Merge pull request #144895 from arcnmx/ddclient-privs

nixos/ddclient: password permission fixes
2021-11-06 12:17:01 -04:00 · 2021-11-06 12:17:01 -04:00 · a97d32da9c
commit a97d32da9c
parent c6c29d5845 cdd385510a
1 changed files with 22 additions and 10 deletions
--- a/nixos/modules/services/networking/ddclient.nix
+++ b/nixos/modules/services/networking/ddclient.nix
@ -28,6 +28,16 @@ let
  '';
  configFile = if (cfg.configFile != null) then cfg.configFile else configFile';

+  preStart = ''
+    install ${configFile} /run/${RuntimeDirectory}/ddclient.conf
+    ${lib.optionalString (cfg.configFile == null) (if (cfg.passwordFile != null) then ''
+      password=$(head -n 1 ${cfg.passwordFile})
+      sed -i "s/^password=$/password=$password/" /run/${RuntimeDirectory}/ddclient.conf
+    '' else ''
+      sed -i '/^password=$/d' /run/${RuntimeDirectory}/ddclient.conf
+    '')}
+  '';
+
 in

 with lib;
@ -57,6 +67,15 @@ with lib;
        '';
      };

+      package = mkOption {
+        type = package;
+        default = pkgs.ddclient;
+        defaultText = "pkgs.ddclient";
+        description = ''
+          The ddclient executable package run by the service.
+        '';
+      };
+
      domains = mkOption {
        default = [ "" ];
        type = listOf str;
@ -195,20 +214,13 @@ with lib;

      serviceConfig = {
        DynamicUser = true;
+        RuntimeDirectoryMode = "0700";
        inherit RuntimeDirectory;
        inherit StateDirectory;
        Type = "oneshot";
-        ExecStart = "${lib.getBin pkgs.ddclient}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf";
+        ExecStartPre = "!${pkgs.writeShellScript "ddclient-prestart" preStart}";
+        ExecStart = "${lib.getBin cfg.package}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf";
      };
-      preStart = ''
-        install -m 600 ${configFile} /run/${RuntimeDirectory}/ddclient.conf
-        ${optionalString (cfg.configFile == null) (if (cfg.passwordFile != null) then ''
-          password=$(head -n 1 ${cfg.passwordFile})
-          sed -i "s/^password=$/password=$password/" /run/${RuntimeDirectory}/ddclient.conf
-        '' else ''
-          sed -i '/^password=$/d' /run/${RuntimeDirectory}/ddclient.conf
-        '')}
-      '';
    };

    systemd.timers.ddclient = {