authorIzorkin <izorkin@elven.pw>2019-02-25 17:08:01 +0300
committerIzorkin <izorkin@elven.pw>2019-03-16 19:54:21 +0300
commit42a99b1be2955eb007a199f319b3afa47d6da780 (patch)
tree5f56b1e302571625fc2b20d492ef95df0d38db81 /pkgs/servers
parent7ca00868ec0b8425122c755f892af003fc36019e (diff)
nixos/unit: init service unit
Diffstat (limited to 'pkgs/servers')
-rw-r--r--pkgs/servers/http/unit/default.nix9
-rw-r--r--pkgs/servers/http/unit/unit-rootless.patch24
2 files changed, 31 insertions, 2 deletions
diff --git a/pkgs/servers/http/unit/default.nix b/pkgs/servers/http/unit/default.nix
index f250dd5e9bb..9efc1d64335 100644
--- a/pkgs/servers/http/unit/default.nix
+++ b/pkgs/servers/http/unit/default.nix
@@ -40,9 +40,14 @@ stdenv.mkDerivation rec {
     ++ optional withRuby ruby
     ++ optional withSSL openssl;
 
+  # Used patch to enable work with unprivileged user - https://github.com/nginx/unit/issues/228
+  patches = [ ./unit-rootless.patch ];
+
   configureFlags = [
-    "--control=unix:/run/control.unit.sock"
-    "--pid=/run/unit.pid"
+    "--control=unix:/run/unit/control.unit.sock"
+    "--pid=/run/unit/unit.pid"
+    "--user=unit"
+    "--group=unit"
   ] ++ optional withSSL     [ "--openssl" ]
     ++ optional (!withIPv6) [ "--no-ipv6" ]
     ++ optional withDebug   [ "--debug" ];
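Review bot: The control socket and pid file move to `/run/unit/`, but nothing in this hunk creates that directory or fixes its ownership and mode, so the package depends on whatever launches the daemon to provide it. Unit's control socket accepts the complete server and application configuration, so access to that directory decides who can reconfigure the server. I would record the requirement beside the flags, e.g. `# /run/unit must be created by the service, owned by unit:unit and not world-accessible`. The patch comment would also read more clearly as `# Patch so that unit can start as an unprivileged user, see https://github.com/nginx/unit/issues/228`. The `mkDerivation` body starts and ends outside this hunk.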
diff --git a/pkgs/servers/http/unit/unit-rootless.patch b/pkgs/servers/http/unit/unit-rootless.patch
new file mode 100644
index 00000000000..36506847f91
--- /dev/null
+++ b/pkgs/servers/http/unit/unit-rootless.patch
@@ -0,0 +1,24 @@
+diff --git a/src/nxt_process.c b/src/nxt_process.c
+index 5952029..7b29369 100644
+--- a/src/nxt_process.c
++++ b/src/nxt_process.c
+@@ -136,7 +136,7 @@ nxt_process_start(nxt_task_t *task, nxt_process_t *process)
+
+     nxt_random_init(&thread->random);
+
+-    if (init->user_cred != NULL && getuid() == 0) {
++    if (init->user_cred != NULL) {
+         /* Super-user. */
+
+         ret = nxt_user_cred_set(task, init->user_cred);
+@@ -434,9 +434,7 @@ nxt_user_cred_get(nxt_task_t *task, nxt_user_cred_t *uc, const char *group)
+         uc->base_gid = grp->gr_gid;
+     }
+
+-    if (getuid() == 0) {
+         return nxt_user_groups_get(task, uc);
+-    }
+
+     return NXT_OK;
+ }
+
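Review bot: With the `getuid() == 0` tests removed, `nxt_user_cred_set()` and `nxt_user_groups_get()` are reached for every starting uid, so a non-root start that lacks the right to change uid, gid or supplementary groups will presumably fail at process start instead of skipping the credential switch as before. If the service grants CAP_SETUID/CAP_SETGID to make these calls succeed (not visible here), the main process can still switch to any uid, and the patch header should say so, so that "rootless" is read as the starting uid and not as a privilege boundary. The retained `/* Super-user. */` comment is no longer accurate and could become `/* Switch credentials; needs root or CAP_SETUID/CAP_SETGID. */`. The `return nxt_user_groups_get(task, uc);` line also keeps the indentation of the removed `if` and should be dedented one level. Both patched functions extend beyond the context shown.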