Merge pull request #165252 from Luflosi/ipfs-hardening
nixos/ipfs: add systemd hardening
commit
954f445608
@ -239,7 +239,10 @@ in
|
||||
"d '${cfg.ipnsMountDir}' - ${cfg.user} ${cfg.group} - -"
|
||||
];
|
||||
|
||||
systemd.packages = [ cfg.package ];
|
||||
# The hardened systemd unit breaks the fuse-mount function according to documentation in the unit file itself
|
||||
systemd.packages = if cfg.autoMount
|
||||
then [ cfg.package.systemd_unit ]
|
||||
else [ cfg.package.systemd_unit_hardened ];
|
||||
|
||||
systemd.services.ipfs = {
|
||||
path = [ "/run/wrappers" cfg.package ];
|
||||
@ -275,6 +278,8 @@ in
|
||||
ExecStart = [ "" "${cfg.package}/bin/ipfs daemon ${ipfsFlags}" ];
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
StateDirectory = "";
|
||||
ReadWritePaths = [ "" cfg.dataDir ];
|
||||
} // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; };
|
||||
} // optionalAttrs (!cfg.startWhenNeeded) {
|
||||
wantedBy = [ "default.target" ];
|
||||
|
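Review bot: Falling back to the unhardened unit whenever `cfg.autoMount` is set (the `systemd.packages` expression in the first hunk) is recorded only in an inline comment, so a user who enables autoMount gets no signal that the sandboxing is dropped; the trade-off belongs in the `autoMount` option description (defined outside the hunk), and if `lib` is in scope as the use of `optionalAttrs` suggests, a `warnings = optional cfg.autoMount "services.ipfs: autoMount selects the unhardened upstream unit";` would surface it at evaluation time. In the second hunk, `StateDirectory = ""` and `ReadWritePaths = [ "" cfg.dataDir ]` clear whatever the upstream unit declares and leave only `cfg.dataDir` writable; that looks intended, but a comment such as `# clear the upstream StateDirectory/ReadWritePaths: dataDir is created by the tmpfiles rules above and is the only path the daemon may write` would make the dependence on the tmpfiles rules explicit. I am inferring that the dataDir tmpfiles rule sits above the first hunk; the `systemd.services.ipfs` attribute set starts and ends outside the second hunk.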
@ -10,6 +10,7 @@ import ./make-test-python.nix ({ pkgs, ...} : {
|
||||
# Also will add a unix domain socket socket API address, see module.
|
||||
startWhenNeeded = true;
|
||||
apiAddress = "/ip4/127.0.0.1/tcp/2324";
|
||||
dataDir = "/mnt/ipfs";
|
||||
};
|
||||
};
|
||||
|
||||
@ -35,5 +36,9 @@ import ./make-test-python.nix ({ pkgs, ...} : {
|
||||
machine.succeed(
|
||||
f"ipfs --api /unix/run/ipfs.sock cat /ipfs/{ipfs_hash.strip()} | grep fnord2"
|
||||
)
|
||||
|
||||
# Test if setting dataDir works properly with the hardened systemd unit
|
||||
machine.succeed("test -e /mnt/ipfs/config")
|
||||
machine.succeed("test ! -e /var/lib/ipfs/")
|
||||
'';
|
||||
})
|
||||
|
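Review bot: The new assertions at the end of the test script (`test -e /mnt/ipfs/config`, `test ! -e /var/lib/ipfs/`) only exercise the hardened unit, which is selected because the test configuration does not enable `autoMount`, so the unhardened branch introduced by the module change has no coverage. The comment introducing the checks should say which branch they cover, e.g. `# autoMount is off here, so the hardened unit is in use; check that dataDir overrides its state directory`. That autoMount defaults to false is inferred from the module's `if cfg.autoMount` branch rather than visible here. Nothing verifies that the hardened unit file is the one actually loaded; a `systemctl cat ipfs.service` check against a directive present only in the hardened unit would pin that.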
@ -29,15 +29,23 @@ buildGoModule rec {
|
||||
|
||||
vendorSha256 = null;
|
||||
|
||||
outputs = [ "out" "systemd_unit" "systemd_unit_hardened" ];
|
||||
|
||||
postPatch = ''
|
||||
substituteInPlace 'misc/systemd/ipfs.service' \
|
||||
--replace '/usr/bin/ipfs' "$out/bin/ipfs"
|
||||
substituteInPlace 'misc/systemd/ipfs-hardened.service' \
|
||||
--replace '/usr/bin/ipfs' "$out/bin/ipfs"
|
||||
'';
|
||||
|
||||
postInstall = ''
|
||||
install --mode=444 -D misc/systemd/ipfs.service $out/etc/systemd/system/ipfs.service
|
||||
install --mode=444 -D misc/systemd/ipfs-hardened.service $out/etc/systemd/system/ipfs-hardened.service
|
||||
install --mode=444 -D misc/systemd/ipfs-api.socket $out/etc/systemd/system/ipfs-api.socket
|
||||
install --mode=444 -D misc/systemd/ipfs-gateway.socket $out/etc/systemd/system/ipfs-gateway.socket
|
||||
substituteInPlace $out/etc/systemd/system/ipfs.service \
|
||||
--replace /usr/bin/ipfs $out/bin/ipfs
|
||||
substituteInPlace $out/etc/systemd/system/ipfs-hardened.service \
|
||||
--replace /usr/bin/ipfs $out/bin/ipfs
|
||||
install --mode=444 -D 'misc/systemd/ipfs-api.socket' "$systemd_unit/etc/systemd/system/ipfs-api.socket"
|
||||
install --mode=444 -D 'misc/systemd/ipfs-gateway.socket' "$systemd_unit/etc/systemd/system/ipfs-gateway.socket"
|
||||
install --mode=444 -D 'misc/systemd/ipfs.service' "$systemd_unit/etc/systemd/system/ipfs.service"
|
||||
|
||||
install --mode=444 -D 'misc/systemd/ipfs-api.socket' "$systemd_unit_hardened/etc/systemd/system/ipfs-api.socket"
|
||||
install --mode=444 -D 'misc/systemd/ipfs-gateway.socket' "$systemd_unit_hardened/etc/systemd/system/ipfs-gateway.socket"
|
||||
install --mode=444 -D 'misc/systemd/ipfs-hardened.service' "$systemd_unit_hardened/etc/systemd/system/ipfs.service"
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
|
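Review bot: The `substituteInPlace ... --replace '/usr/bin/ipfs'` calls in `postPatch` succeed even when the pattern is absent, so an upstream edit to either unit file would silently ship a service that points at a binary outside the store; follow each call with a check such as `grep -q "$out/bin/ipfs" misc/systemd/ipfs-hardened.service` (and the same for `ipfs.service`) so the build fails instead. Installing `ipfs-hardened.service` under the name `ipfs.service` in `$systemd_unit_hardened` (the last `install` line) is presumably deliberate so that the NixOS module's `systemd.services.ipfs` overrides apply to whichever output is chosen; a comment stating that, `# both outputs provide the unit as ipfs.service so module overrides apply to either`, would stop someone "fixing" the name later. The two socket units are installed identically into both outputs; a loop over the two output variables would remove the duplication. Whether the earlier `$out/etc/systemd/system` installs are removed or kept cannot be read from this rendering.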