nixos: add services.rsyncd.socketActivated option

Define systemd-socket activation using the upstream configuration files as a reference. The "rsyncd" systemd unit has been renamed to "rsync" for consistency with upstream.
2021-01-26 11:12:20 +01:00 · 2021-01-26 11:12:20 +01:00 · f32d7e4e03
parent 750510ee7c
commit f32d7e4e03
2 changed files with 80 additions and 19 deletions
--- a/nixos/modules/services/network-filesystems/rsyncd.nix
+++ b/nixos/modules/services/network-filesystems/rsyncd.nix
@ -46,6 +46,13 @@ in {
        '';
      };
      socketActivated = mkOption {
        default = false;
        type = types.bool;
        description =
          "If enabled Rsync will be socket-activated rather than run persistently.";
      };
    };
  };
@ -63,12 +70,55 @@ in {
    services.rsyncd.settings.global.port = toString cfg.port;
-    systemd.services.rsyncd = {
+    systemd = let
-      description = "Rsync daemon";
+      serviceConfigSecurity = {
-      wantedBy = [ "multi-user.target" ];
+        ProtectSystem = "full";
-      serviceConfig.ExecStart =
+        PrivateDevices = "on";
-        "${pkgs.rsync}/bin/rsync --daemon --no-detach --config=${configFile}";
+        NoNewPrivileges = "on";
      };
    in {
      services.rsync = {
        enable = !cfg.socketActivated;
        aliases = [ "rsyncd" ];
        description = "fast remote file copy program daemon";
        after = [ "network.target" ];
        documentation = [ "man:rsync(1)" "man:rsyncd.conf(5)" ];
        serviceConfig = serviceConfigSecurity // {
          ExecStart =
            "${pkgs.rsync}/bin/rsync --daemon --no-detach --config=${configFile}";
          RestartSec = 1;
        };
        wantedBy = [ "multi-user.target" ];
      };
      services."rsync@" = {
        description = "fast remote file copy program daemon";
        after = [ "network.target" ];
        serviceConfig = serviceConfigSecurity // {
          ExecStart = "${pkgs.rsync}/bin/rsync --daemon --config=${configFile}";
          StandardInput = "socket";
          StandardOutput = "inherit";
          StandardError = "journal";
        };
      };
      sockets.rsync = {
        enable = cfg.socketActivated;
        description = "socket for fast remote file copy program daemon";
        conflicts = [ "rsync.service" ];
        listenStreams = [ (toString cfg.port) ];
        socketConfig.Accept = true;
        wantedBy = [ "sockets.target" ];
      };
    };
  };
  meta.maintainers = with lib.maintainers; [ ehmry ];
--- a/nixos/tests/rsyncd.nix
+++ b/nixos/tests/rsyncd.nix
@ -2,24 +2,35 @@ import ./make-test-python.nix ({ pkgs, ... }: {
  name = "rsyncd";
  meta.maintainers = with pkgs.lib.maintainers; [ ehmry ];
-  nodes.machine.services.rsyncd = {
+  nodes = let
-    enable = true;
+    mkNode = socketActivated:
-    settings = {
+      { config, ... }: {
-      global = {
+        networking.firewall.allowedTCPPorts = [ config.services.rsyncd.port ];
-        "reverse lookup" = false;
+        services.rsyncd = {
-        "forward lookup" = false;
+          enable = true;
          inherit socketActivated;
          settings = {
            global = {
              "reverse lookup" = false;
              "forward lookup" = false;
            };
            tmp = {
              path = "/nix/store";
              comment = "test module";
            };
          };
        };
      };
-      tmp = {
+  in {
-        path = "/nix/store";
+    a = mkNode false;
-        comment = "test module";
+    b = mkNode true;
      };
    };
  };
  testScript = ''
    start_all()
-    machine.wait_for_unit("rsyncd")
+    a.wait_for_unit("rsync")
-    machine.succeed("rsync localhost::")
+    b.wait_for_unit("sockets.target")
    b.succeed("rsync a::")
    a.succeed("rsync b::")
  '';
 })