pyrox.dev / nixpkgs
lol
fork atom

nixos/geoip-updater: run as user 'geoip' instead of 'nobody'

That way 'nobody' is prevented from messing with the databases.

Bjørn Forsman d4e5bb34 900fc490

+12 -4
unified split
+2
nixos/modules/misc/ids.nix
··· 287 287 pdns-recursor = 269; 288 288 kresd = 270; 289 289 rpc = 271; 290 + geoip = 272; 290 291 291 292 # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! 292 293 ··· 543 544 gogs = 268; 544 545 kresd = 270; 545 546 #rpc = 271; # unused 547 + #geoip = 272; # unused 546 548 547 549 # When adding a gid, make sure it doesn't match an existing 548 550 # uid. Users and groups with the same name should have equal
+10 -4
nixos/modules/services/misc/geoip-updater.nix
··· 251 251 } 252 252 ]; 253 253 254 + users.extraUsers.geoip = { 255 + group = "root"; 256 + description = "GeoIP database updater"; 257 + uid = config.ids.uids.geoip; 258 + }; 259 + 254 260 systemd.timers.geoip-updater = 255 261 { description = "GeoIP Updater Timer"; 256 262 partOf = [ "geoip-updater.service" ]; ··· 267 273 preStart = '' 268 274 mkdir -p "${cfg.databaseDir}" 269 275 chmod 755 "${cfg.databaseDir}" 270 - chown nobody:root "${cfg.databaseDir}" 276 + chown geoip:root "${cfg.databaseDir}" 271 277 ''; 272 278 serviceConfig = { 273 279 ExecStart = "${geoip-updater}/bin/geoip-updater"; 274 - User = "nobody"; 280 + User = "geoip"; 275 281 PermissionsStartOnly = true; 276 282 }; 277 283 }; ··· 285 291 preStart = '' 286 292 mkdir -p "${cfg.databaseDir}" 287 293 chmod 755 "${cfg.databaseDir}" 288 - chown nobody:root "${cfg.databaseDir}" 294 + chown geoip:root "${cfg.databaseDir}" 289 295 ''; 290 296 serviceConfig = { 291 297 ExecStart = "${geoip-updater}/bin/geoip-updater --skip-existing"; 292 - User = "nobody"; 298 + User = "geoip"; 293 299 PermissionsStartOnly = true; 294 300 # So it won't be (needlessly) restarted: 295 301 RemainAfterExit = true;