author | talyz <kim.lindberger@gmail.com> | 2020-03-11 19:52:37 +0100 |
---|---|---|
committer | talyz <kim.lindberger@gmail.com> | 2020-03-11 19:52:37 +0100 |
commit | bb7ad853fbcbd158ff32c12d2d93941343418715 (patch) | |
tree | 2e2d0b0fffbd8bfdecad104efa2e5d809bb6627a /nixos/modules/services | |
parent | 5c500875665785b27539557520364582be8ffe0e (diff) | |
nixos/haproxy: Revive the haproxy user and group
Running haproxy with "DynamicUser = true" doesn't really work, since it makes it impossible to use a TLS certificate bundle with limited permissions. This revives the haproxy user and group, but makes them dynamically allocated by NixOS rather than statically allocated. It also adds options to specify which user and group haproxy runs as.
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/networking/haproxy.nix | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/haproxy.nix b/nixos/modules/services/networking/haproxy.nix
index aff71e5e97da..4678829986c6 100644
--- a/nixos/modules/services/networking/haproxy.nix
+++ b/nixos/modules/services/networking/haproxy.nix
@@ -26,6 +26,18 @@ with lib;
 '';
 };
+ user = mkOption {
+ type = types.str;
+ default = "haproxy";
+ description = "User account under which haproxy runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "haproxy";
+ description = "Group account under which haproxy runs.";
+ };
+
 config = mkOption {
 type = types.nullOr types.lines;
 default = null;
@@ -49,7 +61,8 @@ with lib;
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
- DynamicUser = true;
+ User = cfg.user;
+ Group = cfg.group;
 Type = "notify";
 # when running the config test, don't be quiet so we can see what goes wrong
 ExecStartPre = "${pkgs.haproxy}/sbin/haproxy -c -f ${haproxyCfg}";
@@ -60,5 +73,16 @@ with lib;
 AmbientCapabilities = "CAP_NET_BIND_SERVICE";
 };
 };
+
+ users.users = optionalAttrs (cfg.user == "haproxy") {
+ haproxy = {
+ group = cfg.group;
+ isSystemUser = true;
+ };
+ };
+
+ users.groups = optionalAttrs (cfg.group == "haproxy") {
+ haproxy = {};
+ };
 };
 }
|
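Review bot: The new `user` and `group` option descriptions do not mention that the account is only created when the default name is kept; the third hunk wraps `users.users` and `users.groups` in `optionalAttrs (cfg.user == "haproxy")` and `optionalAttrs (cfg.group == "haproxy")`, so a non-default value must name an account defined elsewhere in the configuration or the unit will presumably fail to start. Suggest extending both descriptions, e.g. `description = "User account under which haproxy runs. If set to anything other than the default, the account must be created separately.";` with the matching sentence for `group`. Note also that when `user` is left at its default but `group` is changed, the created haproxy user references `cfg.group`, which must then exist as well; a one-line mention in the `group` description would make that dependency visible.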
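Review bot: Replacing `DynamicUser = true` with static `User`/`Group` also silently drops the sandboxing that DynamicUser implies (per systemd.exec(5) it turns on ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC and NoNewPrivileges), so after this commit the service is less confined than before even though the only intended change is the static account. Consider restoring those settings explicitly in `serviceConfig`, e.g. `ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true;`, while checking that any paths haproxy must write (stats socket, chroot directory) remain reachable. NoNewPrivileges stays compatible with the existing `AmbientCapabilities = "CAP_NET_BIND_SERVICE"` since ambient capabilities survive it. The `serviceConfig` block continues outside this hunk.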