shimun 2020-12-20 20:35:56 +01:00
parent b2f590f7c5
commit c0cde009d9
Signed by: shimun
GPG Key ID: E81D8382DC2F971B

38
mod.nix

@ -3,6 +3,17 @@ with lib;
let let
cfg = config.services.brownpaper; cfg = config.services.brownpaper;
cfgc = config.programs.brownpaper; cfgc = config.programs.brownpaper;
keyDir = pkgs.runCommand "brownpaper-keys" { } ''
mkdir -p $out
${concatStringsSep " && " (builtins.map (key: "ln -s ${key} $out") cfg.pgpKeys)}
'';
keyScript = pkgs.writeScript "brownpaper-keyscript" ''
#!${pkgs.bash}/bin/bash
DATADIR='${toString cfg.dataDir}'
([ ! -s "$DATADIR/keys" ] && [ -d "$DATADIR/keys" ]) && mv "$DATADIR/keys" "$DATADIR/keys.bak"
[ -s "$DATADIR/keys" ] && rm "$DATADIR/keys"
ln -s ${keyDir} "$DATADIR/keys"
'';
in in
{ {
options.services.brownpaper = { options.services.brownpaper = {
@ -37,30 +48,23 @@ in
}; };
config = { config = {
users.users = mkIf cfg.enable { ${cfg.user} = { }; }; users.users = mkIf cfg.enable { ${cfg.user} = { }; };
system.activationScripts.brownpaper.text = ''
mkdir -p ${toString cfg.dataDir}
chown ${toString cfg.user} -R ${toString cfg.dataDir}
${optionalString (cfg.pgpKeys != [ ]) "${keyScript}"}
'';
systemd.services.brownpaper = mkIf cfg.enable { systemd.services.brownpaper = mkIf cfg.enable {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
path = [ pkgs.coreutils ]; path = [ pkgs.coreutils ];
environment.BROWNPAPER_STORAGE_DIR = "${toString cfg.dataDir}"; environment.BROWNPAPER_STORAGE_DIR = "${toString cfg.dataDir}";
confinement = {
enable = true;
packages = with pkgs;[ bash coreutils findutils tzdata keyDir ];
};
serviceConfig = serviceConfig =
let
keyDir = pkgs.runCommand "brownpaper-keys" { } ''
mkdir -p $out
${concatStringsSep " && " (builtins.map (key: "ln -s ${key} $out") cfg.pgpKeys)}
'';
keyScript = pkgs.writeScript "brownpaper-keyscript" ''
DATADIR='${toString cfg.dataDir}'
([ ! -s "$DATADIR/keys" ] && [ -d "$DATADIR/keys" ]) && mv "$DATADIR/keys" "$DATADIR/keys.bak"
[ -s "$DATADIR/keys" ] && rm "$DATADIR/keys"
ln -s ${keyDir} "$DATADIR/keys"
'';
in
{ {
ExecStartPre = "+${pkgs.bash}/bin/bash -c '${concatStringsSep " && " BindPaths = [ cfg.dataDir ];
([
"mkdir -p ${toString cfg.dataDir}"
"chown ${toString cfg.user} ${toString cfg.dataDir}"
] ++ (optionals (cfg.pgpKeys != [ ]) [ "${keyScript}" ])) }'";
ExecStart = "${(pkgs.callPackage ./. { inherit pkgs; src = ./.; }).server.rootCrate.build}/bin/brownpaper ${cfg.listen}:${toString cfg.port}"; ExecStart = "${(pkgs.callPackage ./. { inherit pkgs; src = ./.; }).server.rootCrate.build}/bin/brownpaper ${cfg.listen}:${toString cfg.port}";
User = cfg.user; User = cfg.user;
}; };
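Review bot: The new `system.activationScripts.brownpaper.text` is set unconditionally, while the neighbouring `users.users` and `systemd.services.brownpaper` are wrapped in `mkIf cfg.enable`. As written, the `mkdir`, `chown -R` and `keyScript` steps would run on every system activation even when the service is disabled, and the `chown` names a user that is only declared when it is enabled. Guard it the same way as the user declaration, e.g. `system.activationScripts = mkIf cfg.enable { brownpaper.text = ''…''; };`. The setup also still operates as a privileged step inside a directory owned by the service user, and the `chown` is now recursive, so the `mv`/`rm`/`ln -s` in `keyScript` should tolerate whatever that user may have placed at `$DATADIR/keys`. There the `[ -s … ]` tests check for a non-empty file rather than a symlink; `-L` looks like what was intended, and `ln -sfn` would avoid creating the link inside an existing directory.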