commit 7ccda42007b892d82b0a89d511d93acec771a83e · tjh.dev/nixpkgs

tjh.dev / nixpkgs

Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)

fork atom

nixos: uptimed - rewrite and harden a bit (#7220)

This is mostly @thoughtpolice's work, but I cleaned it up a bit.

Dan Peebles 10 years ago 7ccda420 d787c225

+29 -40

1 changed file

expand all

unified split

nixos

modules

services

system

uptimed.nix

+29 -40

nixos/modules/services/system/uptimed.nix

··· 1 - {pkgs, config, lib, ...}: 1 + { config, lib, pkgs, ... }: 2 + 3 + with lib; 2 4 3 5 let 4 - 5 - inherit (lib) mkOption mkIf singleton; 6 - 7 - inherit (pkgs) uptimed; 8 - 6 + cfg = config.services.uptimed; 9 7 stateDir = "/var/spool/uptimed"; 10 - 11 - uptimedUser = "uptimed"; 12 - 13 8 in 14 - 15 9 { 16 - 17 - ###### interface 18 - 19 10 options = { 20 - 21 11 services.uptimed = { 22 - 23 12 enable = mkOption { 24 13 default = false; 25 14 description = '' 26 - Uptimed allows you to track your highest uptimes. 15 + Enable <literal>uptimed</literal>, allowing you to track 16 + your highest uptimes. 27 17 ''; 28 18 }; 29 - 30 19 }; 31 - 32 20 }; 33 21 22 + config = mkIf cfg.enable { 23 + users.extraUsers.uptimed = { 24 + description = "Uptimed daemon user"; 25 + home = stateDir; 26 + createHome = true; 27 + uid = config.ids.uids.uptimed; 28 + }; 34 29 35 - ###### implementation 30 + systemd.services.uptimed = { 31 + unitConfig.Documentation = "man:uptimed(8) man:uprecords(1)"; 32 + description = "uptimed service"; 33 + wantedBy = [ "multi-user.target" ]; 36 34 37 - config = mkIf config.services.uptimed.enable { 38 - 39 - environment.systemPackages = [ uptimed ]; 40 - 41 - users.extraUsers = singleton 42 - { name = uptimedUser; 43 - uid = config.ids.uids.uptimed; 44 - description = "Uptimed daemon user"; 45 - home = stateDir; 35 + serviceConfig = { 36 + Restart = "on-failure"; 37 + User = "uptimed"; 38 + Nice = 19; 39 + IOSchedulingClass = "idle"; 40 + PrivateTmp = "yes"; 41 + PrivateNetwork = "yes"; 42 + NoNewPrivileges = "yes"; 43 + ReadWriteDirectories = stateDir; 44 + InaccessibleDirectories = "/home"; 45 + ExecStart = "${pkgs.uptimed}/sbin/uptimed -f -p ${stateDir}/pid"; 46 46 }; 47 47 48 - systemd.services.uptimed = { 49 - description = "Uptimed daemon"; 50 - wantedBy = [ "multi-user.target" ]; 51 - 52 48 preStart = '' 53 - mkdir -m 0755 -p ${stateDir} 54 - chown ${uptimedUser} ${stateDir} 55 - 56 49 if ! test -f ${stateDir}/bootid ; then 57 - ${uptimed}/sbin/uptimed -b 50 + ${pkgs.uptimed}/sbin/uptimed -b 58 51 fi 59 52 ''; 60 - 61 - script = "${uptimed}/sbin/uptimed"; 62 53 }; 63 - 64 54 }; 65 - 66 55 }