diff options
| author | Dan Peebles <pumpkin@me.com> | 2016-01-23 20:44:30 +0000 |
|---|---|---|
| committer | Dan Peebles <pumpkin@me.com> | 2016-01-23 20:44:30 +0000 |
| commit | e409d0fed3b5d50147b61b6d223d9aa272863485 (patch) | |
| tree | 06e21b489284deaf69e0e605726bcffe907eb310 /nixos/modules | |
| parent | 7ccda42007b892d82b0a89d511d93acec771a83e (diff) | |
| download | nixlib-e409d0fed3b5d50147b61b6d223d9aa272863485.tar nixlib-e409d0fed3b5d50147b61b6d223d9aa272863485.tar.gz nixlib-e409d0fed3b5d50147b61b6d223d9aa272863485.tar.bz2 nixlib-e409d0fed3b5d50147b61b6d223d9aa272863485.tar.lz nixlib-e409d0fed3b5d50147b61b6d223d9aa272863485.tar.xz nixlib-e409d0fed3b5d50147b61b6d223d9aa272863485.tar.zst nixlib-e409d0fed3b5d50147b61b6d223d9aa272863485.zip | |
nixos: update-locatedb - harden via systemd (#7220)
Also, use systemd timers. Most of the work is by @thoughtpolice but I changed enough of it to warrant changing commit author.
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/misc/locate.nix | 127 |
1 files changed, 66 insertions, 61 deletions
diff --git a/nixos/modules/misc/locate.nix b/nixos/modules/misc/locate.nix index 4f9c8d4e5ba1..318b81ca07c2 100644 --- a/nixos/modules/misc/locate.nix +++ b/nixos/modules/misc/locate.nix @@ -1,76 +1,74 @@ -{ config, lib, pkgs, ... }: +{ config, options, lib, pkgs, ... }: with lib; let cfg = config.services.locate; in { + options.services.locate = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + If enabled, NixOS will periodically update the database of + files used by the <command>locate</command> command. + ''; + }; - ###### interface - - options = { - - services.locate = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - If enabled, NixOS will periodically update the database of - files used by the <command>locate</command> command. - ''; - }; - - period = mkOption { - type = types.str; - default = "15 02 * * *"; - description = '' - This option defines (in the format used by cron) when the - locate database is updated. - The default is to update at 02:15 at night every day. - ''; - }; - - extraFlags = mkOption { - type = types.listOf types.str; - default = [ ]; - description = '' - Extra flags to pass to <command>updatedb</command>. - ''; - }; + interval = mkOption { + type = types.str; + default = "02:15"; + example = "hourly"; + description = '' + Update the locate database at this interval. Updates by + default at 2:15 AM every day. + + The format is described in + <citerefentry><refentrytitle>systemd.time</refentrytitle> + <manvolnum>7</manvolnum></citerefentry>. + ''; + }; - output = mkOption { - type = types.path; - default = "/var/cache/locatedb"; - description = '' - The database file to build. - ''; - }; + # This is no longer supported, but we keep it to give a better warning below + period = mkOption { visible = false; }; - localuser = mkOption { - type = types.str; - default = "nobody"; - description = '' - The user to search non-network directories as, using - <command>su</command>. - ''; - }; + extraFlags = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + Extra flags to pass to <command>updatedb</command>. + ''; + }; - includeStore = mkOption { - type = types.bool; - default = false; - description = '' - Whether to include <filename>/nix/store</filename> in the locate database. - ''; - }; + output = mkOption { + type = types.path; + default = "/var/cache/locatedb"; + description = '' + The database file to build. + ''; + }; + localuser = mkOption { + type = types.str; + default = "nobody"; + description = '' + The user to search non-network directories as, using + <command>su</command>. + ''; }; + includeStore = mkOption { + type = types.bool; + default = false; + description = '' + Whether to include <filename>/nix/store</filename> in the locate database. + ''; + }; }; - ###### implementation - config = { + warnings = let opt = options.services.locate.period; in optional opt.isDefined "The `period` definition in ${showFiles opt.files} has been removed; please replace it with `interval`, using the new systemd.time interval specifier."; + systemd.services.update-locatedb = { description = "Update Locate Database"; path = [ pkgs.su ]; @@ -84,11 +82,18 @@ in { ''; serviceConfig.Nice = 19; serviceConfig.IOSchedulingClass = "idle"; + serviceConfig.PrivateTmp = "yes"; + serviceConfig.PrivateNetwork = "yes"; + serviceConfig.NoNewPrivileges = "yes"; + serviceConfig.ReadOnlyDirectories = "/"; + serviceConfig.ReadWriteDirectories = cfg.output; }; - services.cron.systemCronJobs = optional config.services.locate.enable - "${config.services.locate.period} root ${config.systemd.package}/bin/systemctl start update-locatedb.service"; - + systemd.timers.update-locatedb = mkIf cfg.enable + { description = "Update timer for locate database"; + partOf = [ "update-locatedb.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = cfg.interval; + }; }; - } |