc/systemd/system/ipfs-gateway.socket"
+    install --mode=444 -D 'misc/systemd/ipfs-hardened.service' "$systemd_unit_hardened/etc/systemd/system/ipfs.service"
   '';
 
   meta = with lib; {
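Review bot: `substituteInPlace --replace` in the new `postPatch` succeeds even when `/usr/bin/ipfs` does not occur in the file, so if upstream ever changes the `ExecStart` path the units in both outputs would silently keep pointing at a binary that does not exist in the store. A cheap guard after the two substitutions turns that into a build failure: `grep -q "$out/bin/ipfs" misc/systemd/ipfs.service` and `grep -q "$out/bin/ipfs" misc/systemd/ipfs-hardened.service`. On style, the two `.socket` files are installed verbatim into both outputs; a `for o in "$systemd_unit" "$systemd_unit_hardened"; do … done` loop around the socket installs would keep the two outputs from drifting apart. Dropping the units from `$out/etc/systemd/system` is also a visible interface change for anything that referenced them via `${ipfs}/etc`, which the commit message could mention.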