author | Dan Peebles <pumpkin@me.com> | 2016-01-23 19:28:01 +0000 |
---|---|---|
committer | Dan Peebles <pumpkin@me.com> | 2016-01-23 19:28:01 +0000 |
commit | 7ccda42007b892d82b0a89d511d93acec771a83e (patch) | |
tree | 7280d3c9c6722204a17ca95fe95859f8c8929c98 /nixos/modules/services/system/uptimed.nix | |
parent | d787c2258b1836b30a5b1241a7ebd8daaa7dc665 (diff) | |
nixos: uptimed - rewrite and harden a bit (#7220)
This is mostly @thoughtpolice's work, but I cleaned it up a bit.
Diffstat (limited to 'nixos/modules/services/system/uptimed.nix')
-rw-r--r-- | nixos/modules/services/system/uptimed.nix | 71 |
1 files changed, 30 insertions, 41 deletions
diff --git a/nixos/modules/services/system/uptimed.nix b/nixos/modules/services/system/uptimed.nix
index 5f8916bbf9a..b20d6096803 100644
--- a/nixos/modules/services/system/uptimed.nix
+++ b/nixos/modules/services/system/uptimed.nix
@@ -1,66 +1,55 @@ -{pkgs, config, lib, ...}: +{ config, lib, pkgs, ... }: -let - - inherit (lib) mkOption mkIf singleton; - - inherit (pkgs) uptimed; +with lib; +let + cfg = config.services.uptimed; stateDir = "/var/spool/uptimed"; - - uptimedUser = "uptimed"; - in - { - - ###### interface - options = { - services.uptimed = { - enable = mkOption { default = false; description = '' - Uptimed allows you to track your highest uptimes. + Enable <literal>uptimed</literal>, allowing you to track + your highest uptimes. ''; }; - }; - }; - - ###### implementation - - config = mkIf config.services.uptimed.enable { - - environment.systemPackages = [ uptimed ]; - - users.extraUsers = singleton - { name = uptimedUser; - uid = config.ids.uids.uptimed; - description = "Uptimed daemon user"; - home = stateDir; - }; + config = mkIf cfg.enable { + users.extraUsers.uptimed = { + description = "Uptimed daemon user"; + home = stateDir; + createHome = true; + uid = config.ids.uids.uptimed; + }; systemd.services.uptimed = { - description = "Uptimed daemon"; - wantedBy = [ "multi-user.target" ]; + unitConfig.Documentation = "man:uptimed(8) man:uprecords(1)"; + description = "uptimed service"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Restart = "on-failure"; + User = "uptimed"; + Nice = 19; + IOSchedulingClass = "idle"; + PrivateTmp = "yes"; + PrivateNetwork = "yes"; + NoNewPrivileges = "yes"; + ReadWriteDirectories = stateDir; + InaccessibleDirectories = "/home"; + ExecStart = "${pkgs.uptimed}/sbin/uptimed -f -p ${stateDir}/pid"; + }; preStart = '' - mkdir -m 0755 -p ${stateDir} - chown ${uptimedUser} ${stateDir} - if ! test -f ${stateDir}/bootid ; then - ${uptimed}/sbin/uptimed -b + ${pkgs.uptimed}/sbin/uptimed -b fi ''; - - script = "${uptimed}/sbin/uptimed"; }; - }; - } |
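Review bot: `ReadWriteDirectories = stateDir` in the new `serviceConfig` restricts nothing on its own, because systemd only uses that setting to re-open a path inside a tree that has been made read-only, and no `ReadOnlyDirectories` or `ProtectSystem` line is set here. As written, the daemon can still write wherever the `uptimed` user's file permissions allow. To get the confinement the line implies, add `ReadOnlyDirectories = "/";` next to it (worth testing together with `PrivateTmp`), or at least `ProtectSystem = "full";` to make `/etc`, `/usr` and `/boot` read-only. `InaccessibleDirectories = "/home"` could likewise become `ProtectHome = "yes";`, which also hides `/root` and `/run/user`. With `User = "uptimed"` set, the `preStart` script presumably also runs as that user, so the `uptimed -b` call depends on `createHome = true` having left `${stateDir}` writable for it; a short comment saying so would help the next reader.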