nixos/pinnwand: add reaper systemd unit/timer

The reap function culls expired pastes outside of the process serving
the pastes. Previously the database could accumulate a large number of
expired pastes, which were not deleted unless they were accessed from
the frontend.
Martin Weinelt 2021-04-29 23:02:59 +02:00
parent ac4b47f823
commit fda2ff4edc
No known key found for this signature in database
GPG Key ID: 87C1E9888F856759


@ -40,39 +40,64 @@ in
''; '';
}; };
systemd.services.pinnwand = { systemd.services = let
description = "Pinnwannd HTTP Server"; hardeningOptions = {
after = [ "network.target" ]; User = "pinnwand";
wantedBy = [ "multi-user.target" ]; DynamicUser = true;
unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/";
serviceConfig = {
ExecStart = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile} http --port ${toString(cfg.port)}";
StateDirectory = "pinnwand"; StateDirectory = "pinnwand";
StateDirectoryMode = "0700"; StateDirectoryMode = "0700";
AmbientCapabilities = []; AmbientCapabilities = [];
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
DevicePolicy = "closed"; DevicePolicy = "closed";
DynamicUser = true;
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
PrivateDevices = true; PrivateDevices = true;
PrivateUsers = true; PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true; ProtectClock = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectHome = true; ProtectHome = true;
ProtectHostname = true; ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; ProtectProc = "invisible";
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = "@system-service"; SystemCallFilter = "@system-service";
UMask = "0077"; UMask = "0077";
}; };
command = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile}";
in {
pinnwand = {
description = "Pinnwannd HTTP Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/";
serviceConfig = {
ExecStart = "${command} http --port ${toString(cfg.port)}";
} // hardeningOptions;
};
pinnwand-reaper = {
description = "Pinnwand Reaper";
startAt = "daily";
serviceConfig = {
ExecStart = "${command} -vvvv reap"; # verbosity increased to show number of deleted pastes
} // hardeningOptions;
};
}; };
}; };
} }
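Review bot: The new `pinnwand-reaper` unit inherits the whole `hardeningOptions` set, including `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]`, although the `reap` command presumably only touches the database under `StateDirectory` and has no reason to open network sockets, so the two INET families could be dropped for that unit alone. Because `//` is right-biased, a per-unit override must sit on the right of the shared set: `serviceConfig = hardeningOptions // { ExecStart = "${command} -vvvv reap"; RestrictAddressFamilies = [ "AF_UNIX" ]; };` — this assumes the database configured in `configFile` is file-backed; if pinnwand can be pointed at a network database, keep the original list. A `startAt = "daily"` timer without `Persistent = true` silently skips runs missed while the host was down, so `systemd.timers.pinnwand-reaper.timerConfig.Persistent = true;` may be worth adding next to it. The `let` binding for `systemd.services` starts at the top of the hunk, but the enclosing module attribute set opens outside it.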