From 9786adf23b05218ddbb4623f803c5380c1751ecc Mon Sep 17 00:00:00 2001 From: Janne Heß Date: Mon, 30 Dec 2019 00:06:23 +0100 Subject: nixos/redis: Type all options redis: switch back to mkOption --- nixos/modules/services/databases/redis.nix | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) (limited to 'nixos/modules/services/databases/redis.nix') diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index f1777854e14..4d2554786a3 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -133,12 +133,29 @@ in }; slaveOf = mkOption { - default = null; # { ip, port } - description = "An attribute set with two attributes: ip and port to which this redis instance acts as a slave."; + type = with types; nullOr (submodule ({ ... }: { + options = { + ip = mkOption { + type = str; + description = "IP of the Redis master"; + example = "192.168.1.100"; + }; + + port = mkOption { + type = port; + description = "port of the Redis master"; + default = 6379; + }; + }; + })); + + default = null; + description = "IP and port to which this redis instance acts as a slave."; example = { ip = "192.168.1.100"; port = 6379; }; }; masterAuth = mkOption { + type = types.str; default = null; description = ''If the master is password protected (using the requirePass configuration) it is possible to tell the slave to authenticate before starting the replication synchronization -- cgit 1.4.1 From 169ab0b89f124694e81639ff52c8bafc695d961d Mon Sep 17 00:00:00 2001 
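Review bot: `type = types.str;` added to masterAuth contradicts the `default = null;` kept directly below it, because `types.str` does not admit null, so a configuration that leaves masterAuth unset fails the option type check as soon as the value is evaluated; it needs `type = with types; nullOr str;`, as the slaveOf option in the same hunk already uses. The masterAuth description continues outside the hunk. The rendered redis.conf is produced with `pkgs.writeText` (visible in the settings commit further down this page), so that description should also state that the password ends up world-readable in the Nix store.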
From: Niklas Hambüchen Date: Sun, 11 Oct 2020 03:15:19 +0200 Subject: redis service: Listen on localhost by default. Fixes #100192. All other database servers in NixOS also use this safe-by-default setting. --- nixos/doc/manual/release-notes/rl-2103.xml | 5 +++++ nixos/modules/services/databases/redis.nix | 9 ++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) (limited to 'nixos/modules/services/databases/redis.nix') diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml index 7fd7ff5c2a9..dc61f095a5c 100644 --- a/nixos/doc/manual/release-notes/rl-2103.xml +++ b/nixos/doc/manual/release-notes/rl-2103.xml @@ -159,6 +159,11 @@ to nextcloud20. + + + The setting defaults to 127.0.0.1 now, making Redis listen on the loopback interface only, and not all public network interfaces. + + NixOS now emits a deprecation warning if systemd's StartLimitInterval setting is used in a serviceConfig section instead of in a unitConfig; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See #45785 for details. diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index f1777854e14..6b8853ae390 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -87,9 +87,12 @@ in bind = mkOption { type = with types; nullOr str; - default = null; # All interfaces - description = "The IP interface to bind to."; - example = "127.0.0.1"; + default = "127.0.0.1"; + description = '' + The IP interface to bind to. + null means "all interfaces". + ''; + example = "192.0.2.1"; }; unixSocket = mkOption { -- cgit 1.4.1 From 1a828f66dc7fad2a44b2e022251d797893af7a70 Mon Sep 17 00:00:00 2001 
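Review bot: The new description says `null means "all interfaces"`, but nothing in the hunk or the module ties that escape hatch to `requirePass`, so a user restoring the old behaviour gets an unauthenticated listener on every interface without any signal. A `warnings` entry such as `warnings = optional (cfg.bind == null && cfg.requirePass == null) "services.redis: bind = null listens on all interfaces without a password";` (placed in the config section, outside this hunk) would keep the safe default from being undone silently. The type stays a single `str`; if Redis accepts several space-separated addresses here, as I believe it does, the description could mention `"127.0.0.1 ::1"` for clients that resolve localhost to `::1`, which the new default does not cover.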
From: Aaron Andersen Date: Mon, 4 Jan 2021 19:47:32 -0500 Subject: nixos/redis: replace extraConfig option with settings option --- nixos/modules/services/databases/redis.nix | 78 +++++++++++++++++++----------- 1 file changed, 49 insertions(+), 29 deletions(-) (limited to 'nixos/modules/services/databases/redis.nix') diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 6b8853ae390..9628d30e76a 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -4,31 +4,16 @@ with lib; let cfg = config.services.redis; - redisBool = b: if b then "yes" else "no"; - condOption = name: value: if value != null then "${name} ${toString value}" else ""; - - redisConfig = pkgs.writeText "redis.conf" '' - port ${toString cfg.port} - ${condOption "bind" cfg.bind} - ${condOption "unixsocket" cfg.unixSocket} - daemonize no - supervised systemd - loglevel ${cfg.logLevel} - logfile ${cfg.logfile} - syslog-enabled ${redisBool cfg.syslog} - databases ${toString cfg.databases} - ${concatMapStrings (d: "save ${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}\n") cfg.save} - dbfilename dump.rdb - dir /var/lib/redis - ${if cfg.slaveOf != null then "slaveof ${cfg.slaveOf.ip} ${toString cfg.slaveOf.port}" else ""} - ${condOption "masterauth" cfg.masterAuth} - ${condOption "requirepass" cfg.requirePass} - appendOnly ${redisBool cfg.appendOnly} - appendfsync ${cfg.appendFsync} - slowlog-log-slower-than ${toString cfg.slowLogLogSlowerThan} - slowlog-max-len ${toString cfg.slowLogMaxLen} - ${cfg.extraConfig} - ''; + + mkValueString = value: + if value == true then "yes" + else if value == false then "no" + else generators.mkValueStringDefault { } value; + + redisConfig = pkgs.writeText "redis.conf" (generators.toKeyValue { + listsAsDuplicateKeys = true; + mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } " "; + } cfg.settings); in { imports = [ 
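Review bot: `redisConfig` is still rendered with `pkgs.writeText`, so every value in `cfg.settings` ends up in the world-readable Nix store, and the mkMerge hunk later in this commit feeds `cfg.requirePass` and `cfg.masterAuth` into exactly that attribute set; the commit changes the generator but leaves that exposure undocumented. A comment above the binding, `# Rendered into the Nix store: anything in cfg.settings (including requirepass) is world-readable`, and a matching sentence in the settings option description (next hunk) would make the trade-off explicit. `mkValueString` also passes strings through unquoted, so a value containing whitespace presumably becomes several Redis arguments — intended for `save` entries, but worth a one-line comment so nobody adds quoting later by accident.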
@@ -37,6 +22,7 @@ in (mkRemovedOptionModule [ "services" "redis" "dbFilename" ] "The redis module now uses /var/lib/redis/dump.rdb as database dump location.") (mkRemovedOptionModule [ "services" "redis" "appendOnlyFilename" ] "This option was never used.") (mkRemovedOptionModule [ "services" "redis" "pidFile" ] "This option was removed.") + (mkRemovedOptionModule [ "services" "redis" "extraConfig" ] "Use services.redis.settings instead.") ]; ###### interface @@ -191,10 +177,20 @@ in description = "Maximum number of items to keep in slow log."; }; - extraConfig = mkOption { - type = types.lines; - default = ""; - description = "Extra configuration options for redis.conf."; + settings = mkOption { + type = with types; attrsOf (oneOf [ bool int str (listOf str) ]); + default = {}; + description = '' + Redis configuration. Refer to + + for details on supported values. + ''; + example = literalExample '' + { + unixsocketperm = "700"; + loadmodule = [ "/path/to/my_module.so" "/path/to/other_module.so" ]; + } + ''; }; }; 
@@ -225,6 +221,30 @@ in environment.systemPackages = [ cfg.package ]; + services.redis.settings = mkMerge [ + { + port = cfg.port; + daemonize = false; + supervised = "systemd"; + loglevel = cfg.logLevel; + logfile = cfg.logfile; + syslog-enabled = cfg.syslog; + databases = cfg.databases; + save = map (d: "${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}") cfg.save; + dbfilename = "dump.rdb"; + dir = "/var/lib/redis"; + appendOnly = cfg.appendOnly; + appendfsync = cfg.appendFsync; + slowlog-log-slower-than = cfg.slowLogLogSlowerThan; + slowlog-max-len = cfg.slowLogMaxLen; + } + (mkIf (cfg.bind != null) { bind = cfg.bind; }) + (mkIf (cfg.unixSocket != null) { unixsocket = cfg.unixSocket; }) + (mkIf (cfg.slaveOf != null) { slaveof = "${cfg.slaveOf.ip} ${cfg.slaveOf.port}"; }) + (mkIf (cfg.masterAuth != null) { masterauth = cfg.masterAuth; }) + (mkIf (cfg.requirePass != null) { requirepass = cfg.requirePass; }) + ]; + systemd.services.redis = { description = "Redis Server"; -- cgit 1.4.1 From 4171cd53d699c7adc7548d0062d7766d93dc3d63 Mon Sep 17 00:00:00 2001 From: Milan Date: Fri, 15 Jan 2021 03:21:27 +0100 Subject: redis: make masterAuth option optional (#109417) --- nixos/modules/services/databases/redis.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/modules/services/databases/redis.nix') diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 1b90e59b166..117e6366225 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -144,7 +144,7 @@ in }; masterAuth = mkOption { - type = types.str; + type = with types; nullOr str; default = null; description = ''If the master is password protected (using the requirePass configuration) it is possible to tell the slave to authenticate before starting the replication synchronization -- cgit 1.4.1 From 86d8b31e00b267f0ed67798e966c16ef06faf9ba Mon Sep 17 00:00:00 2001 
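Review bot: `slaveof = "${cfg.slaveOf.ip} ${cfg.slaveOf.port}";` interpolates `slaveOf.port`, which the option declares as an integer (`type = port`), and Nix does not coerce integers inside string interpolation, so any configuration that sets slaveOf now fails to evaluate; the removed line applied `toString` and the new one needs it back: `slaveof = "${cfg.slaveOf.ip} ${toString cfg.slaveOf.port}";`. The `save` entry in the same block keeps `toString` and is fine. The same broken line survives as context in the unixSocketPerm commit further down this page.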
From: Izorkin Date: Wed, 24 Mar 2021 13:13:47 +0300 Subject: nixos/redis: add option unixSocketPerm --- nixos/modules/services/databases/redis.nix | 10 ++++++++-- nixos/tests/redis.nix | 2 +- 2 files changed, 9 insertions(+), 3 deletions(-) (limited to 'nixos/modules/services/databases/redis.nix') diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 117e6366225..b5921a6dead 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -88,6 +88,13 @@ in example = "/run/redis/redis.sock"; }; + unixSocketPerm = mkOption { + type = types.int; + default = 750; + description = "Change permissions for the socket"; + example = 700; + }; + logLevel = mkOption { type = types.str; default = "notice"; # debug, verbose, notice, warning @@ -204,7 +211,6 @@ in ''; example = literalExample '' { - unixsocketperm = "700"; loadmodule = [ "/path/to/my_module.so" "/path/to/other_module.so" ]; } ''; @@ -256,7 +262,7 @@ in slowlog-max-len = cfg.slowLogMaxLen; } (mkIf (cfg.bind != null) { bind = cfg.bind; }) - (mkIf (cfg.unixSocket != null) { unixsocket = cfg.unixSocket; }) + (mkIf (cfg.unixSocket != null) { unixsocket = cfg.unixSocket; unixsocketperm = "${toString cfg.unixSocketPerm}"; }) (mkIf (cfg.slaveOf != null) { slaveof = "${cfg.slaveOf.ip} ${cfg.slaveOf.port}"; }) (mkIf (cfg.masterAuth != null) { masterauth = cfg.masterAuth; }) (mkIf (cfg.requirePass != null) { requirepass = cfg.requirePass; }) diff --git a/nixos/tests/redis.nix b/nixos/tests/redis.nix index ca171561435..79a7847414a 100644 --- a/nixos/tests/redis.nix +++ b/nixos/tests/redis.nix @@ -17,7 +17,7 @@ in services.redis.unixSocket = redisSocket; # Allow access to the unix socket for the "redis" group. - services.redis.settings.unixsocketperm = "770"; + services.redis.unixSocketPerm = 770; users.users."member" = { createHome = false; -- cgit 1.4.1 From 9d4aaf236627f8b9d8556fc0ed834a9837b2e76b Mon Sep 17 00:00:00 2001 
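Review bot: `unixSocketPerm` is declared as `types.int` with `default = 750`, yet the value reaches Redis as the digit string `toString` produces, and Redis (as far as I recall) parses `unixsocketperm` as octal, so the integer is really a mode written in octal digits: `types.int` admits `789` or negative values that are not modes, and a reader may assume decimal. The description should say so, e.g. `description = "Permission mode of the unix socket, written as octal digits (e.g. 770) and passed to Redis unchanged.";`, and a bounded type such as `types.ints.between 0 7777` would at least reject negative and oversized values. In the third hunk, `unixsocketperm = "${toString cfg.unixSocketPerm}";` wraps an already-stringified value; `unixsocketperm = toString cfg.unixSocketPerm;` is equivalent and clearer.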
From: Izorkin Date: Wed, 24 Mar 2021 13:33:34 +0300 Subject: nixos/redis: allow access to runtime and state directories to only redis user --- nixos/modules/services/databases/redis.nix | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'nixos/modules/services/databases/redis.nix') diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index b5921a6dead..3ddc7aad81e 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -283,11 +283,18 @@ in serviceConfig = { ExecStart = "${cfg.package}/bin/redis-server /run/redis/redis.conf"; - RuntimeDirectory = "redis"; - StateDirectory = "redis"; Type = "notify"; + # User and group User = "redis"; Group = "redis"; + # Runtime directory and mode + RuntimeDirectory = "redis"; + RuntimeDirectoryMode = "0750"; + # State directory and mode + StateDirectory = "redis"; + StateDirectoryMode = "0700"; + # Access write directories + UMask = "0077"; }; }; }; -- cgit 1.4.1 From 061c913c366b339fd28b741ca2f56dacb64497f8 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sat, 3 Apr 2021 23:00:48 +0300 Subject: nixos/redis: enable sandbox mode --- nixos/modules/services/databases/redis.nix | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'nixos/modules/services/databases/redis.nix') diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 3ddc7aad81e..24fe4ab3cc2 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix 
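Review bot: `RuntimeDirectoryMode = "0750"` together with `Group = "redis"` means a local client must belong to the `redis` group to traverse /run/redis and reach the unix socket regardless of `unixSocketPerm`, and the unixSocket option description (outside this hunk) does not say so; adding `Clients must be members of the "redis" group to reach a socket under /run/redis.` to that description matches what the redis test on this page already does by adding its client user to the group. The comment `# Access write directories` above `UMask = "0077"` does not explain the effect; `# Files Redis creates (dump.rdb, AOF) are owner-only` is what the mask actually enforces. `StateDirectoryMode = "0700"` is consistent with that.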
@@ -295,6 +295,32 @@ in StateDirectoryMode = "0700"; # Access write directories UMask = "0077"; + # Capabilities + CapabilityBoundingSet = ""; + # Security + NoNewPrivileges = true; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectClock = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; + SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap"; }; }; }; -- cgit 1.4.1 From e075aeb8c0113b3d91c63aa99b22dcb4ce5a0d81 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Mon, 12 Apr 2021 12:36:28 +0300 Subject: nixos/redis: add option maxclients --- nixos/modules/services/databases/redis.nix | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'nixos/modules/services/databases/redis.nix') diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 24fe4ab3cc2..7ec10c0eb5a 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -5,6 +5,8 @@ with lib; let cfg = config.services.redis; + ulimitNofile = cfg.maxclients + 32; + mkValueString = value: if value == true then "yes" else if value == false then "no" 
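Review bot: `ProtectSystem = "strict"` leaves only the runtime and state directories writable, so a `logfile` or `unixSocket` pointing elsewhere (both options are outside this hunk) now fails at startup unless the path is listed in `ReadWritePaths`; either derive `ReadWritePaths` from those options or state the restriction in their descriptions. `MemoryDenyWriteExecute = true` should be fine for the bundled Lua interpreter, but a module loaded via `loadmodule` in `settings` that needs writable-executable memory would be refused, which deserves a comment beside the line.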
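Review bot: `ulimitNofile = cfg.maxclients + 32;` carries a magic number with no explanation; if the 32 is Redis's own reserved-descriptor margin (it looks like it, but confirm against the Redis source), say so: `# Redis keeps 32 descriptors for itself on top of maxclients`. The helper is only consumed by `LimitNOFILE` in this commit's last hunk.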
@@ -14,8 +16,8 @@ let listsAsDuplicateKeys = true; mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } " "; } cfg.settings); -in -{ + +in { imports = [ (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.") (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") @@ -121,6 +123,12 @@ in description = "Set the number of databases."; }; + maxclients = mkOption { + type = types.int; + default = 10000; + description = "Set the max number of connected clients at the same time."; + }; + save = mkOption { type = with types; listOf (listOf int); default = [ [900 1] [300 10] [60 10000] ]; @@ -253,6 +261,7 @@ in logfile = cfg.logfile; syslog-enabled = cfg.syslog; databases = cfg.databases; + maxclients = cfg.maxclients; save = map (d: "${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}") cfg.save; dbfilename = "dump.rdb"; dir = "/var/lib/redis"; @@ -299,6 +308,8 @@ in CapabilityBoundingSet = ""; # Security NoNewPrivileges = true; + # Process Properties + LimitNOFILE = "${toString ulimitNofile}"; # Sandboxing ProtectSystem = "strict"; ProtectHome = true; -- cgit 1.4.1 From feebe402f55fcb38b873370bee8fa09979018e85 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Thu, 13 May 2021 15:29:25 +0300 Subject: treewide: remove duplicates SystemCallFilters --- nixos/modules/services/databases/redis.nix | 2 +- nixos/modules/services/misc/jellyfin.nix | 4 +--- nixos/modules/services/network-filesystems/samba-wsdd.nix | 2 +- nixos/modules/services/networking/croc.nix | 4 +--- nixos/modules/services/web-apps/shiori.nix | 5 +---- nixos/modules/services/web-servers/nginx/default.nix | 2 +- 6 files changed, 6 insertions(+), 13 deletions(-) (limited to 'nixos/modules/services/databases/redis.nix') diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 7ec10c0eb5a..c4d51958e23 100644 
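Review bot: `maxclients` is typed `types.int`, which admits zero and negative values; Redis refuses such a limit at startup as far as I know, and `ulimitNofile = cfg.maxclients + 32` would feed a meaningless number to `LimitNOFILE` before that; `type = types.ints.positive;` states the real constraint. In the last hunk, `LimitNOFILE = "${toString ulimitNofile}";` quotes an already-stringified value; `LimitNOFILE = toString ulimitNofile;` is equivalent and clearer. The `in {` reflow hunk is style only.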
--- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -331,7 +331,7 @@ in { PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; - SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap"; + SystemCallFilter = "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @privileged @resources @setuid"; }; }; }; diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix index c1b45864041..6d64acc0291 100644 --- a/nixos/modules/services/misc/jellyfin.nix +++ b/nixos/modules/services/misc/jellyfin.nix @@ -92,9 +92,7 @@ in SystemCallErrorNumber = "EPERM"; SystemCallFilter = [ "@system-service" - - "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@module" - "~@obsolete" "~@privileged" "~@setuid" + "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" ]; }; }; diff --git a/nixos/modules/services/network-filesystems/samba-wsdd.nix b/nixos/modules/services/network-filesystems/samba-wsdd.nix index c68039c79e2..800ef448d37 100644 --- a/nixos/modules/services/network-filesystems/samba-wsdd.nix +++ b/nixos/modules/services/network-filesystems/samba-wsdd.nix @@ -117,7 +117,7 @@ in { PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; - SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap"; + SystemCallFilter = "~@cpu-emulation @debug @mount @obsolete @privileged @resources"; }; }; }; diff --git a/nixos/modules/services/networking/croc.nix b/nixos/modules/services/networking/croc.nix index b218fab2196..9466adf71d8 100644 --- a/nixos/modules/services/networking/croc.nix +++ b/nixos/modules/services/networking/croc.nix 
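Review bot: The shortened `SystemCallFilter` keeps the old deny set only if `@privileged` really subsumes the groups removed here (`@clock @module @raw-io @reboot @swap`, plus `@chown` in the jellyfin, croc, shiori and nginx hunks); that holds in systemd's seccomp group definitions as far as I know, but nothing in any of these files records the assumption, and a reader diffing the line will see a weaker filter. A comment above each line, `# @privileged already covers @chown @clock @module @raw-io @reboot @swap`, keeps the intent visible, and `systemd-analyze syscall-filter @privileged` confirms the membership for the deployed systemd. The samba-wsdd hunk has the same shape.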
@@ -72,9 +72,7 @@ in RuntimeDirectoryMode = "700"; SystemCallFilter = [ "@system-service" - "~@aio" "~@chown" "~@keyring" "~@memlock" - "~@privileged" "~@resources" "~@setuid" - "~@sync" "~@timer" + "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@resources" "~@setuid" "~@sync" "~@timer" ]; SystemCallArchitectures = "native"; SystemCallErrorNumber = "EPERM"; diff --git a/nixos/modules/services/web-apps/shiori.nix b/nixos/modules/services/web-apps/shiori.nix index 8f96dd9b5dd..a15bb9744a9 100644 --- a/nixos/modules/services/web-apps/shiori.nix +++ b/nixos/modules/services/web-apps/shiori.nix @@ -86,10 +86,7 @@ in { SystemCallErrorNumber = "EPERM"; SystemCallFilter = [ "@system-service" - - "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" - "~@module" "~@obsolete" "~@privileged" "~@raw-io" - "~@resources" "~@setuid" + "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@resources" "~@setuid" ]; }; }; diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index d811879b7b1..033e1584c11 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -850,7 +850,7 @@ in PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; - SystemCallFilter = "~@chown @cpu-emulation @debug @keyring @ipc @module @mount @obsolete @privileged @raw-io @reboot @setuid @swap"; + SystemCallFilter = "~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid"; }; }; -- cgit 1.4.1 From 0cde374a7604821ceddd24d06ae21e44de59d04c Mon Sep 17 00:00:00 2001 From: Daniel Nagy Date: Tue, 25 May 2021 19:26:38 +0200 Subject: nixos/redis: set port type to `types.port` --- nixos/modules/services/databases/redis.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/modules/services/databases/redis.nix') 
diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index c4d51958e23..9c0740f28c9 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -52,7 +52,7 @@ in { }; port = mkOption { - type = types.int; + type = types.port; default = 6379; description = "The port for Redis to listen to."; }; -- cgit 1.4.1