ddclient nixos module: follow best practice for running daemons

Couple of changes: - move home to /var/lib/ddclient so we can enable ProtectSystem=full - do not stick binary into systemPackages as it will only run as a daemon - run as dedicated user/group - document why we cannot run as type=forking (output is swallowed) - secure things by running with ProtectSystem and PrivateTmp - .pid file goes into /run/ddclient - let nix create the home directory instead of handling it manually - make the interval configurable
2017-08-13 21:46:13 +08:00 · 2017-08-13 21:46:13 +08:00 · 4ce76d9e1a
commit 4ce76d9e1a
parent d4f4f418b3
1 changed files with 55 additions and 43 deletions
--- a/nixos/modules/services/networking/ddclient.nix
+++ b/nixos/modules/services/networking/ddclient.nix
@ -1,17 +1,33 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.ddclient;
  boolToStr = bool: if bool then "yes" else "no";
-  inherit (lib) mkOption mkIf singleton;
+  configText = ''
-  inherit (pkgs) ddclient;
+    # This file can be used as a template for configFile or is automatically generated by Nix options.
-
+    daemon=${toString cfg.interval}
-  stateDir = "/var/spool/ddclient";
+    cache=${cfg.homeDir}/ddclient.cache
-  ddclientUser = "ddclient";
+    pid=/run/ddclient/ddclient.pid
-  ddclientFlags = "-foreground -file ${config.services.ddclient.configFile}";
+    foreground=NO
-  ddclientPIDFile = "${stateDir}/ddclient.pid";
+    use=${cfg.use}
    login=${cfg.username}
    password=${cfg.password}
    protocol=${cfg.protocol}
    ${let server = cfg.server; in
      lib.optionalString (server != "") "server=${server}"}
    ssl=${boolToStr cfg.ssl}
    wildcard=YES
    quiet=${boolToStr cfg.quiet}
    verbose=${boolToStr cfg.verbose}
    ${cfg.domain}
    ${cfg.extraConfig}
  '';
 in
 with lib;
 {
  ###### interface
@ -28,6 +44,12 @@ in
        '';
      };
      homeDir = mkOption {
        default = "/var/lib/ddclient";
        type = str;
        description = "Home directory for the daemon user.";
      };
      domain = mkOption {
        default = "";
        type = str;
@ -52,6 +74,12 @@ in
        '';
      };
      interval = mkOption {
        default = 600;
        type = int;
        description = "The interval at which to run the check and update.";
      };
      configFile = mkOption {
        default = "/etc/ddclient.conf";
        type = path;
@ -126,37 +154,24 @@ in
  config = mkIf config.services.ddclient.enable {
-    environment.systemPackages = [ ddclient ];
+    users = {
      extraGroups.ddclient.gid = config.ids.gids.ddclient;
-    users.extraUsers = singleton {
+      extraUsers.ddclient = {
      name = ddclientUser;
        uid = config.ids.uids.ddclient;
        description = "ddclient daemon user";
-      home = stateDir;
+        group = "ddclient";
        home = cfg.homeDir;
        createHome = true;
      };
    };
    environment.etc."ddclient.conf" = {
-      enable = config.services.ddclient.configFile == "/etc/ddclient.conf";
+      enable = cfg.configFile == "/etc/ddclient.conf";
      uid = config.ids.uids.ddclient;
      gid = config.ids.gids.ddclient;
      mode = "0600";
-      text = ''
+      text = configText;
        # This file can be used as a template for configFile or is automatically generated by Nix options.
        daemon=600
        cache=${stateDir}/ddclient.cache
        pid=${ddclientPIDFile}
        use=${config.services.ddclient.use}
        login=${config.services.ddclient.username}
        password=${config.services.ddclient.password}
        protocol=${config.services.ddclient.protocol}
        ${let server = config.services.ddclient.server; in
          lib.optionalString (server != "") "server=${server}"}
        ssl=${if config.services.ddclient.ssl then "yes" else "no"}
        wildcard=YES
        quiet=${if config.services.ddclient.quiet then "yes" else "no"}
        verbose=${if config.services.ddclient.verbose then "yes" else "no"}
        ${config.services.ddclient.domain}
        ${config.services.ddclient.extraConfig}
      '';
    };
    systemd.services.ddclient = {
@ -166,17 +181,14 @@ in
      restartTriggers = [ config.environment.etc."ddclient.conf".source ];
      serviceConfig = {
-        # Uncomment this if too many problems occur:
+        RuntimeDirectory = "ddclient";
-        # Type = "forking";
+        # we cannot run in forking mode as it swallows all the program output
-        User = ddclientUser;
+        Type = "simple";
-        Group = "nogroup"; #TODO get this to work
+        User = "ddclient";
-        PermissionsStartOnly = "true";
+        Group = "ddclient";
-        PIDFile = ddclientPIDFile;
+        ExecStart = "${lib.getBin pkgs.ddclient}/bin/ddclient -foreground -file ${cfg.configFile}";
-        ExecStartPre = ''
+        ProtectSystem = "full";
-          ${pkgs.stdenv.shell} -c "${pkgs.coreutils}/bin/mkdir -m 0755 -p ${stateDir} && ${pkgs.coreutils}/bin/chown ${ddclientUser} ${stateDir}"
+        PrivateTmp = true;
        '';
        ExecStart = "${ddclient}/bin/ddclient ${ddclientFlags}";
        #ExecStartPost = "${pkgs.coreutils}/bin/rm -r ${stateDir}"; # Should we have this?
      };
    };
  };