confine

2020-12-20 20:35:56 +01:00 · 2020-12-20 20:35:56 +01:00 · c0cde009d9
commit c0cde009d9
parent b2f590f7c5
1 changed files with 21 additions and 17 deletions
--- a/mod.nix
+++ b/mod.nix
@ -3,6 +3,17 @@ with lib;
 let
  cfg = config.services.brownpaper;
  cfgc = config.programs.brownpaper;
+  keyDir = pkgs.runCommand "brownpaper-keys" { } ''
+    mkdir -p $out
+    ${concatStringsSep " && " (builtins.map (key: "ln -s ${key} $out") cfg.pgpKeys)}
+  '';
+  keyScript = pkgs.writeScript "brownpaper-keyscript" ''
+    #!${pkgs.bash}/bin/bash
+    DATADIR='${toString cfg.dataDir}'
+    ([ ! -s "$DATADIR/keys" ] && [ -d "$DATADIR/keys" ]) && mv "$DATADIR/keys" "$DATADIR/keys.bak"
+    [ -s "$DATADIR/keys" ] && rm "$DATADIR/keys"
+    ln -s ${keyDir} "$DATADIR/keys"
+  '';
 in
 {
  options.services.brownpaper = {
@ -37,30 +48,23 @@ in
  };
  config = {
    users.users = mkIf cfg.enable { ${cfg.user} = { }; };
+    system.activationScripts.brownpaper.text = ''
+      mkdir -p ${toString cfg.dataDir}
+      chown ${toString cfg.user} -R ${toString cfg.dataDir}
+      ${optionalString (cfg.pgpKeys != [ ]) "${keyScript}"}
+    '';
    systemd.services.brownpaper = mkIf cfg.enable {
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" ];
      path = [ pkgs.coreutils ];
      environment.BROWNPAPER_STORAGE_DIR = "${toString cfg.dataDir}";
+      confinement = {
+        enable = true;
+        packages = with pkgs;[ bash coreutils findutils tzdata keyDir ];
+      };
      serviceConfig =
-        let
-          keyDir = pkgs.runCommand "brownpaper-keys" { } ''
-            mkdir -p $out
-            ${concatStringsSep " && " (builtins.map (key: "ln -s ${key} $out") cfg.pgpKeys)}
-          '';
-          keyScript = pkgs.writeScript "brownpaper-keyscript" ''
-            DATADIR='${toString cfg.dataDir}'
-            ([ ! -s "$DATADIR/keys" ] && [ -d "$DATADIR/keys" ]) && mv "$DATADIR/keys" "$DATADIR/keys.bak"
-            [ -s "$DATADIR/keys" ] && rm "$DATADIR/keys"
-            ln -s ${keyDir} "$DATADIR/keys"
-          '';
-        in
        {
-          ExecStartPre = "+${pkgs.bash}/bin/bash -c '${concatStringsSep " && "
-              ([
-                  "mkdir -p ${toString cfg.dataDir}"
-                  "chown ${toString cfg.user} ${toString cfg.dataDir}"
-                ] ++ (optionals (cfg.pgpKeys != [ ]) [ "${keyScript}" ])) }'";
+          BindPaths = [ cfg.dataDir ];
          ExecStart = "${(pkgs.callPackage ./. { inherit pkgs; src = ./.; }).server.rootCrate.build}/bin/brownpaper ${cfg.listen}:${toString cfg.port}";
          User = cfg.user;
        };