From 7ccda42007b892d82b0a89d511d93acec771a83e Mon Sep 17 00:00:00 2001 From: Dan Peebles Date: Sat, 23 Jan 2016 19:28:01 +0000 Subject: [PATCH] nixos: uptimed - rewrite and harden a bit (#7220) This is mostly @thoughtpolice's work, but I cleaned it up a bit. --- nixos/modules/services/system/uptimed.nix | 71 ++++++++++------------- 1 file changed, 30 insertions(+), 41 deletions(-) diff --git a/nixos/modules/services/system/uptimed.nix b/nixos/modules/services/system/uptimed.nix index 5f8916bbf9a4..b20d60968032 100644 --- a/nixos/modules/services/system/uptimed.nix +++ b/nixos/modules/services/system/uptimed.nix @@ -1,66 +1,55 @@ -{pkgs, config, lib, ...}: +{ config, lib, pkgs, ... }: + +with lib; let - - inherit (lib) mkOption mkIf singleton; - - inherit (pkgs) uptimed; - + cfg = config.services.uptimed; stateDir = "/var/spool/uptimed"; - - uptimedUser = "uptimed"; - in - { - - ###### interface - options = { - services.uptimed = { - enable = mkOption { default = false; description = '' - Uptimed allows you to track your highest uptimes. + Enable uptimed, allowing you to track + your highest uptimes. ''; }; - }; - }; - - ###### implementation - - config = mkIf config.services.uptimed.enable { - - environment.systemPackages = [ uptimed ]; - - users.extraUsers = singleton - { name = uptimedUser; - uid = config.ids.uids.uptimed; - description = "Uptimed daemon user"; - home = stateDir; - }; + config = mkIf cfg.enable { + users.extraUsers.uptimed = { + description = "Uptimed daemon user"; + home = stateDir; + createHome = true; + uid = config.ids.uids.uptimed; + }; systemd.services.uptimed = { - description = "Uptimed daemon"; - wantedBy = [ "multi-user.target" ]; + unitConfig.Documentation = "man:uptimed(8) man:uprecords(1)"; + description = "uptimed service"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Restart = "on-failure"; + User = "uptimed"; + Nice = 19; + IOSchedulingClass = "idle"; + PrivateTmp = "yes"; + PrivateNetwork = "yes"; + NoNewPrivileges = "yes"; + ReadWriteDirectories = stateDir; + InaccessibleDirectories = "/home"; + ExecStart = "${pkgs.uptimed}/sbin/uptimed -f -p ${stateDir}/pid"; + }; preStart = '' - mkdir -m 0755 -p ${stateDir} - chown ${uptimedUser} ${stateDir} - if ! test -f ${stateDir}/bootid ; then - ${uptimed}/sbin/uptimed -b + ${pkgs.uptimed}/sbin/uptimed -b fi ''; - - script = "${uptimed}/sbin/uptimed"; }; - }; - }