authorBjørn Forsman <bjorn.forsman@gmail.com>2017-02-13 22:26:21 +0100
committerBjørn Forsman <bjorn.forsman@gmail.com>2017-02-15 23:25:27 +0100
commitd4e5bb34b76c98adee1d7fc00440adeb6a2a8c13 (patch)
treeb9ff819b8bc4e124df3ee77f53fde0ea7f1fabf8 /nixos
parent900fc49013c83e39ed7b22260d15a616a939b32e (diff)
nixos/geoip-updater: run as user 'geoip' instead of 'nobody'
That way 'nobody' is prevented from messing with the databases.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/misc/ids.nix2
-rw-r--r--nixos/modules/services/misc/geoip-updater.nix14
2 files changed, 12 insertions, 4 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 1566dbe1677e..d51b29b99dae 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -287,6 +287,7 @@
       pdns-recursor = 269;
       kresd = 270;
       rpc = 271;
+      geoip = 272;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -543,6 +544,7 @@
       gogs = 268;
       kresd = 270;
       #rpc = 271; # unused
+      #geoip = 272; # unused
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal
diff --git a/nixos/modules/services/misc/geoip-updater.nix b/nixos/modules/services/misc/geoip-updater.nix
index 021ee02782d2..5135fac8f7dc 100644
--- a/nixos/modules/services/misc/geoip-updater.nix
+++ b/nixos/modules/services/misc/geoip-updater.nix
@@ -251,6 +251,12 @@ in
       }
     ];
 
+    users.extraUsers.geoip = {
+      group = "root";
+      description = "GeoIP database updater";
+      uid = config.ids.uids.geoip;
+    };
+
     systemd.timers.geoip-updater =
       { description = "GeoIP Updater Timer";
         partOf = [ "geoip-updater.service" ];
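Review bot: The new `users.extraUsers.geoip` entry gives the service account `group = "root"`, so geoip-updater still runs with gid 0 and can write to anything that is group-root writable, which undercuts the isolation this commit is after. The ids.nix hunk already reserves gid 272 for geoip but leaves it commented as unused; enabling it and using a dedicated group would be tighter: `users.extraGroups.geoip.gid = config.ids.gids.geoip;` and `group = "geoip";` here, with the two `chown geoip:root` lines in the later hunks presumably becoming `chown geoip:geoip` (or staying root-owned if the group is only meant to read). The enclosing config attribute set starts before this hunk.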
@@ -267,11 +273,11 @@ in
       preStart = ''
         mkdir -p "${cfg.databaseDir}"
         chmod 755 "${cfg.databaseDir}"
-        chown nobody:root "${cfg.databaseDir}"
+        chown geoip:root "${cfg.databaseDir}"
       '';
       serviceConfig = {
         ExecStart = "${geoip-updater}/bin/geoip-updater";
-        User = "nobody";
+        User = "geoip";
         PermissionsStartOnly = true;
       };
     };
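Review bot: The preStart `chown geoip:root "${cfg.databaseDir}"` only changes the directory itself, so on an existing deployment the database files previously written by `nobody` keep their old owner; if geoip-updater rewrites files in place rather than replacing them by rename, the new user will no longer be able to update them. A one-time migration in preStart, e.g. `chown -R geoip:root "${cfg.databaseDir}"`, would cover existing installs; whether in-place writes actually happen is not visible from this hunk. The same applies to the identical preStart in the next hunk (the `--skip-existing` service). Both service definitions begin before their hunks.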
@@ -285,11 +291,11 @@ in
       preStart = ''
         mkdir -p "${cfg.databaseDir}"
         chmod 755 "${cfg.databaseDir}"
-        chown nobody:root "${cfg.databaseDir}"
+        chown geoip:root "${cfg.databaseDir}"
       '';
       serviceConfig = {
         ExecStart = "${geoip-updater}/bin/geoip-updater --skip-existing";
-        User = "nobody";
+        User = "geoip";
         PermissionsStartOnly = true;
         # So it won't be (needlessly) restarted:
         RemainAfterExit = true;