author | Austin Seipp <aseipp@pobox.com> | 2014-04-15 06:50:39 -0500 |
committer | Austin Seipp <aseipp@pobox.com> | 2014-04-15 06:54:51 -0500 |
commit | da6bc44dd7eb39b68d9b16bc398e64248d7a09c3 (patch) | |
tree | c4d1ab80f236142b99a1ec4af75fceff01dd4f78 /nixos/modules/security | |
parent | 253f83ea2d4dbfd0f7eac81ffeadeb80d4863e21 (diff) | |
nixos: transmission improvements
This mostly upgrades transmission, and does some very minor touchups on AppArmor support. In particular, there is now no need to ever specify the umask as part of the settings, as it will be mixed in by default (which is essentially always what you want). Also, the default configuration is now more sensible: Downloads are put in /var/lib/transmission/Downloads, and incomplete files are put in /var/lib/transmission/.incomplete - this also allows easy use of file syncing programs, like BitTorrent Sync. Finally, this unconditionally enables the AppArmor profiles for the daemon, if AppArmor is enabled - rather than letting the user specify profile support, it's best to default to supporting profiles for daemons transparently in all places. Signed-off-by: Austin Seipp <aseipp@pobox.com>
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/apparmor.nix | 43 |
1 files changed, 12 insertions, 31 deletions
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index 29ac71777f03..da7c93beee98 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -1,55 +1,39 @@ { config, lib, pkgs, ... }: +with lib; + let cfg = config.security.apparmor; in - -with lib; - { - - ###### interface - options = { - security.apparmor = { - enable = mkOption { type = types.bool; default = false; - description = '' - Enable AppArmor application security system. Enable only if - you want to further improve AppArmor. - ''; + description = "Enable the AppArmor Mandatory Access Control system."; }; profiles = mkOption { type = types.listOf types.path; default = []; - description = '' - List of file names of AppArmor profiles. - ''; + description = "List of files containing AppArmor profiles."; }; - }; }; - - ###### implementation - - config = mkIf (cfg.enable) { - - assertions = [ { assertion = config.boot.kernelPackages.kernel.features ? apparmor - && config.boot.kernelPackages.kernel.features.apparmor; - message = "AppArmor is enabled, but the kernel doesn't have AppArmor support"; } - ]; + config = mkIf cfg.enable { + assertions = + [ { assertion = config.boot.kernelPackages.kernel.features ? apparmor + && config.boot.kernelPackages.kernel.features.apparmor; + message = "Your selected kernel does not have AppArmor support"; + } + ]; environment.systemPackages = [ pkgs.apparmor ]; - systemd.services.apparmor = { - #wantedBy = [ "basic.target" ]; wantedBy = [ "local-fs.target" ]; - path = [ pkgs.apparmor ]; + path = [ pkgs.apparmor ]; serviceConfig = { Type = "oneshot";
@@ -61,9 +45,6 @@ with lib; ''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; '' ) cfg.profiles; }; - }; - }; - } |
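Review bot: The `systemd.services.apparmor` unit in the first hunk is only pulled in by `wantedBy = [ "local-fs.target" ]`, and as far as the hunk shows no `before`/`after` ordering is declared, so a unit that is supposed to run under one of `cfg.profiles` can be started before `apparmor_parser` has loaded its profile and then runs unconfined until it is restarted, because AppArmor attaches a profile at exec time. Adding `before = [ "local-fs.target" ];` next to `wantedBy`, or stating in the module that confined units must declare `after = [ "apparmor.service" ];`, would make that guarantee explicit rather than incidental. If `RemainAfterExit = true` is not set in the part of `serviceConfig` that lies outside the hunk, the oneshot unit also reports inactive once the profiles are loaded, which makes such ordering dependencies harder to express for other units. The new `profiles` description could add that the listed files are loaded by `apparmor.service` and only take effect when `security.apparmor.enable` is set, since the whole `config` block sits under `mkIf cfg.enable` and a non-empty `profiles` list is otherwise silently ignored. The `systemd.services.apparmor` definition continues outside the first hunk.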