diff --git a/nixos/doc/manual/release-notes/rl-1709.xml b/nixos/doc/manual/release-notes/rl-1709.xml
index a32f9963d1c5..90d7bd4b550b 100644
--- a/nixos/doc/manual/release-notes/rl-1709.xml
+++ b/nixos/doc/manual/release-notes/rl-1709.xml
@@ -154,6 +154,14 @@ rmdir /var/lib/ipfs/.ipfs
variables as parameters.
+
+
+ services.firefox.syncserver now runs by default as a
+ non-root user. To accomodate this change, the default sqlite database
+ location has also been changed. Migration should work automatically.
+ Refer to the description of the options for more details.
+
+
Other notable improvements:
diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix
index c1a14931429a..a9f3fd65d76b 100644
--- a/nixos/modules/services/networking/firefox/sync-server.nix
+++ b/nixos/modules/services/networking/firefox/sync-server.nix
@@ -4,6 +4,10 @@ with lib;
let
cfg = config.services.firefox.syncserver;
+
+ defaultDbLocation = "/var/db/firefox-sync-server/firefox-sync-server.db";
+ defaultSqlUri = "sqlite:///${defaultDbLocation}";
+
syncServerIni = pkgs.writeText "syncserver.ini" ''
[DEFAULT]
overrides = ${cfg.privateConfig}
@@ -25,6 +29,7 @@ let
backend = tokenserver.verifiers.LocalVerifier
audiences = ${removeSuffix "/" cfg.publicUrl}
'';
+
in
{
@@ -65,6 +70,18 @@ in
'';
};
+ user = mkOption {
+ type = types.str;
+ default = "syncserver";
+ description = "User account under which syncserver runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "syncserver";
+ description = "Group account under which syncserver runs.";
+ };
+
publicUrl = mkOption {
type = types.str;
default = "http://localhost:5000/";
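Review bot: The `user` and `group` descriptions do not say that the account is created only when the value is left at `syncserver`, which is what the `optionalAttrs (cfg.user == "syncserver")` and `optionalAttrs (cfg.group == "syncserver")` guards later in this file do. An administrator who sets another name gets a unit whose `User=`/`Group=` may not exist. I would extend the descriptions, e.g. `description = "User account under which syncserver runs. The account is created automatically only when left at the default; any other user must already exist.";` and the matching sentence for `group`.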
@@ -85,7 +102,7 @@ in
sqlUri = mkOption {
type = types.str;
- default = "sqlite:////var/db/firefox-sync-server.db";
+ default = defaultSqlUri;
example = "postgresql://scott:tiger@localhost/test";
description = ''
The location of the database. This URL is composed of
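Review bot: The `sqlUri` description is not updated by this commit, although the release note tells readers to refer to the option descriptions for details of the migration. The text should state that the state directory is created and chowned, and the old `/var/db/firefox-sync-server.db` moved, only while `sqlUri` equals the default. For any other sqlite path the operator has to make the location writable for the service user, since the service no longer runs as root. Something like `The database directory is only created and migrated automatically for the default value; a custom sqlite path must be writable by the service user.` would cover it. The description body continues outside this hunk.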
@@ -126,16 +143,45 @@ in
description = "Firefox Sync Server";
wantedBy = [ "multi-user.target" ];
path = [ pkgs.coreutils syncServerEnv ];
+
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+ PermissionsStartOnly = true;
+ };
+
preStart = ''
if ! test -e ${cfg.privateConfig}; then
- umask u=rwx,g=x,o=x
- mkdir -p $(dirname ${cfg.privateConfig})
+ mkdir -m 700 -p $(dirname ${cfg.privateConfig})
echo > ${cfg.privateConfig} '[syncserver]'
echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')"
fi
+ chown ${cfg.user}:${cfg.group} ${cfg.privateConfig}
+ '' + optionalString (cfg.sqlUri == defaultSqlUri) ''
+ if ! test -e $(dirname ${defaultDbLocation}); then
+ mkdir -m 700 -p $(dirname ${defaultDbLocation})
+ chown ${cfg.user}:${cfg.group} $(dirname ${defaultDbLocation})
+ fi
+ # Move previous database file if it exists
+ oldDb="/var/db/firefox-sync-server.db"
+ if test -f $oldDb; then
+ mv $oldDb ${defaultDbLocation}
+ chown ${cfg.user}:${cfg.group} ${defaultDbLocation}
+ fi
'';
serviceConfig.ExecStart = "${syncServerEnv}/bin/paster serve ${syncServerIni}";
};
+ users.extraUsers = optionalAttrs (cfg.user == "syncserver")
+ (singleton {
+ name = "syncserver";
+ group = cfg.group;
+ isSystemUser = true;
+ });
+
+ users.extraGroups = optionalAttrs (cfg.group == "syncserver")
+ (singleton {
+ name = "syncserver";
+ });
};
}
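Review bot: Dropping the `umask u=rwx,g=x,o=x` line in `preStart` leaves the mode of the generated secret file to the inherited umask. With systemd's default `UMask` of 0022, the `echo >` redirections would create `${cfg.privateConfig}` as 0644, so the secret is protected only if its directory was freshly created by the `mkdir -m 700`; `-m` does not change a directory that already exists. That same `-m 700` also appears to break fresh installs: `PermissionsStartOnly = true` makes `preStart` run as root, so the new directory is root-owned and 0700, and only the file is chowned, which means `cfg.user` likely cannot traverse to its own config unless something outside this hunk adjusts the directory. Keeping the removed `umask u=rwx,g=x,o=x` line and using plain `mkdir -p` would give a 0711 directory and a 0600 file, which the later `chown` then hands to the service user. The service definition starts outside this hunk.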