diff --git a/nixos/modules/services/network-filesystems/ipfs.nix b/nixos/modules/services/network-filesystems/ipfs.nix
index 17da020bf3e..655785b99d8 100644
--- a/nixos/modules/services/network-filesystems/ipfs.nix
+++ b/nixos/modules/services/network-filesystems/ipfs.nix
@@ -239,7 +239,10 @@ in
 "d '${cfg.ipnsMountDir}' - ${cfg.user} ${cfg.group} - -"
 ];
- systemd.packages = [ cfg.package ];
+ # The hardened systemd unit breaks the fuse-mount function according to documentation in the unit file itself
+ systemd.packages = if cfg.autoMount
+ then [ cfg.package.systemd_unit ]
+ else [ cfg.package.systemd_unit_hardened ];
 systemd.services.ipfs = {
 path = [ "/run/wrappers" cfg.package ];
@@ -275,6 +278,8 @@ in
 ExecStart = [ "" "${cfg.package}/bin/ipfs daemon ${ipfsFlags}" ];
 User = cfg.user;
 Group = cfg.group;
+ StateDirectory = "";
+ ReadWritePaths = [ "" cfg.dataDir ];
 } // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; };
 } // optionalAttrs (!cfg.startWhenNeeded) {
 wantedBy = [ "default.target" ];
diff --git a/nixos/tests/ipfs.nix b/nixos/tests/ipfs.nix
index f8683b0a858..5e7c967028e 100644
--- a/nixos/tests/ipfs.nix
+++ b/nixos/tests/ipfs.nix
@@ -10,6 +10,7 @@ import ./make-test-python.nix ({ pkgs, ...} : {
 # Also will add a unix domain socket socket API address, see module.
 startWhenNeeded = true;
 apiAddress = "/ip4/127.0.0.1/tcp/2324";
+ dataDir = "/mnt/ipfs";
 };
 };
@@ -35,5 +36,9 @@ import ./make-test-python.nix ({ pkgs, ...} : {
 machine.succeed(
 f"ipfs --api /unix/run/ipfs.sock cat /ipfs/{ipfs_hash.strip()} | grep fnord2"
 )
+
+ # Test if setting dataDir works properly with the hardened systemd unit
+ machine.succeed("test -e /mnt/ipfs/config")
+ machine.succeed("test ! -e /var/lib/ipfs/")
 '';
 })
diff --git a/pkgs/applications/networking/ipfs/default.nix b/pkgs/applications/networking/ipfs/default.nix
index 2cceddf0bd7..f6285ae59be 100644
--- a/pkgs/applications/networking/ipfs/default.nix
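Review bot: Selecting the non-hardened unit whenever `cfg.autoMount` is set silently removes the upstream sandboxing for anyone who enables FUSE mounts; the comment above `systemd.packages` records the reason, but nothing surfaces the trade-off at evaluation time. A warning next to the assignment, e.g. `warnings = lib.optional cfg.autoMount "services.ipfs.autoMount selects the unhardened upstream ipfs.service; the sandboxing of ipfs-hardened.service is not applied";` (assuming `lib` is in scope as `optionalAttrs` is), together with a sentence in the `autoMount` option description outside this hunk, would make the downgrade visible to operators. The comment itself is a single very long line and would read better wrapped to the file's width.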
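Review bot: The `StateDirectory = ""` and `ReadWritePaths = [ "" cfg.dataDir ]` overrides in `serviceConfig` are unconditional and uncommented, although they only matter when the hardened unit is selected, and the empty-string entries discard whatever the upstream unit declares for those settings (the unit's own directives are not visible in this diff). With `StateDirectory` cleared, systemd no longer creates or owns the data directory, so the module now relies entirely on its tmpfiles rule for `cfg.dataDir`, which appears in the context of the previous hunk; that dependency is worth stating. Suggest `# Drop the upstream StateDirectory/ReadWritePaths so the hardened sandbox grants write access only to cfg.dataDir, which the tmpfiles rule above creates.` above `StateDirectory`. The enclosing `serviceConfig` attribute set starts outside the hunk.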
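Review bot: The new assertions only cover the hardened-unit path: this test does not set `services.ipfs.autoMount`, so the branch of `systemd.packages` that falls back to `cfg.package.systemd_unit` is never exercised (the default of `autoMount` is not visible in this diff). A second machine or a follow-up test with `autoMount = true` that checks the daemon still starts and that the mount directories appear would cover the branch that deliberately runs without the sandbox. The comment `# Test if setting dataDir works properly with the hardened systemd unit` could also name what the negative check `test ! -e /var/lib/ipfs/` is meant to prove, namely that the cleared `StateDirectory` no longer creates the default path.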
+++ b/pkgs/applications/networking/ipfs/default.nix
@@ -29,15 +29,23 @@ buildGoModule rec {
 vendorSha256 = null;
+ outputs = [ "out" "systemd_unit" "systemd_unit_hardened" ];
+
+ postPatch = ''
+ substituteInPlace 'misc/systemd/ipfs.service' \
+ --replace '/usr/bin/ipfs' "$out/bin/ipfs"
+ substituteInPlace 'misc/systemd/ipfs-hardened.service' \
+ --replace '/usr/bin/ipfs' "$out/bin/ipfs"
+ '';
+
+ postInstall = ''
- install --mode=444 -D misc/systemd/ipfs.service $out/etc/systemd/system/ipfs.service
- install --mode=444 -D misc/systemd/ipfs-hardened.service $out/etc/systemd/system/ipfs-hardened.service
- install --mode=444 -D misc/systemd/ipfs-api.socket $out/etc/systemd/system/ipfs-api.socket
- install --mode=444 -D misc/systemd/ipfs-gateway.socket $out/etc/systemd/system/ipfs-gateway.socket
- substituteInPlace $out/etc/systemd/system/ipfs.service \
- --replace /usr/bin/ipfs $out/bin/ipfs
- substituteInPlace $out/etc/systemd/system/ipfs-hardened.service \
- --replace /usr/bin/ipfs $out/bin/ipfs
+ install --mode=444 -D 'misc/systemd/ipfs-api.socket' "$systemd_unit/etc/systemd/system/ipfs-api.socket"
+ install --mode=444 -D 'misc/systemd/ipfs-gateway.socket' "$systemd_unit/etc/systemd/system/ipfs-gateway.socket"
+ install --mode=444 -D 'misc/systemd/ipfs.service' "$systemd_unit/etc/systemd/system/ipfs.service"
+
+ install --mode=444 -D 'misc/systemd/ipfs-api.socket' "$systemd_unit_hardened/etc/systemd/system/ipfs-api.socket"
+ install --mode=444 -D 'misc/systemd/ipfs-gateway.socket' "$systemd_unit_hardened/etc/systemd/system/ipfs-gateway.socket"
+ install --mode=444 -D 'misc/systemd/ipfs-hardened.service' "$systemd_unit_hardened/etc/systemd/system/ipfs.service"
 '';
 meta = with lib; {
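Review bot: The hardened output installs `misc/systemd/ipfs-hardened.service` under the name `ipfs.service`, so the two outputs differ only in the contents of a unit with the same name; that rename is what lets the module override a single `systemd.services.ipfs`, but nothing in the expression says so. Suggest `# Both outputs ship the unit as ipfs.service so the NixOS module can override one unit name; only systemd_unit_hardened carries the sandboxed upstream unit.` above the first `install` line of `postInstall`. The `substituteInPlace ... --replace` calls in `postPatch` succeed silently if `/usr/bin/ipfs` ever disappears from the upstream unit files, which would leave an `ExecStart` pointing outside the store; a check such as `grep -q "$out/bin/ipfs" misc/systemd/ipfs.service misc/systemd/ipfs-hardened.service` after the substitutions would fail the build instead.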