From e409d0fed3b5d50147b61b6d223d9aa272863485 Mon Sep 17 00:00:00 2001
From: Dan Peebles <pumpkin@me.com>
Date: Sat, 23 Jan 2016 20:44:30 +0000
Subject: nixos: update-locatedb - harden via systemd (#7220)

Also, use systemd timers.

Most of the work is by @thoughtpolice but I changed enough of it to warrant changing commit author.
---
 nixos/modules/misc/locate.nix | 127 ++++++++++++++++++++++--------------------
 1 file changed, 66 insertions(+), 61 deletions(-)

(limited to 'nixos/modules')

diff --git a/nixos/modules/misc/locate.nix b/nixos/modules/misc/locate.nix
index 4f9c8d4e5ba1..318b81ca07c2 100644
--- a/nixos/modules/misc/locate.nix
+++ b/nixos/modules/misc/locate.nix
@@ -1,76 +1,74 @@
-{ config, lib, pkgs, ... }:
+{ config, options, lib, pkgs, ... }:
 
 with lib;
 
 let
   cfg = config.services.locate;
 in {
+  options.services.locate = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        If enabled, NixOS will periodically update the database of
+        files used by the <command>locate</command> command.
+      '';
+    };
 
-  ###### interface
-
-  options = {
-
-    services.locate = {
-
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          If enabled, NixOS will periodically update the database of
-          files used by the <command>locate</command> command.
-        '';
-      };
-
-      period = mkOption {
-        type = types.str;
-        default = "15 02 * * *";
-        description = ''
-          This option defines (in the format used by cron) when the
-          locate database is updated.
-          The default is to update at 02:15 at night every day.
-        '';
-      };
-
-      extraFlags = mkOption {
-        type = types.listOf types.str;
-        default = [ ];
-        description = ''
-          Extra flags to pass to <command>updatedb</command>.
-        '';
-      };
+    interval = mkOption {
+      type = types.str;
+      default = "02:15";
+      example = "hourly";
+      description = ''
+        Update the locate database at this interval. Updates by
+        default at 2:15 AM every day.
+
+        The format is described in
+        <citerefentry><refentrytitle>systemd.time</refentrytitle>
+        <manvolnum>7</manvolnum></citerefentry>.
+      '';
+    };
 
-      output = mkOption {
-        type = types.path;
-        default = "/var/cache/locatedb";
-        description = ''
-          The database file to build.
-        '';
-      };
+    # This is no longer supported, but we keep it to give a better warning below
+    period = mkOption { visible = false; };
 
-      localuser = mkOption {
-        type = types.str;
-        default = "nobody";
-        description = ''
-          The user to search non-network directories as, using
-          <command>su</command>.
-        '';
-      };
+    extraFlags = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      description = ''
+        Extra flags to pass to <command>updatedb</command>.
+      '';
+    };
 
-      includeStore = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether to include <filename>/nix/store</filename> in the locate database.
-        '';
-      };
+    output = mkOption {
+      type = types.path;
+      default = "/var/cache/locatedb";
+      description = ''
+        The database file to build.
+      '';
+    };
 
+    localuser = mkOption {
+      type = types.str;
+      default = "nobody";
+      description = ''
+        The user to search non-network directories as, using
+        <command>su</command>.
+      '';
     };
 
+    includeStore = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to include <filename>/nix/store</filename> in the locate database.
+      '';
+    };
   };
 
-  ###### implementation
-
   config = {
+    warnings = let opt = options.services.locate.period; in optional opt.isDefined "The `period` definition in ${showFiles opt.files} has been removed; please replace it with `interval`, using the new systemd.time interval specifier.";
+
     systemd.services.update-locatedb =
       { description = "Update Locate Database";
         path  = [ pkgs.su ];
@@ -84,11 +82,18 @@ in {
           '';
         serviceConfig.Nice = 19;
         serviceConfig.IOSchedulingClass = "idle";
+        serviceConfig.PrivateTmp = "yes";
+        serviceConfig.PrivateNetwork = "yes";
+        serviceConfig.NoNewPrivileges = "yes";
+        serviceConfig.ReadOnlyDirectories = "/";
+        serviceConfig.ReadWriteDirectories = cfg.output;
       };
 
-    services.cron.systemCronJobs = optional config.services.locate.enable
-      "${config.services.locate.period} root ${config.systemd.package}/bin/systemctl start update-locatedb.service";
-
+    systemd.timers.update-locatedb = mkIf cfg.enable
+      { description = "Update timer for locate database";
+        partOf      = [ "update-locatedb.service" ];
+        wantedBy    = [ "timers.target" ];
+        timerConfig.OnCalendar = cfg.interval;
+      };
   };
-
 }
-- 
cgit 1.4.1