path: root/nixos/modules/services/monitoring/incron.nix
{ config, lib, pkgs, ... }:

with lib;

let

  # Shorthand for the values of this module's own options
  # (services.incron.*), as set by the system configuration.
  cfg = config.services.incron;

in

{
  # Option declarations for the incron service. The values are consumed by the
  # `config` section of this module through `cfg`.
  options.services.incron = {

    # Master switch: nothing in the `config` section is applied unless this
    # is true.
    enable = mkOption {
      description = ''
        Whether to enable the incron daemon.

        Note that commands run under incrontab only support common Nix profiles for the PATH provided variable.
      '';
      type = types.bool;
      default = false;
    };

    # Access control for per-user tables. null means "do not write
    # /etc/incron.allow at all"; an empty list writes an empty file, which
    # the description below documents as "nobody is allowed".
    allow = mkOption {
      description = ''
        Users allowed to use incrontab.

        If empty then no user will be allowed to have their own incrontab.
        If null then will defer to <option>deny</option>.
        If both <option>allow</option> and <option>deny</option> are null
        then all users will be allowed to have their own incrontab.
      '';
      type = with types; nullOr (listOf str);
      default = null;
    };

    # Counterpart of `allow`; null means /etc/incron.deny is not written.
    # With both left at null every local user may install a table, so set
    # one of them on multi-user hosts where that is not intended.
    deny = mkOption {
      description = "Users forbidden from using incrontab.";
      type = with types; nullOr (listOf str);
      default = null;
    };

    # Contents of /etc/incron.d/system. The incron unit in this module sets
    # no User=, so commands listed here run with the daemon's (root)
    # privileges.
    #
    # `$#` in a command is replaced by the name of the file that triggered
    # the event. For a watch on a world-writable directory such as /tmp,
    # that name is chosen by whichever local user creates the file, so the
    # command must treat it as untrusted input.
    #
    # NOTE(review): the double quotes are part of the example text itself;
    # confirm incron's table parser accepts quoted lines, otherwise drop
    # them from the example.
    systab = mkOption {
      description = "The system incrontab contents.";
      type = types.lines;
      default = "";
      example = ''
        "/var/mail IN_CLOSE_WRITE abc $@/$#"
        "/tmp IN_ALL_EVENTS efg $@/$# $&"
      '';
    };

  };

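  # System configuration applied when services.incron.enable is true:
  # installs the package, the incrontab wrapper, the /etc tables and
  # allow/deny lists, and the incrond systemd unit.
  config = mkIf cfg.enable {

    environment.systemPackages = [ pkgs.incron ];

    # incrontab is installed through security.wrappers, i.e. as a privileged
    # wrapper (presumably because it has to write user tables into the
    # root-owned spool directory created below). Owner, group and the setuid
    # bit are spelled out instead of being left to the wrapper module's
    # defaults, so the privilege this grants is visible in review. Which
    # users may actually use it is governed by incron.allow / incron.deny.
    security.wrappers.incrontab = {
      source = "${pkgs.incron}/bin/incrontab";
      owner = "root";
      group = "root";
      setuid = true;
    };

    # incron won't read symlinks, so the system table gets an explicit mode,
    # which installs it as a regular file instead of a link into the store.
    # Commands in this table are run by incrond, which the unit below starts
    # without a User= setting, i.e. as root.
    environment.etc."incron.d/system" = {
      mode = "0444";
      text = cfg.systab;
    };

    # The access lists are only written when the option is non-null; an
    # empty list still produces an (empty) file.
    # NOTE(review): no mode is set on these two entries, so they are left at
    # the environment.etc default — confirm incron reads them in that form,
    # given the symlink restriction noted for the system table.
    environment.etc."incron.allow" = mkIf (cfg.allow != null) {
      text = concatStringsSep "\n" cfg.allow;
    };
    environment.etc."incron.deny" = mkIf (cfg.deny != null) {
      text = concatStringsSep "\n" cfg.deny;
    };

    systemd.services.incron = {
      description = "File system events scheduler";
      wantedBy = [ "multi-user.target" ];

      # Commands triggered by the tables resolve programs through the system
      # profile only (see the note in the `enable` option description).
      path = [ config.system.path ];

      # mkdir -m applies the mode only when it creates the directory. The
      # chmod re-asserts 710 on a spool directory left over from an earlier
      # run, so the per-user tables stay unlistable by other users.
      preStart = ''
        mkdir -m 710 -p /var/spool/incron
        chmod 710 /var/spool/incron
      '';

      serviceConfig = {
        # incrond forks into the background and records its PID here.
        Type = "forking";
        PIDFile = "/run/incrond.pid";
        ExecStart = "${pkgs.incron}/bin/incrond";
      };
    };
  };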

}