dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #126058 from talyz/geoip-fixes

Browse Source 
nixos/geoipupdater: Fix initial setup, add stricter security, fix a filename
This commit is contained in:
Kim Lindberger 2021-07-02 14:30:49 +02:00 committed by GitHub
commit 90ed906797
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 46 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
nixos/modules/services/misc/geoipupdate.nix
View File

@ -99,9 +99,22 @@ in
LockFile = "/run/geoipupdate/.lock"; LockFile = "/run/geoipupdate/.lock";
}; };
systemd.services.geoipupdate-create-db-dir = {
serviceConfig.Type = "oneshot";
script = ''
mkdir -p ${cfg.settings.DatabaseDirectory}
chmod 0755 ${cfg.settings.DatabaseDirectory}
'';
};
systemd.services.geoipupdate = { systemd.services.geoipupdate = {
description = "GeoIP Updater"; description = "GeoIP Updater";
after = [ "network-online.target" "nss-lookup.target" ]; requires = [ "geoipupdate-create-db-dir.service" ];
after = [
"geoipupdate-create-db-dir.service"
"network-online.target"
"nss-lookup.target"
];
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
startAt = cfg.interval; startAt = cfg.interval;
serviceConfig = { serviceConfig = {
@ -119,11 +132,9 @@ in
}; };
}; };
geoipupdateConf = pkgs.writeText "discourse.conf" (geoipupdateKeyValue cfg.settings); geoipupdateConf = pkgs.writeText "geoipupdate.conf" (geoipupdateKeyValue cfg.settings);
script = '' script = ''
mkdir -p "${cfg.settings.DatabaseDirectory}"
chmod 755 "${cfg.settings.DatabaseDirectory}"
chown geoip "${cfg.settings.DatabaseDirectory}" chown geoip "${cfg.settings.DatabaseDirectory}"
cp ${geoipupdateConf} /run/geoipupdate/GeoIP.conf cp ${geoipupdateConf} /run/geoipupdate/GeoIP.conf
@ -139,7 +150,38 @@ in
ReadWritePaths = cfg.settings.DatabaseDirectory; ReadWritePaths = cfg.settings.DatabaseDirectory;
RuntimeDirectory = "geoipupdate"; RuntimeDirectory = "geoipupdate";
RuntimeDirectoryMode = 0700; RuntimeDirectoryMode = 0700;
CapabilityBoundingSet = "";
PrivateDevices = true;
PrivateMounts = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictRealtime = true;
RestrictNamespaces = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
SystemCallArchitectures = "native";
};
};
systemd.timers.geoipupdate-initial-run = {
wantedBy = [ "timers.target" ];
unitConfig.ConditionPathExists = "!${cfg.settings.DatabaseDirectory}";
timerConfig = {
Unit = "geoipupdate.service";
OnActiveSec = 0;
}; };
}; };
}; };
meta.maintainers = [ lib.maintainers.talyz ];
} }