diff --git a/nixos/doc/manual/release-notes/rl-1709.xml b/nixos/doc/manual/release-notes/rl-1709.xml index a32f9963d1c5..90d7bd4b550b 100644 --- a/nixos/doc/manual/release-notes/rl-1709.xml +++ b/nixos/doc/manual/release-notes/rl-1709.xml @@ -154,6 +154,14 @@ rmdir /var/lib/ipfs/.ipfs variables as parameters. + + + services.firefox.syncserver now runs by default as a + non-root user. To accomodate this change, the default sqlite database + location has also been changed. Migration should work automatically. + Refer to the description of the options for more details. + + Other notable improvements: diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix index c1a14931429a..a9f3fd65d76b 100644 --- a/nixos/modules/services/networking/firefox/sync-server.nix +++ b/nixos/modules/services/networking/firefox/sync-server.nix @@ -4,6 +4,10 @@ with lib; let cfg = config.services.firefox.syncserver; + + defaultDbLocation = "/var/db/firefox-sync-server/firefox-sync-server.db"; + defaultSqlUri = "sqlite:///${defaultDbLocation}"; + syncServerIni = pkgs.writeText "syncserver.ini" '' [DEFAULT] overrides = ${cfg.privateConfig} @@ -25,6 +29,7 @@ let backend = tokenserver.verifiers.LocalVerifier audiences = ${removeSuffix "/" cfg.publicUrl} ''; + in { @@ -65,6 +70,18 @@ in ''; }; + user = mkOption { + type = types.str; + default = "syncserver"; + description = "User account under which syncserver runs."; + }; + + group = mkOption { + type = types.str; + default = "syncserver"; + description = "Group account under which syncserver runs."; + }; + publicUrl = mkOption { type = types.str; default = "http://localhost:5000/"; @@ -85,7 +102,7 @@ in sqlUri = mkOption { type = types.str; - default = "sqlite:////var/db/firefox-sync-server.db"; + default = defaultSqlUri; example = "postgresql://scott:tiger@localhost/test"; description = '' The location of the database. This URL is composed of @@ -126,16 +143,45 @@ in description = "Firefox Sync Server"; wantedBy = [ "multi-user.target" ]; path = [ pkgs.coreutils syncServerEnv ]; + + serviceConfig = { + User = cfg.user; + Group = cfg.group; + PermissionsStartOnly = true; + }; + preStart = '' if ! test -e ${cfg.privateConfig}; then - umask u=rwx,g=x,o=x - mkdir -p $(dirname ${cfg.privateConfig}) + mkdir -m 700 -p $(dirname ${cfg.privateConfig}) echo > ${cfg.privateConfig} '[syncserver]' echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')" fi + chown ${cfg.user}:${cfg.group} ${cfg.privateConfig} + '' + optionalString (cfg.sqlUri == defaultSqlUri) '' + if ! test -e $(dirname ${defaultDbLocation}); then + mkdir -m 700 -p $(dirname ${defaultDbLocation}) + chown ${cfg.user}:${cfg.group} $(dirname ${defaultDbLocation}) + fi + # Move previous database file if it exists + oldDb="/var/db/firefox-sync-server.db" + if test -f $oldDb; then + mv $oldDb ${defaultDbLocation} + chown ${cfg.user}:${cfg.group} ${defaultDbLocation} + fi ''; serviceConfig.ExecStart = "${syncServerEnv}/bin/paster serve ${syncServerIni}"; }; + users.extraUsers = optionalAttrs (cfg.user == "syncserver") + (singleton { + name = "syncserver"; + group = cfg.group; + isSystemUser = true; + }); + + users.extraGroups = optionalAttrs (cfg.group == "syncserver") + (singleton { + name = "syncserver"; + }); }; }