author | Peter Hoeg <peter@hoeg.com> | 2019-01-18 15:52:12 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-01-18 15:52:12 +0800 |
commit | 9f5b5fee9c4c13c1495ecbe042a651ad033aad6d (patch) | |
tree | 7683b04087a0604ab061a7571555aacc00b471b3 /nixos/modules | |
parent | eaa665e2435ab3dfc356d9799ba5938aabcd75d8 (diff) | |
parent | 1c30532b6d9536949379694fd99e5f01603bf425 (diff) | |
Merge pull request #48101 from peterhoeg/f/pykms_master
nixos pykms: run via DynamicUser
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/misc/ids.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/misc/pykms.nix | 67 |
2 files changed, 29 insertions, 42 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 49f30dc85a0..d6e6ccaecd2 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -306,7 +306,7 @@
 rslsync = 279;
 minio = 280;
 kanboard = 281;
- pykms = 282;
+ # pykms = 282; # DynamicUser = true
 kodi = 283;
 restya-board = 284;
 mighttpd2 = 285;
@@ -605,7 +605,7 @@
 rslsync = 279;
 minio = 280;
 kanboard = 281;
- pykms = 282;
+ # pykms = 282; # DynamicUser = true
 kodi = 283;
 restya-board = 284;
 mighttpd2 = 285;
diff --git a/nixos/modules/services/misc/pykms.nix b/nixos/modules/services/misc/pykms.nix
index a11296e1bd0..ef90d124a28 100644
--- a/nixos/modules/services/misc/pykms.nix
+++ b/nixos/modules/services/misc/pykms.nix
@@ -5,20 +5,8 @@ with lib;
 let
 cfg = config.services.pykms;
- home = "/var/lib/pykms";
-
- services = {
- serviceConfig = {
- Restart = "on-failure";
- RestartSec = "10s";
- StartLimitInterval = "1min";
- PrivateTmp = true;
- ProtectSystem = "full";
- ProtectHome = true;
- };
- };
-
 in {
+ meta.maintainers = with lib.maintainers; [ peterhoeg ];
 options = {
 services.pykms = rec {
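Review bot: The `RestartSec = "10s"` and `StartLimitInterval = "1min"` that disappear with the `services` helper in this hunk are not restored anywhere else in the diff — the replacement unit only sets `Restart = "on-failure"` — so a persistently failing start (for instance `ExecStartPre` unable to write `clients.db`) is now retried at systemd's 100 ms default until the default start limit trips, instead of being paced at 10 s. The sandboxing settings removed alongside them are not a regression, because systemd.exec(5) states that `DynamicUser=` implies ProtectSystem=strict, ProtectHome=read-only and PrivateTmp=, which is stricter than the `ProtectSystem = "full"` / `ProtectHome = true` / `PrivateTmp = true` being deleted. I would add `RestartSec = "10s";` back to the new serviceConfig and, since `StartLimitInterval=` under `[Service]` is the legacy spelling, carry the window as `unitConfig.StartLimitIntervalSec = "1min";`. The `let … in` binding edited here begins before the hunk and the module body continues past it.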
@@ -51,39 +39,38 @@ in {
 default = false;
 description = "Whether the listening port should be opened automatically.";
 };
+
+ memoryLimit = mkOption {
+ type = types.str;
+ default = "64M";
+ description = "How much memory to use at most.";
+ };
 };
 };
 config = mkIf cfg.enable {
 networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewallPort [ cfg.port ];
- systemd.services = {
- pykms = services // {
- description = "Python KMS";
- wantedBy = [ "multi-user.target" ];
- serviceConfig = with pkgs; {
- User = "pykms";
- Group = "pykms";
- ExecStartPre = "${getBin pykms}/bin/create_pykms_db.sh ${home}/clients.db";
- ExecStart = "${getBin pykms}/bin/server.py ${optionalString cfg.verbose "--verbose"} ${cfg.listenAddress} ${toString cfg.port}";
- WorkingDirectory = home;
- MemoryLimit = "64M";
- };
- };
- };
-
- users = {
- users.pykms = {
- name = "pykms";
- group = "pykms";
- home = home;
- createHome = true;
- uid = config.ids.uids.pykms;
- description = "PyKMS daemon user";
- };
-
- groups.pykms = {
- gid = config.ids.gids.pykms;
+ systemd.services.pykms = let
+ home = "/var/lib/pykms";
+ in {
+ description = "Python KMS";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ # python programs with DynamicUser = true require HOME to be set
+ environment.HOME = home;
+ serviceConfig = with pkgs; {
+ DynamicUser = true;
+ StateDirectory = baseNameOf home;
+ ExecStartPre = "${getBin pykms}/bin/create_pykms_db.sh ${home}/clients.db";
+ ExecStart = lib.concatStringsSep " " ([ "${getBin pykms}/bin/server.py" cfg.listenAddress (toString cfg.port) ] ++ lib.optional cfg.verbose "--verbose");
+ WorkingDirectory = home;
+ Restart = "on-failure";
+ MemoryLimit = cfg.memoryLimit;
 };
 };
 };
|
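Review bot: `MemoryLimit = cfg.memoryLimit;` wires the new option to the legacy cgroup‑v1 directive, which systemd.resource-control(5) documents as deprecated in favour of `MemoryMax=`; as the option is introduced by this very commit there is no compatibility reason to start on the old name, so I would emit `MemoryMax = cfg.memoryLimit;` and keep `memoryLimit` as the stable NixOS option name. Separately, whatever already lives in `/var/lib/pykms` (at least the `clients.db` that `ExecStartPre` creates) was previously owned by the static `pykms` user whose uid is retired in ids.nix, and the unit now relies on `StateDirectory` plus `DynamicUser`; I believe systemd re-chowns a StateDirectory when the service's uid changes, but that should be confirmed on an upgraded host, because if it does not, `ExecStartPre` fails and `Restart = "on-failure"` keeps retrying it. A comment above `DynamicUser = true;` such as `# DynamicUser implies ProtectSystem=strict, ProtectHome=read-only and PrivateTmp (systemd.exec(5)), so the former explicit hardening is not needed` would record why those settings were dropped and keep someone from reinstating them. The `options` block that `memoryLimit` is added to starts before this hunk.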