public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixpkgs/nixos/modules/services/web-servers/unit/default.nix

154 lines
4.6 KiB
Nix
Raw Normal View History

nixos/unit: init service unit
2019-02-25 17:08:01 +03:00
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.unit;
configFile = pkgs.writeText "unit.json" cfg.config;
in {
options = {
services.unit = {
enable = mkEnableOption "Unit App Server";
package = mkOption {
type = types.package;
default = pkgs.unit;
defaultText = "pkgs.unit";
description = "Unit package to use.";
};
user = mkOption {
type = types.str;
default = "unit";
description = "User account under which unit runs.";
};
group = mkOption {
type = types.str;
default = "unit";
description = "Group account under which unit runs.";
};
stateDir = mkOption {
default = "/var/spool/unit";
description = "Unit data directory.";
};
logDir = mkOption {
default = "/var/log/unit";
description = "Unit log directory.";
};
config = mkOption {
type = types.str;
default = ''
{
"listeners": {},
"applications": {}
}
'';
example = literalExample ''
{
"listeners": {
"*:8300": {
"application": "example-php-72"
}
},
"applications": {
"example-php-72": {
"type": "php 7.2",
"processes": 4,
"user": "nginx",
"group": "nginx",
"root": "/var/www",
"index": "index.php",
"options": {
"file": "/etc/php.d/default.ini",
"admin": {
"max_execution_time": "30",
"max_input_time": "30",
"display_errors": "off",
"display_startup_errors": "off",
"open_basedir": "/dev/urandom:/proc/cpuinfo:/proc/meminfo:/etc/ssl/certs:/var/www",
"disable_functions": "exec,passthru,shell_exec,system"
}
}
}
}
}
'';
description = "Unit configuration in JSON format. More details here https://unit.nginx.org/configuration";
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
"d '${cfg.logDir}' 0750 ${cfg.user} ${cfg.group} - -"
nixos/unit: enable sanboxing
2019-12-09 21:03:48 +03:00
];
nixos/unit: init service unit
2019-02-25 17:08:01 +03:00
systemd.services.unit = {
description = "Unit App Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
nixos/unit: fix starting service
2020-04-14 14:04:04 +03:00
[ ! -e '${cfg.stateDir}/conf.json' ] || rm -f '${cfg.stateDir}/conf.json'
nixos/unit: init service unit
2019-02-25 17:08:01 +03:00
'';
postStart = ''
nixos/unit: fix starting service
2020-04-14 14:04:04 +03:00
${pkgs.curl}/bin/curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'
nixos/unit: init service unit
2019-02-25 17:08:01 +03:00
'';
serviceConfig = {
nixos/unit: fix starting service
2020-04-14 14:04:04 +03:00
Type = "forking";
PIDFile = "/run/unit/unit.pid";
nixos/unit: init service unit
2019-02-25 17:08:01 +03:00
ExecStart = ''
${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \
nixos/unit: add 'tmp' directory
2020-07-17 19:14:39 +03:00
--log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' --tmp '/tmp' \
nixos/unit: init service unit
2019-02-25 17:08:01 +03:00
--user ${cfg.user} --group ${cfg.group}
'';
nixos/unit: fix starting service
2020-04-14 14:04:04 +03:00
ExecStop = ''
${pkgs.curl}/bin/curl -X DELETE --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'
'';
nixos/unit: update sandboxing mode
2020-04-14 16:07:30 +03:00
# Runtime directory and mode
RuntimeDirectory = "unit";
RuntimeDirectoryMode = "0750";
# Access write directories
ReadWritePaths = [ cfg.stateDir cfg.logDir ];
nixos/unit: enable sanboxing
2019-12-09 21:03:48 +03:00
# Security
NoNewPrivileges = true;
nixos/unit: fix typo
2019-12-28 22:12:45 +03:00
# Sandboxing
nixos/unit: update sandboxing mode
2020-04-14 16:07:30 +03:00
ProtectSystem = "strict";
nixos/unit: enable sanboxing
2019-12-09 21:03:48 +03:00
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
nixos/unit: update sandboxing options
2020-08-15 11:13:44 +03:00
PrivateUsers = false;
nixos/unit: enable sanboxing
2019-12-09 21:03:48 +03:00
ProtectHostname = true;
nixos/unit: update sandboxing options
2020-08-15 11:13:44 +03:00
ProtectClock = true;
nixos/unit: enable sanboxing
2019-12-09 21:03:48 +03:00
ProtectKernelTunables = true;
ProtectKernelModules = true;
nixos/unit: update sandboxing options
2020-08-15 11:13:44 +03:00
ProtectKernelLogs = true;
nixos/unit: enable sanboxing
2019-12-09 21:03:48 +03:00
ProtectControlGroups = true;
nixos/unit: update sandboxing mode
2020-04-14 16:07:30 +03:00
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
nixos/unit: enable sanboxing
2019-12-09 21:03:48 +03:00
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
nixos/unit: update sandboxing mode
2020-04-14 16:07:30 +03:00
RestrictSUIDSGID = true;
nixos/unit: enable sanboxing
2019-12-09 21:03:48 +03:00
PrivateMounts = true;
nixos/unit: update sandboxing mode
2020-04-14 16:07:30 +03:00
# System Call Filtering
SystemCallArchitectures = "native";
nixos/unit: init service unit
2019-02-25 17:08:01 +03:00
};
};
treewide: use attrs instead of list for types.loaOf options
2019-09-14 19:51:29 +02:00
users.users = optionalAttrs (cfg.user == "unit") {
nixos/unit: fix attrs
2020-01-23 20:39:33 +03:00
unit = {
group = cfg.group;
isSystemUser = true;
};
treewide: use attrs instead of list for types.loaOf options
2019-09-14 19:51:29 +02:00
};
users.groups = optionalAttrs (cfg.group == "unit") {
unit = { };
};
nixos/unit: init service unit
2019-02-25 17:08:01 +03:00
};
}
Reference in New Issue Copy Permalink