| author | Alyssa Ross <hi@alyssa.is> | 2023-05-28 15:01:36 +0000 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2023-05-28 16:01:22 +0000 |
| commit | e3e4975c4954b239b324375d2ed778c4e56e67ab (patch) | |
| tree | 1423d2ac6dc2fe3b57a62d6e4a3248a436248931 | |
| parent | nixos/public-inbox: don't set RootDirectory= (diff) | |
nixos/public-inbox: use DynamicUser for readers (origin/public-inbox-DynamicUser)
public-inbox-{http,nntp,imap}d only need to be able to read the
repositories, so they don't need to run as the public-inbox user,
which has write permission for /var/lib/public-inbox.
Annoyingly, confinement is currently not compatible with DynamicUser,
so we can't enable both at the same time.
| -rw-r--r-- | nixos/modules/services/mail/public-inbox.nix | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/nixos/modules/services/mail/public-inbox.nix b/nixos/modules/services/mail/public-inbox.nix
index 4875a20d8775..07ba15cc1b66 100644
--- a/nixos/modules/services/mail/public-inbox.nix
+++ b/nixos/modules/services/mail/public-inbox.nix
@@ -53,7 +53,9 @@ let
# if running simultaneous services.
NonBlocking = true;
#LimitNOFILE = 30000;
- User = config.users.users."public-inbox".name;
+ User =
+ lib.mkIf config.systemd.services."public-inbox-${srv}".confinement.enable
+ config.users.users."public-inbox".name;
Group = config.users.groups."public-inbox".name;
RuntimeDirectory = [
"public-inbox-${srv}/perl-inline"
@@ -61,9 +63,7 @@ let
RuntimeDirectoryMode = "700";
# This is for BindPaths= and BindReadOnlyPaths=
# to allow traversal of directories they create inside RootDirectory=
- UMask = "0066";
- StateDirectory = ["public-inbox"];
- StateDirectoryMode = "0750";
+ UMask = "0026";
WorkingDirectory = stateDir;
BindReadOnlyPaths = [
"/etc"
@@ -433,8 +433,10 @@ in
(mkIf cfg.imap.enable {
public-inbox-imapd = mkMerge [(serviceConfig "imapd") {
after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
+ environment.PI_DIR = "/var/lib/public-inbox/.public-inbox";
requires = [ "public-inbox-init.service" ];
serviceConfig = {
+ DynamicUser = !config.systemd.services."public-inbox-imapd".confinement.enable;
ExecStart = escapeShellArgs (
[ "${cfg.package}/bin/public-inbox-imapd" ] ++
cfg.imap.args ++
@@ -447,8 +449,10 @@ in
(mkIf cfg.http.enable {
public-inbox-httpd = mkMerge [(serviceConfig "httpd") {
after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
+ environment.PI_DIR = "/var/lib/public-inbox/.public-inbox";
requires = [ "public-inbox-init.service" ];
serviceConfig = {
+ DynamicUser = !config.systemd.services."public-inbox-httpd".confinement.enable;
ExecStart = escapeShellArgs (
[ "${cfg.package}/bin/public-inbox-httpd" ] ++
cfg.http.args ++
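Review bot: The two comment lines kept above `UMask = "0026";` in the second hunk still explain the umask in terms of BindPaths= traversal inside RootDirectory=, which the parent commit removed, whereas the actual reason the value moved from 0066 to 0026 is that files created by the writer services must be group-readable by the DynamicUser readers, which share only the `public-inbox` group (the first hunk keeps `Group =` unconditional while making `User =` conditional on confinement). Replacing them with `# Created files must be group-readable: the DynamicUser readers only share the public-inbox group.` records the invariant so a later hardening pass does not tighten the umask back and silently break the readers. Separately, the `environment.PI_DIR = "/var/lib/public-inbox/.public-inbox";` lines in the imapd and httpd hunks hard-code the path that `stateDir` (already used by `WorkingDirectory = stateDir;`) names; `environment.PI_DIR = "${stateDir}/.public-inbox";` keeps them from drifting apart. The `serviceConfig` helper and the service definitions all begin outside these hunks.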
@@ -486,8 +490,10 @@ in
(mkIf cfg.nntp.enable {
public-inbox-nntpd = mkMerge [(serviceConfig "nntpd") {
after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
+ environment.PI_DIR = "/var/lib/public-inbox/.public-inbox";
requires = [ "public-inbox-init.service" ];
serviceConfig = {
+ DynamicUser = !config.systemd.services."public-inbox-nntpd".confinement.enable;
ExecStart = escapeShellArgs (
[ "${cfg.package}/bin/public-inbox-nntpd" ] ++
cfg.nntp.args ++
@@ -508,6 +514,10 @@ in
serviceConfig = {
ExecStart = "${cfg.package}/bin/public-inbox-watch";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ StateDirectory = ["public-inbox"];
+ StateDirectoryMode = "0750";
+ User = config.users.users."public-inbox".name;
+ Group = config.users.groups."public-inbox".name;
};
}];
})
@@ -561,15 +571,22 @@ in
ls -1 "$inbox" | grep -q '^xap' ||
${cfg.package}/bin/public-inbox-index "$inbox"
done
+
+ # Older versions of the module did not make inboxes group-readable.
+ # chmod -R g+r ${stateDir}/inboxes
'';
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
StateDirectory = [
+ "public-inbox"
"public-inbox/.public-inbox"
"public-inbox/.public-inbox/emergency"
"public-inbox/inboxes"
];
+ StateDirectoryMode = "0750";
+ User = config.users.users."public-inbox".name;
+ Group = config.users.groups."public-inbox".name;
};
}];
}) |
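Review bot: The migration for pre-existing inboxes in the last hunk is left commented out (`# chmod -R g+r ${stateDir}/inboxes`), so on an upgraded host whose inboxes were created under the old `UMask = "0066"` the readers, which with confinement off now run as a DynamicUser that only shares the `public-inbox` group, will be unable to open them; this fails closed rather than exposing anything, but it is a silent outage that the added `# Older versions...` comment acknowledges without handling. If the line is meant to be enabled, `g+r` alone does not grant group traversal of directories, so it should read `chmod -R g+rX ${stateDir}/inboxes`, and since public-inbox-init now runs as `User = config.users.users."public-inbox".name` (the owner) the chmod needs no extra privilege. The readers also point `PI_DIR` at `${stateDir}/.public-inbox`, so any config there created under the old umask presumably needs the same treatment — worth confirming rather than relying on the new `StateDirectoryMode = "0750"`, which only affects the directory itself. The init script that this hunk closes begins outside the hunk.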
