From c0cde009d95b11d02f305e49617cf14b3f930354 Mon Sep 17 00:00:00 2001
From: shimun
Date: Sun, 20 Dec 2020 20:35:56 +0100
Subject: [PATCH] confine

---
 mod.nix | 38 +++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

diff --git a/mod.nix b/mod.nix
index 8ee5ca7..2769d32 100644
--- a/mod.nix
+++ b/mod.nix
@@ -3,6 +3,17 @@ with lib;
 let
 cfg = config.services.brownpaper;
 cfgc = config.programs.brownpaper;
+keyDir = pkgs.runCommand "brownpaper-keys" { } ''
+mkdir -p $out
+${concatStringsSep " && " (builtins.map (key: "ln -s ${key} $out") cfg.pgpKeys)}
+'';
+keyScript = pkgs.writeScript "brownpaper-keyscript" ''
+#!${pkgs.bash}/bin/bash
+DATADIR='${toString cfg.dataDir}'
+([ ! -s "$DATADIR/keys" ] && [ -d "$DATADIR/keys" ]) && mv "$DATADIR/keys" "$DATADIR/keys.bak"
+[ -s "$DATADIR/keys" ] && rm "$DATADIR/keys"
+ln -s ${keyDir} "$DATADIR/keys"
+'';
 in
 {
 options.services.brownpaper = {
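Review bot: The `[ ! -s "$DATADIR/keys" ] && [ -d "$DATADIR/keys" ]` test in keyScript is the wrong predicate: `-s` means "exists with size greater than zero", and a directory usually reports a non-zero size, so the rename to `keys.bak` will rarely fire, the following `rm` of a directory fails, and the final `ln -s` then drops the symlink inside the surviving directory instead of replacing it. The script also has no `set -euo pipefail`, so none of those failures surface. Because the other hunk appears to run this script from an activation script, i.e. as root, against a directory that is chowned to `cfg.user`, a test-then-act sequence of `mv`/`rm`/`ln -s` on a user-writable path is also a symlink race, and the replace step should not follow an existing link. I would write the body as `set -euo pipefail`, `[ -d "$DATADIR/keys" ] && [ ! -L "$DATADIR/keys" ] && mv -T "$DATADIR/keys" "$DATADIR/keys.bak"`, `ln -sfn ${keyDir} "$DATADIR/keys"`. Separately, the `ln -s ${key} $out` chain in keyDir will fail the derivation if two entries in `cfg.pgpKeys` share a basename; worth a comment or a `${builtins.baseNameOf key}`-free naming scheme.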
@@ -37,30 +48,23 @@ in
 };
 config = {
 users.users = mkIf cfg.enable { ${cfg.user} = { }; };
+system.activationScripts.brownpaper.text = ''
+mkdir -p ${toString cfg.dataDir}
+chown ${toString cfg.user} -R ${toString cfg.dataDir}
+${optionalString (cfg.pgpKeys != [ ]) "${keyScript}"}
+'';
 systemd.services.brownpaper = mkIf cfg.enable {
 wantedBy = [ "multi-user.target" ];
 after = [ "network-online.target" ];
 path = [ pkgs.coreutils ];
 environment.BROWNPAPER_STORAGE_DIR = "${toString cfg.dataDir}";
+confinement = {
+enable = true;
+packages = with pkgs;[ bash coreutils findutils tzdata keyDir ];
+};
 serviceConfig =
-let
-keyDir = pkgs.runCommand "brownpaper-keys" { } ''
-mkdir -p $out
-${concatStringsSep " && " (builtins.map (key: "ln -s ${key} $out") cfg.pgpKeys)}
-'';
-keyScript = pkgs.writeScript "brownpaper-keyscript" ''
-DATADIR='${toString cfg.dataDir}'
-([ ! -s "$DATADIR/keys" ] && [ -d "$DATADIR/keys" ]) && mv "$DATADIR/keys" "$DATADIR/keys.bak"
-[ -s "$DATADIR/keys" ] && rm "$DATADIR/keys"
-ln -s ${keyDir} "$DATADIR/keys"
-'';
-in {
-ExecStartPre = "+${pkgs.bash}/bin/bash -c '${concatStringsSep " && "
-([
-"mkdir -p ${toString cfg.dataDir}"
-"chown ${toString cfg.user} ${toString cfg.dataDir}"
-] ++ (optionals (cfg.pgpKeys != [ ]) [ "${keyScript}" ])) }'";
+BindPaths = [ cfg.dataDir ];
 ExecStart = "${(pkgs.callPackage ./. { inherit pkgs; src = ./.; }).server.rootCrate.build}/bin/brownpaper ${cfg.listen}:${toString cfg.port}";
 User = cfg.user;
 };