nixos/ipfs: add systemd hardening

Use the hardened systemd unit from upstream.
2 years ago · 41d45d674a
parent 5dbd4b2b27
commit 41d45d674a
3 changed files with 27 additions and 9 deletions
--- a/nixos/modules/services/network-filesystems/ipfs.nix
+++ b/nixos/modules/services/network-filesystems/ipfs.nix
@ -239,7 +239,10 @@ in
      "d '${cfg.ipnsMountDir}' - ${cfg.user} ${cfg.group} - -"
    ];

-    systemd.packages = [ cfg.package ];
+    # The hardened systemd unit breaks the fuse-mount function according to documentation in the unit file itself
+    systemd.packages = if cfg.autoMount
+      then [ cfg.package.systemd_unit ]
+      else [ cfg.package.systemd_unit_hardened ];

    systemd.services.ipfs = {
      path = [ "/run/wrappers" cfg.package ];
@ -275,6 +278,8 @@ in
        ExecStart = [ "" "${cfg.package}/bin/ipfs daemon ${ipfsFlags}" ];
        User = cfg.user;
        Group = cfg.group;
+        StateDirectory = "";
+        ReadWritePaths = [ "" cfg.dataDir ];
      } // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; };
    } // optionalAttrs (!cfg.startWhenNeeded) {
      wantedBy = [ "default.target" ];
--- a/nixos/tests/ipfs.nix
+++ b/nixos/tests/ipfs.nix
@ -10,6 +10,7 @@ import ./make-test-python.nix ({ pkgs, ...} : {
      # Also will add a unix domain socket socket API address, see module.
      startWhenNeeded = true;
      apiAddress = "/ip4/127.0.0.1/tcp/2324";
+      dataDir = "/mnt/ipfs";
    };
  };

@ -35,5 +36,9 @@ import ./make-test-python.nix ({ pkgs, ...} : {
    machine.succeed(
        f"ipfs --api /unix/run/ipfs.sock cat /ipfs/{ipfs_hash.strip()} | grep fnord2"
    )
+
+    # Test if setting dataDir works properly with the hardened systemd unit
+    machine.succeed("test -e /mnt/ipfs/config")
+    machine.succeed("test ! -e /var/lib/ipfs/")
  '';
 })
--- a/pkgs/applications/networking/ipfs/default.nix
+++ b/pkgs/applications/networking/ipfs/default.nix
@ -29,15 +29,23 @@ buildGoModule rec {

  vendorSha256 = null;

+  outputs = [ "out" "systemd_unit" "systemd_unit_hardened" ];
+
+  postPatch = ''
+    substituteInPlace 'misc/systemd/ipfs.service' \
+      --replace '/usr/bin/ipfs' "$out/bin/ipfs"
+    substituteInPlace 'misc/systemd/ipfs-hardened.service' \
+      --replace '/usr/bin/ipfs' "$out/bin/ipfs"
+  '';
+
  postInstall = ''
-    install --mode=444 -D misc/systemd/ipfs.service $out/etc/systemd/system/ipfs.service
-    install --mode=444 -D misc/systemd/ipfs-hardened.service $out/etc/systemd/system/ipfs-hardened.service
-    install --mode=444 -D misc/systemd/ipfs-api.socket $out/etc/systemd/system/ipfs-api.socket
-    install --mode=444 -D misc/systemd/ipfs-gateway.socket $out/etc/systemd/system/ipfs-gateway.socket
-    substituteInPlace $out/etc/systemd/system/ipfs.service \
-      --replace /usr/bin/ipfs $out/bin/ipfs
-    substituteInPlace $out/etc/systemd/system/ipfs-hardened.service \
-      --replace /usr/bin/ipfs $out/bin/ipfs
+    install --mode=444 -D 'misc/systemd/ipfs-api.socket' "$systemd_unit/etc/systemd/system/ipfs-api.socket"
+    install --mode=444 -D 'misc/systemd/ipfs-gateway.socket' "$systemd_unit/etc/systemd/system/ipfs-gateway.socket"
+    install --mode=444 -D 'misc/systemd/ipfs.service' "$systemd_unit/etc/systemd/system/ipfs.service"
+
+    install --mode=444 -D 'misc/systemd/ipfs-api.socket' "$systemd_unit_hardened/etc/systemd/system/ipfs-api.socket"
+    install --mode=444 -D 'misc/systemd/ipfs-gateway.socket' "$systemd_unit_hardened/etc/systemd/system/ipfs-gateway.socket"
+    install --mode=444 -D 'misc/systemd/ipfs-hardened.service' "$systemd_unit_hardened/etc/systemd/system/ipfs.service"
  '';

  meta = with lib; {