path: root/nixos/modules/services/monitoring/incron.nix
blob: 2681c35d6a0151355e22834b2fe99018b3d8f316 (plain) (blame)
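{ config, lib, pkgs, ... }:

# NixOS module for the incron daemon (inotify-driven "cron"): exposes the
# system incrontab, the per-user allow/deny lists and the systemd unit that
# runs incrond in the foreground.

let

  inherit (lib) mkOption mkIf types optional concatStringsSep literalExpression;

  cfg = config.services.incron;

  # Directory holding per-user incrontabs; created/tightened by the unit below.
  spoolDir = "/var/spool/incron";

in

{
  options = {

    services.incron = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable the incron daemon.

          Note that commands run under incrontab only support common Nix profiles for the <envar>PATH</envar> provided variable.
        '';
      };

      allow = mkOption {
        type = types.nullOr (types.listOf types.str);
        default = null;
        description = ''
          Users allowed to use incrontab.

          If empty then no user will be allowed to have their own incrontab.
          If <literal>null</literal> then will defer to <option>deny</option>.
          If both <option>allow</option> and <option>deny</option> are null
          then all users will be allowed to have their own incrontab.
        '';
      };

      deny = mkOption {
        type = types.nullOr (types.listOf types.str);
        default = null;
        description = "Users forbidden from using incrontab.";
      };

      systab = mkOption {
        type = types.lines;
        default = "";
        description = "The system incrontab contents.";
        example = ''
          /var/mail IN_CLOSE_WRITE abc $@/$#
          /tmp IN_ALL_EVENTS efg $@/$# $&
        '';
      };

      extraPackages = mkOption {
        type = types.listOf types.package;
        default = [];
        example = literalExpression "[ pkgs.rsync ]";
        description = "Extra packages available to the system incrontab.";
      };

    };

  };

  config = mkIf cfg.enable {

    # Setting both lists is almost certainly a misconfiguration: as the
    # warning text states, the deny list is ignored once an allow list exists.
    warnings = optional (cfg.allow != null && cfg.deny != null)
      "If `services.incron.allow` is set then `services.incron.deny` will be ignored.";

    environment.systemPackages = [ pkgs.incron ];

    # Setuid-root wrapper for the user-facing incrontab tool; the spool it
    # works in is root-owned with mode 0710 (see ExecStartPre below).
    security.wrappers.incrontab = {
      setuid = true;
      owner = "root";
      group = "root";
      source = "${pkgs.incron}/bin/incrontab";
    };

    # incron won't read symlinks, so give the system tab an explicit mode:
    # that makes environment.etc copy it into /etc instead of symlinking it
    # into the Nix store.  0444 keeps it world-readable.
    environment.etc."incron.d/system" = {
      mode = "0444";
      text = cfg.systab;
    };

    # One user name per line.  An empty allow list yields an empty file,
    # which (per the option description) locks every user out of incrontab.
    # NOTE(review): these keep the default symlink mode of environment.etc —
    # confirm incron follows symlinks for the allow/deny files.
    environment.etc."incron.allow" = mkIf (cfg.allow != null) {
      text = concatStringsSep "\n" cfg.allow;
    };
    environment.etc."incron.deny" = mkIf (cfg.deny != null) {
      text = concatStringsSep "\n" cfg.deny;
    };

    systemd.services.incron = {
      description = "File System Events Scheduler";
      wantedBy = [ "multi-user.target" ];
      # Only the configured extra packages are put on PATH for system tab
      # commands.
      path = cfg.extraPackages;
      serviceConfig = {
        PIDFile = "/run/incrond.pid";
        # `install -d` creates the directory like `mkdir -p`, but unlike
        # `mkdir -m … -p` it also re-applies the mode to an already existing
        # directory, so a spool left behind with looser permissions is
        # tightened to 0710 on every start.
        ExecStartPre = "${pkgs.coreutils}/bin/install -d -m 0710 ${spoolDir}";
        ExecStart = "${pkgs.incron}/bin/incrond --foreground";
      };
    };
  };

}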