blob: 235d4f348e5e3ae805098dafeca21c1b05f2b780 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.atd;
inherit (pkgs) at;
in
{
###### interface
options = {
services.atd.enable = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to enable the {command}`at` daemon, a command scheduler.
'';
};
services.atd.allowEveryone = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to make {file}`/var/spool/at{jobs,spool}`
writeable by everyone (and sticky). This is normally not
needed since the {command}`at` commands are
setuid/setgid `atd`.
'';
};
};
###### implementation
config = mkIf cfg.enable {
# Not wrapping "batch" because it's a shell script (kernel drops perms
# anyway) and it's patched to invoke the "at" setuid wrapper.
security.wrappers = builtins.listToAttrs (
map (program: { name = "${program}"; value = {
source = "${at}/bin/${program}";
owner = "atd";
group = "atd";
setuid = true;
setgid = true;
};}) [ "at" "atq" "atrm" ]);
environment.systemPackages = [ at ];
security.pam.services.atd = {};
users.users.atd =
{
uid = config.ids.uids.atd;
group = "atd";
description = "atd user";
home = "/var/empty";
};
users.groups.atd.gid = config.ids.gids.atd;
systemd.services.atd = {
description = "Job Execution Daemon (atd)";
wantedBy = [ "multi-user.target" ];
path = [ at ];
preStart = ''
# Snippets taken and adapted from the original `install' rule of
# the makefile.
# We assume these values are those actually used in Nixpkgs for
# `at'.
spooldir=/var/spool/atspool
jobdir=/var/spool/atjobs
etcdir=/etc/at
install -dm755 -o atd -g atd "$etcdir"
spool_and_job_dir_perms=${if cfg.allowEveryone then "1777" else "1770"}
install -dm"$spool_and_job_dir_perms" -o atd -g atd "$spooldir" "$jobdir"
if [ ! -f "$etcdir"/at.deny ]; then
touch "$etcdir"/at.deny
chown root:atd "$etcdir"/at.deny
chmod 640 "$etcdir"/at.deny
fi
if [ ! -f "$jobdir"/.SEQ ]; then
touch "$jobdir"/.SEQ
chown atd:atd "$jobdir"/.SEQ
chmod 600 "$jobdir"/.SEQ
fi
'';
script = "atd";
serviceConfig.Type = "forking";
};
};
}
|