firefox syncserver service: run as non-root user by default
parent
c06fb4a269
commit
69a4836df5
2 changed files with 57 additions and 3 deletions
|
@ -154,6 +154,14 @@ rmdir /var/lib/ipfs/.ipfs
|
||||||
variables as parameters.
|
variables as parameters.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
<literal>services.firefox.syncserver</literal> now runs by default as a
|
||||||
|
non-root user. To accomodate this change, the default sqlite database
|
||||||
|
location has also been changed. Migration should work automatically.
|
||||||
|
Refer to the description of the options for more details.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>Other notable improvements:</para>
|
<para>Other notable improvements:</para>
|
||||||
|
|
|
@ -4,6 +4,10 @@ with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.services.firefox.syncserver;
|
cfg = config.services.firefox.syncserver;
|
||||||
|
|
||||||
|
defaultDbLocation = "/var/db/firefox-sync-server/firefox-sync-server.db";
|
||||||
|
defaultSqlUri = "sqlite:///${defaultDbLocation}";
|
||||||
|
|
||||||
syncServerIni = pkgs.writeText "syncserver.ini" ''
|
syncServerIni = pkgs.writeText "syncserver.ini" ''
|
||||||
[DEFAULT]
|
[DEFAULT]
|
||||||
overrides = ${cfg.privateConfig}
|
overrides = ${cfg.privateConfig}
|
||||||
|
@ -25,6 +29,7 @@ let
|
||||||
backend = tokenserver.verifiers.LocalVerifier
|
backend = tokenserver.verifiers.LocalVerifier
|
||||||
audiences = ${removeSuffix "/" cfg.publicUrl}
|
audiences = ${removeSuffix "/" cfg.publicUrl}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -65,6 +70,18 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
user = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "syncserver";
|
||||||
|
description = "User account under which syncserver runs.";
|
||||||
|
};
|
||||||
|
|
||||||
|
group = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "syncserver";
|
||||||
|
description = "Group account under which syncserver runs.";
|
||||||
|
};
|
||||||
|
|
||||||
publicUrl = mkOption {
|
publicUrl = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "http://localhost:5000/";
|
default = "http://localhost:5000/";
|
||||||
|
@ -85,7 +102,7 @@ in
|
||||||
|
|
||||||
sqlUri = mkOption {
|
sqlUri = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "sqlite:////var/db/firefox-sync-server.db";
|
default = defaultSqlUri;
|
||||||
example = "postgresql://scott:tiger@localhost/test";
|
example = "postgresql://scott:tiger@localhost/test";
|
||||||
description = ''
|
description = ''
|
||||||
The location of the database. This URL is composed of
|
The location of the database. This URL is composed of
|
||||||
|
@ -126,16 +143,45 @@ in
|
||||||
description = "Firefox Sync Server";
|
description = "Firefox Sync Server";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
path = [ pkgs.coreutils syncServerEnv ];
|
path = [ pkgs.coreutils syncServerEnv ];
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
User = cfg.user;
|
||||||
|
Group = cfg.group;
|
||||||
|
PermissionsStartOnly = true;
|
||||||
|
};
|
||||||
|
|
||||||
preStart = ''
|
preStart = ''
|
||||||
if ! test -e ${cfg.privateConfig}; then
|
if ! test -e ${cfg.privateConfig}; then
|
||||||
umask u=rwx,g=x,o=x
|
mkdir -m 700 -p $(dirname ${cfg.privateConfig})
|
||||||
mkdir -p $(dirname ${cfg.privateConfig})
|
|
||||||
echo > ${cfg.privateConfig} '[syncserver]'
|
echo > ${cfg.privateConfig} '[syncserver]'
|
||||||
echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')"
|
echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')"
|
||||||
fi
|
fi
|
||||||
|
chown ${cfg.user}:${cfg.group} ${cfg.privateConfig}
|
||||||
|
'' + optionalString (cfg.sqlUri == defaultSqlUri) ''
|
||||||
|
if ! test -e $(dirname ${defaultDbLocation}); then
|
||||||
|
mkdir -m 700 -p $(dirname ${defaultDbLocation})
|
||||||
|
chown ${cfg.user}:${cfg.group} $(dirname ${defaultDbLocation})
|
||||||
|
fi
|
||||||
|
# Move previous database file if it exists
|
||||||
|
oldDb="/var/db/firefox-sync-server.db"
|
||||||
|
if test -f $oldDb; then
|
||||||
|
mv $oldDb ${defaultDbLocation}
|
||||||
|
chown ${cfg.user}:${cfg.group} ${defaultDbLocation}
|
||||||
|
fi
|
||||||
'';
|
'';
|
||||||
serviceConfig.ExecStart = "${syncServerEnv}/bin/paster serve ${syncServerIni}";
|
serviceConfig.ExecStart = "${syncServerEnv}/bin/paster serve ${syncServerIni}";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.extraUsers = optionalAttrs (cfg.user == "syncserver")
|
||||||
|
(singleton {
|
||||||
|
name = "syncserver";
|
||||||
|
group = cfg.group;
|
||||||
|
isSystemUser = true;
|
||||||
|
});
|
||||||
|
|
||||||
|
users.extraGroups = optionalAttrs (cfg.group == "syncserver")
|
||||||
|
(singleton {
|
||||||
|
name = "syncserver";
|
||||||
|
});
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
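Review bot: In the preStart hunk, the secret written to `${cfg.privateConfig}` appears to lose the `umask u=rwx,g=x,o=x` line that the old side carried, so as far as this rendering shows the file is created with the unit's ambient umask and depends on its parent directory alone for confidentiality. `mkdir -m 700 -p` applies the mode only to a directory it actually creates, so a pre-existing, more permissive directory would leave the secret readable by other local accounts. When the directory is newly created it is root-owned with mode 700 (preStart runs as root because of `PermissionsStartOnly = true`) and only the file is chowned, so the `cfg.user` process may be unable to traverse to its own config. I would add `umask 077` before the `echo >` line and `chown ${cfg.user}:${cfg.group} $(dirname ${cfg.privateConfig})` beside the existing chown, matching what the database branch already does for its directory.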