b12f/nixpkgs
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Merge pull request #178154 from aanderse/nixos/prosody

Browse source 
nixos/prosody: conditionally provision required directories with StateDirectory
This commit is contained in:
Aaron Andersen 2022-06-26 22:45:18 +02:00 committed by GitHub
parent 50fdd2d827 078a53824e
commit 28562b800e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 51 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

77
nixos/modules/services/networking/prosody.nix
View file

@ -511,8 +511,13 @@ in
dataDir = mkOption {
type = types.path;
description = "Directory where Prosody stores its data";
default = "/var/lib/prosody";
description = ''
The prosody home directory used to store all data. If left as the default value
this directory will automatically be created before the prosody server starts, otherwise
you are responsible for ensuring the directory exists with appropriate ownership
and permissions.
'';
};
disco_items = mkOption {
@ -524,13 +529,29 @@ in
user = mkOption {
type = types.str;
default = "prosody";
description = "User account under which prosody runs.";
description = ''
User account under which prosody runs.
<note><para>
If left as the default value this user will automatically be created
on system activation, otherwise you are responsible for
ensuring the user exists before the prosody service starts.
</para></note>
'';
};
group = mkOption {
type = types.str;
default = "prosody";
description = "Group account under which prosody runs.";
description = ''
Group account under which prosody runs.
<note><para>
If left as the default value this group will automatically be created
on system activation, otherwise you are responsible for
ensuring the group exists before the prosody service starts.
</para></note>
'';
};
allowRegistration = mkOption {
@ -839,9 +860,8 @@ in
users.users.prosody = mkIf (cfg.user == "prosody") {
uid = config.ids.uids.prosody;
description = "Prosody user";
createHome = true;
inherit (cfg) group;
home = "${cfg.dataDir}";
home = cfg.dataDir;
};
users.groups.prosody = mkIf (cfg.group == "prosody") {
@ -854,28 +874,33 @@ in
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."prosody/prosody.cfg.lua".source ];
serviceConfig = {
User = cfg.user;
Group = cfg.group;
Type = "forking";
RuntimeDirectory = [ "prosody" ];
PIDFile = "/run/prosody/prosody.pid";
ExecStart = "${cfg.package}/bin/prosodyctl start";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
serviceConfig = mkMerge [
{
User = cfg.user;
Group = cfg.group;
Type = "forking";
RuntimeDirectory = [ "prosody" ];
PIDFile = "/run/prosody/prosody.pid";
ExecStart = "${cfg.package}/bin/prosodyctl start";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
MemoryDenyWriteExecute = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
};
MemoryDenyWriteExecute = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
}
(mkIf (cfg.dataDir == "/var/lib/prosody") {
StateDirectory = "prosody";
})
];
};
};