nixos/nfsd: run rpc-statd as a normal user
peterhoeg committed Sep 7, 2020
1 parent 2b1ce61 commit d626441
Showing 2 changed files with 34 additions and 35 deletions.
60 changes: 33 additions & 27 deletions nixos/modules/services/network-filesystems/nfsd.nix
Expand Up @@ -8,6 +8,8 @@ let

exports = pkgs.writeText "exports" cfg.exports;

rpcUser = "statd";

in

{
Expand Down Expand Up @@ -140,36 +142,40 @@ in

environment.etc.exports.source = exports;

systemd.services.nfs-server =
{ enable = true;
wantedBy = [ "multi-user.target" ];
systemd.services.nfs-server = {
enable = true;
wantedBy = [ "multi-user.target" ];
};

preStart =
''
mkdir -p /var/lib/nfs/v4recovery
'';
};
systemd.services.nfs-mountd = {
enable = true;
restartTriggers = [ exports ];

preStart = optionalString cfg.createMountPoints ''
# create export directories:
# skip comments, take first col which may either be a quoted
# "foo bar" or just foo (-> man export)
sed '/^#.*/d;s/^"\([^"]*\)".*/\1/;t;s/[ ].*//' ${exports} \
| xargs -d '\n' mkdir -p
'';
};

systemd.services.nfs-mountd =
{ enable = true;
restartTriggers = [ exports ];

preStart =
''
mkdir -p /var/lib/nfs
${optionalString cfg.createMountPoints
''
# create export directories:
# skip comments, take first col which may either be a quoted
# "foo bar" or just foo (-> man export)
sed '/^#.*/d;s/^"\([^"]*\)".*/\1/;t;s/[ ].*//' ${exports} \
| xargs -d '\n' mkdir -p
''
}
'';
# rpc-statd will drop privileges by changing user from root to the owner of
# /var/lib/nfs
systemd.tmpfiles.rules = [
"d /var/lib/nfs 0700 ${rpcUser} ${rpcUser} - -"
] ++ map (e:
"d /var/lib/nfs/${e} 0755 root root - -"
) [ "recovery" "v4recovery" "sm" "sm.bak" ];

users = {
groups."${rpcUser}" = {};
users."${rpcUser}" = {
description = "NFS RPC user";
group = rpcUser;
isSystemUser = true;
};

};
};

}
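Review bot: The tmpfiles rules at `"d /var/lib/nfs/${e} 0755 root root - -"` create `sm` and `sm.bak` as root-owned while the parent directory is handed to `${rpcUser}`; if rpc-statd writes its monitor records under those two directories after switching to the owner of /var/lib/nfs, as the comment above the rules states it does, the root-owned 0755 entries would deny those writes and leave the daemon running but unable to record peers. This is worth confirming against the privilege-drop behaviour of the nfs-utils version in use; if the writes do happen as the dropped user, split the map so only the recovery directories stay root-owned, e.g. `] ++ map (e: "d /var/lib/nfs/${e} 0755 root root - -") [ "recovery" "v4recovery" ]` followed by `++ map (e: "d /var/lib/nfs/${e} 0700 ${rpcUser} ${rpcUser} - -") [ "sm" "sm.bak" ];`. The `0700` mode on /var/lib/nfs also means no other unprivileged user can read anything below it, which fits the least-privilege intent but deserves a one-line comment next to the rule so it is not loosened later. The enclosing `config` attribute set starts outside the hunk.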
9 changes: 1 addition & 8 deletions nixos/modules/tasks/filesystems/nfs.nix
Expand Up @@ -101,13 +101,6 @@ in
};

systemd.services.rpc-statd =
{ restartTriggers = [ nfsConfFile ];

preStart =
''
mkdir -p /var/lib/nfs/{sm,sm.bak}
'';
};

{ restartTriggers = [ nfsConfFile ]; };
};
}
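Review bot: Dropping `mkdir -p /var/lib/nfs/{sm,sm.bak}` from the rpc-statd preStart leaves this module, which still defines `systemd.services.rpc-statd`, with no guarantee that the directories exist, since their creation now lives in the tmpfiles rules of nfsd.nix in the first file; if those rules sit under the server module's enable condition (the first hunk starts below the `config` line, so this cannot be confirmed here), a host that uses this module for NFS mounts without enabling the server loses both the directories and the user-based privilege drop. Consider keeping a client-side rule here, e.g. `systemd.tmpfiles.rules = [ "d /var/lib/nfs/sm 0700 statd statd - -" "d /var/lib/nfs/sm.bak 0700 statd statd - -" ];`, or moving the `statd` user and the tmpfiles rules into this module so both roles share them. The enclosing attribute set starts outside the hunk.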
