nixos/mastodon: optimize permissions
parent
424e7b0f5d
commit
4255954d97
@ -31,6 +31,22 @@ let
|
|||||||
// (if cfg.smtp.authenticate then { SMTP_LOGIN = cfg.smtp.user; } else {})
|
// (if cfg.smtp.authenticate then { SMTP_LOGIN = cfg.smtp.user; } else {})
|
||||||
// cfg.extraConfig;
|
// cfg.extraConfig;
|
||||||
|
|
||||||
|
cfgService = {
|
||||||
|
# User and group
|
||||||
|
User = cfg.user;
|
||||||
|
Group = cfg.group;
|
||||||
|
# State directory and mode
|
||||||
|
StateDirectory = "mastodon";
|
||||||
|
StateDirectoryMode = "0750";
|
||||||
|
# Logs directory and mode
|
||||||
|
LogsDirectory = "mastodon";
|
||||||
|
LogsDirectoryMode = "0750";
|
||||||
|
# Access write directories
|
||||||
|
UMask = "0027";
|
||||||
|
# Sandboxing
|
||||||
|
PrivateTmp = true;
|
||||||
|
};
|
||||||
|
|
||||||
envFile = pkgs.writeText "mastodon.env" (lib.concatMapStrings (s: s + "\n") (
|
envFile = pkgs.writeText "mastodon.env" (lib.concatMapStrings (s: s + "\n") (
|
||||||
(lib.concatLists (lib.mapAttrsToList (name: value:
|
(lib.concatLists (lib.mapAttrsToList (name: value:
|
||||||
if value != null then [
|
if value != null then [
|
||||||
@ -392,12 +408,9 @@ in {
|
|||||||
environment = env;
|
environment = env;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
User = cfg.user;
|
|
||||||
Group = cfg.group;
|
|
||||||
WorkingDirectory = cfg.package;
|
WorkingDirectory = cfg.package;
|
||||||
LogsDirectory = "mastodon";
|
} // cfgService;
|
||||||
StateDirectory = "mastodon";
|
|
||||||
};
|
|
||||||
after = [ "network.target" ];
|
after = [ "network.target" ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
};
|
};
|
||||||
@ -419,14 +432,9 @@ in {
|
|||||||
environment = env;
|
environment = env;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
User = cfg.user;
|
|
||||||
Group = cfg.group;
|
|
||||||
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
|
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
|
||||||
PrivateTmp = true;
|
|
||||||
LogsDirectory = "mastodon";
|
|
||||||
StateDirectory = "mastodon";
|
|
||||||
WorkingDirectory = cfg.package;
|
WorkingDirectory = cfg.package;
|
||||||
};
|
} // cfgService;
|
||||||
after = [ "mastodon-init-dirs.service" "network.target" ] ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []);
|
after = [ "mastodon-init-dirs.service" "network.target" ] ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []);
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
};
|
};
|
||||||
@ -445,17 +453,12 @@ in {
|
|||||||
ExecStart = "${pkgs.nodejs-slim}/bin/node streaming";
|
ExecStart = "${pkgs.nodejs-slim}/bin/node streaming";
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
RestartSec = 20;
|
RestartSec = 20;
|
||||||
User = cfg.user;
|
|
||||||
Group = cfg.group;
|
|
||||||
WorkingDirectory = cfg.package;
|
|
||||||
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
|
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
|
||||||
PrivateTmp = true;
|
WorkingDirectory = cfg.package;
|
||||||
LogsDirectory = "mastodon";
|
|
||||||
StateDirectory = "mastodon";
|
|
||||||
# Runtime directory and mode
|
# Runtime directory and mode
|
||||||
RuntimeDirectory = "mastodon-streaming";
|
RuntimeDirectory = "mastodon-streaming";
|
||||||
RuntimeDirectoryMode = "0750";
|
RuntimeDirectoryMode = "0750";
|
||||||
};
|
} // cfgService;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.mastodon-web = {
|
systemd.services.mastodon-web = {
|
||||||
@ -472,17 +475,12 @@ in {
|
|||||||
ExecStart = "${cfg.package}/bin/puma -C config/puma.rb";
|
ExecStart = "${cfg.package}/bin/puma -C config/puma.rb";
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
RestartSec = 20;
|
RestartSec = 20;
|
||||||
User = cfg.user;
|
|
||||||
Group = cfg.group;
|
|
||||||
WorkingDirectory = cfg.package;
|
|
||||||
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
|
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
|
||||||
PrivateTmp = true;
|
WorkingDirectory = cfg.package;
|
||||||
LogsDirectory = "mastodon";
|
|
||||||
StateDirectory = "mastodon";
|
|
||||||
# Runtime directory and mode
|
# Runtime directory and mode
|
||||||
RuntimeDirectory = "mastodon-web";
|
RuntimeDirectory = "mastodon-web";
|
||||||
RuntimeDirectoryMode = "0750";
|
RuntimeDirectoryMode = "0750";
|
||||||
};
|
} // cfgService;
|
||||||
path = with pkgs; [ file imagemagick ffmpeg ];
|
path = with pkgs; [ file imagemagick ffmpeg ];
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -499,14 +497,9 @@ in {
|
|||||||
ExecStart = "${cfg.package}/bin/sidekiq -c 25 -r ${cfg.package}";
|
ExecStart = "${cfg.package}/bin/sidekiq -c 25 -r ${cfg.package}";
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
RestartSec = 20;
|
RestartSec = 20;
|
||||||
User = cfg.user;
|
|
||||||
Group = cfg.group;
|
|
||||||
WorkingDirectory = cfg.package;
|
|
||||||
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
|
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
|
||||||
PrivateTmp = true;
|
WorkingDirectory = cfg.package;
|
||||||
LogsDirectory = "mastodon";
|
} // cfgService;
|
||||||
StateDirectory = "mastodon";
|
|
||||||
};
|
|
||||||
path = with pkgs; [ file imagemagick ffmpeg ];
|
path = with pkgs; [ file imagemagick ffmpeg ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
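Review bot: The `# Sandboxing` group of the new `cfgService` attrset (first hunk) holds only `PrivateTmp = true`, while the `} // cfgService` merge in every later hunk makes this the one place where the standard systemd hardening directives would reach all six units at once. A conservative set such as the one below is normally safe when systemd manages the state, logs and runtime directories as it does here, but each directive should be tried against the web, streaming, sidekiq and init units (sidekiq and web shell out to imagemagick/ffmpeg via `path`, and the long-running units need the network, so nothing like `PrivateNetwork` or `MemoryDenyWriteExecute` belongs in the shared set). Separately, `UMask = "0027"` now also applies to the oneshot that presumably creates `/var/lib/mastodon/.secrets_env` (read through `EnvironmentFile` in the later hunks); if that script relies on the umask rather than setting a mode explicitly, the secrets file ends up group-readable by every member of `cfg.group`, so an explicit `chmod 0600` there is worth confirming. Since `//` is right-biased, the `cfgService` keys silently win over anything a unit sets itself, which deserves a comment above the attrset such as `# Shared serviceConfig, merged last into every unit: these keys override per-unit values.`
```nix
      # Sandboxing
      PrivateTmp = true;
      NoNewPrivileges = true;
      PrivateDevices = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictSUIDSGID = true;
      # … unchanged: user/group, directory and UMask settings above …
```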