
nixos/pinnwand: add reaper systemd unit/timer

The reap function culls expired pastes outside of the process serving
the pastes. Previously the database could accumulate a large number of
expired pastes, because an expired paste was only deleted when it was
accessed through the frontend.

+35 -10
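--- a/nixos/modules/services/misc/pinnwand.nix
+++ b/nixos/modules/services/misc/pinnwand.nix
@@ -40,38 +40,63 @@
       '';
     };
 
-    systemd.services.pinnwand = {
-      description = "Pinnwannd HTTP Server";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
+    systemd.services = let
+      hardeningOptions = {
+        User = "pinnwand";
+        DynamicUser = true;
 
-      unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/";
-      serviceConfig = {
-        ExecStart = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile} http --port ${toString(cfg.port)}";
         StateDirectory = "pinnwand";
         StateDirectoryMode = "0700";
 
         AmbientCapabilities = [];
         CapabilityBoundingSet = "";
         DevicePolicy = "closed";
-        DynamicUser = true;
         LockPersonality = true;
         MemoryDenyWriteExecute = true;
         PrivateDevices = true;
         PrivateUsers = true;
+        ProcSubset = "pid";
         ProtectClock = true;
         ProtectControlGroups = true;
-        ProtectKernelLogs = true;
         ProtectHome = true;
         ProtectHostname = true;
+        ProtectKernelLogs = true;
         ProtectKernelModules = true;
         ProtectKernelTunables = true;
-        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        ProtectProc = "invisible";
+        RestrictAddressFamilies = [
+          "AF_UNIX"
+          "AF_INET"
+          "AF_INET6"
+        ];
         RestrictNamespaces = true;
         RestrictRealtime = true;
         SystemCallArchitectures = "native";
         SystemCallFilter = "@system-service";
         UMask = "0077";
+      };
+
+      command = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile}";
+    in {
+      pinnwand = {
+        description = "Pinnwannd HTTP Server";
+        after = [ "network.target" ];
+        wantedBy = [ "multi-user.target" ];
+
+        unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/";
+
+        serviceConfig = {
+          ExecStart = "${command} http --port ${toString(cfg.port)}";
+        } // hardeningOptions;
+      };
+
+      pinnwand-reaper = {
+        description = "Pinnwand Reaper";
+        startAt = "daily";
+
+        serviceConfig = {
+          ExecStart = "${command} -vvvv reap"; # verbosity increased to show number of deleted pastes
+        } // hardeningOptions;
       };
     };
   };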
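Review bot: `pinnwand-reaper` is timer-activated through `startAt = "daily"` but leaves the service `Type` at its default, so systemd considers it started as soon as `reap` is spawned rather than when it has finished; add `Type = "oneshot";` beside `ExecStart` in its `serviceConfig`, which is the conventional shape for a scheduled one-off job. `startAt` only generates `OnCalendar`, so a run missed while the host is down is skipped until the next day; if expired pastes should be culled on the next boot instead, set `systemd.timers.pinnwand-reaper.timerConfig.Persistent = true;`. The `User = "pinnwand"` now placed next to `DynamicUser` is presumably what lets both units resolve the same dynamic account and share `StateDirectory = "pinnwand"`, and a one-line comment such as `# explicit User so both units get the same dynamic account and state directory` would save the next maintainer from removing it. The `"Pinnwannd"` spelling in the HTTP server description is carried over from the removed lines and could be corrected while the block is being moved. The enclosing `config` attribute set opens before this hunk.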