public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #79248 from flokli/run-keys-group

Browse Source 
nixos/filesystems: ensure keys gid on /run/keys mountpoint
This commit is contained in:
Franz Pletz 2020-02-08 14:52:20 +00:00 committed by GitHub
commit 64ece8cc9c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
nixos/modules/tasks/filesystems.nix
View File

@ -304,6 +304,10 @@ in
in listToAttrs (map formatDevice (filter (fs: fs.autoFormat) fileSystems)); in listToAttrs (map formatDevice (filter (fs: fs.autoFormat) fileSystems));
systemd.tmpfiles.rules = [
"Z /run/keys 0750 root ${toString config.ids.gids.keys}"
];
# Sync mount options with systemd's src/core/mount-setup.c: mount_table. # Sync mount options with systemd's src/core/mount-setup.c: mount_table.
boot.specialFileSystems = { boot.specialFileSystems = {
"/proc" = { fsType = "proc"; options = [ "nosuid" "noexec" "nodev" ]; }; "/proc" = { fsType = "proc"; options = [ "nosuid" "noexec" "nodev" ]; };
@ -312,8 +316,8 @@ in
"/dev/shm" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=1777" "size=${config.boot.devShmSize}" ]; }; "/dev/shm" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=1777" "size=${config.boot.devShmSize}" ]; };
"/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "ptmxmode=0666" "gid=${toString config.ids.gids.tty}" ]; }; "/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "ptmxmode=0666" "gid=${toString config.ids.gids.tty}" ]; };
# To hold secrets that shouldn't be written to disk (generally used for NixOps, harmless elsewhere) # To hold secrets that shouldn't be written to disk
"/run/keys" = { fsType = "ramfs"; options = [ "nosuid" "nodev" "mode=750" "gid=${toString config.ids.gids.keys}" ]; }; "/run/keys" = { fsType = "ramfs"; options = [ "nosuid" "nodev" "mode=750" ]; };
} // optionalAttrs (!config.boot.isContainer) { } // optionalAttrs (!config.boot.isContainer) {
# systemd-nspawn populates /sys by itself, and remounting it causes all # systemd-nspawn populates /sys by itself, and remounting it causes all
# kinds of weird issues (most noticeably, waiting for host disk device # kinds of weird issues (most noticeably, waiting for host disk device