Merge pull request #117456 from Izorkin/update-redis-options

nixos/redis: add option and change access to directories
2021-04-10 06:06:19 +01:00 · 2021-04-10 06:06:19 +01:00 · f7e08360b0
parent 7c6aa8400b 9d4aaf2366
commit f7e08360b0
2 changed files with 18 additions and 5 deletions
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@ -88,6 +88,13 @@ in
        example = "/run/redis/redis.sock";
      };

+      unixSocketPerm = mkOption {
+        type = types.int;
+        default = 750;
+        description = "Change permissions for the socket";
+        example = 700;
+      };
+
      logLevel = mkOption {
        type = types.str;
        default = "notice"; # debug, verbose, notice, warning
@ -204,7 +211,6 @@ in
        '';
        example = literalExample ''
          {
-            unixsocketperm = "700";
            loadmodule = [ "/path/to/my_module.so" "/path/to/other_module.so" ];
          }
        '';
@ -256,7 +262,7 @@ in
        slowlog-max-len = cfg.slowLogMaxLen;
      }
      (mkIf (cfg.bind != null) { bind = cfg.bind; })
-      (mkIf (cfg.unixSocket != null) { unixsocket = cfg.unixSocket; })
+      (mkIf (cfg.unixSocket != null) { unixsocket = cfg.unixSocket; unixsocketperm = "${toString cfg.unixSocketPerm}"; })
      (mkIf (cfg.slaveOf != null) { slaveof = "${cfg.slaveOf.ip} ${cfg.slaveOf.port}"; })
      (mkIf (cfg.masterAuth != null) { masterauth = cfg.masterAuth; })
      (mkIf (cfg.requirePass != null) { requirepass = cfg.requirePass; })
@ -277,11 +283,18 @@ in

      serviceConfig = {
        ExecStart = "${cfg.package}/bin/redis-server /run/redis/redis.conf";
-        RuntimeDirectory = "redis";
-        StateDirectory = "redis";
        Type = "notify";
+        # User and group
        User = "redis";
        Group = "redis";
+        # Runtime directory and mode
+        RuntimeDirectory = "redis";
+        RuntimeDirectoryMode = "0750";
+        # State directory and mode
+        StateDirectory = "redis";
+        StateDirectoryMode = "0700";
+        # Access write directories
+        UMask = "0077";
      };
    };
  };
--- a/nixos/tests/redis.nix
+++ b/nixos/tests/redis.nix
@ -17,7 +17,7 @@ in
        services.redis.unixSocket = redisSocket;

        # Allow access to the unix socket for the "redis" group.
-        services.redis.settings.unixsocketperm = "770";
+        services.redis.unixSocketPerm = 770;

        users.users."member" = {
          createHome = false;