nixos/modules/misc/locate.nix at 18.09-beta · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / misc / locate.nix
at 18.09-beta 6.5 kB view raw
  1{ config, lib, pkgs, ... }:
  2
  3with lib;
  4
  5let
  6  cfg = config.services.locate;
  7  isMLocate = hasPrefix "mlocate" cfg.locate.name;
  8  isFindutils = hasPrefix "findutils" cfg.locate.name;
  9in {
 10  options.services.locate = with types; {
 11    enable = mkOption {
 12      type = bool;
 13      default = false;
 14      description = ''
 15        If enabled, NixOS will periodically update the database of
 16        files used by the <command>locate</command> command.
 17      '';
 18    };
 19
 20    locate = mkOption {
 21      type = package;
 22      default = pkgs.findutils;
 23      defaultText = "pkgs.findutils";
 24      example = "pkgs.mlocate";
 25      description = ''
 26        The locate implementation to use
 27      '';
 28    };
 29
 30    interval = mkOption {
 31      type = str;
 32      default = "02:15";
 33      example = "hourly";
 34      description = ''
 35        Update the locate database at this interval. Updates by
 36        default at 2:15 AM every day.
 37
 38        The format is described in
 39        <citerefentry><refentrytitle>systemd.time</refentrytitle>
 40        <manvolnum>7</manvolnum></citerefentry>.
 41      '';
 42    };
 43
 44    extraFlags = mkOption {
 45      type = listOf str;
 46      default = [ ];
 47      description = ''
 48        Extra flags to pass to <command>updatedb</command>.
 49      '';
 50    };
 51
 52    output = mkOption {
 53      type = path;
 54      default = "/var/cache/locatedb";
 55      description = ''
 56        The database file to build.
 57      '';
 58    };
 59
 60    localuser = mkOption {
 61      type = nullOr str;
 62      default = "nobody";
 63      description = ''
 64        The user to search non-network directories as, using
 65        <command>su</command>.
 66      '';
 67    };
 68
 69    pruneFS = mkOption {
 70      type = listOf str;
 71      default = ["afs" "anon_inodefs" "auto" "autofs" "bdev" "binfmt" "binfmt_misc" "cgroup" "cifs" "coda" "configfs" "cramfs" "cpuset" "debugfs" "devfs" "devpts" "devtmpfs" "ecryptfs" "eventpollfs" "exofs" "futexfs" "ftpfs" "fuse" "fusectl" "gfs" "gfs2" "hostfs" "hugetlbfs" "inotifyfs" "iso9660" "jffs2" "lustre" "misc" "mqueue" "ncpfs" "nnpfs" "ocfs" "ocfs2" "pipefs" "proc" "ramfs" "rpc_pipefs" "securityfs" "selinuxfs" "sfs" "shfs" "smbfs" "sockfs" "spufs" "nfs" "NFS" "nfs4" "nfsd" "sshfs" "subfs" "supermount" "sysfs" "tmpfs" "ubifs" "udf" "usbfs" "vboxsf" "vperfctrfs" ];
 72      description = ''
 73        Which filesystem types to exclude from indexing
 74      '';
 75    };
 76
 77    prunePaths = mkOption {
 78      type = listOf path;
 79      default = ["/tmp" "/var/tmp" "/var/cache" "/var/lock" "/var/run" "/var/spool" "/nix/store"];
 80      description = ''
 81        Which paths to exclude from indexing
 82      '';
 83    };
 84
 85    pruneNames = mkOption {
 86      type = listOf str;
 87      default = [];
 88      description = ''
 89        Directory components which should exclude paths containing them from indexing
 90      '';
 91    };
 92
 93    pruneBindMounts = mkOption {
 94      type = bool;
 95      default = false;
 96      description = ''
 97        Whether not to index bind mounts
 98      '';
 99    };
100
101  };
102
103  config = mkIf cfg.enable {
104    users.groups = mkIf isMLocate { mlocate = {}; };
105
106    security.wrappers = mkIf isMLocate {
107      locate = {
108        group = "mlocate";
109        owner = "root";
110        permissions = "u+rx,g+x,o+x";
111        setgid = true;
112        setuid = false;
113        source = "${cfg.locate}/bin/locate";
114      };
115    };
116
117    nixpkgs.config = { locate.dbfile = cfg.output; };
118
119    environment.systemPackages = [ cfg.locate ];
120
121    environment.variables = mkIf (!isMLocate)
122      { LOCATE_PATH = cfg.output;
123      };
124
125    warnings = optional (isMLocate && cfg.localuser != null) "mlocate does not support searching as user other than root"
126            ++ optional (isFindutils && cfg.pruneNames != []) "findutils locate does not support pruning by directory component"
127            ++ optional (isFindutils && cfg.pruneBindMounts) "findutils locate does not support skipping bind mounts";
128
129    # directory creation needs to be separated from main service
130    # because ReadWritePaths fails when the directory doesn't already exist
131    systemd.tmpfiles.rules = [ "d ${dirOf cfg.output} 0755 root root -" ];
132
133    systemd.services.update-locatedb =
134      { description = "Update Locate Database";
135        path = mkIf (!isMLocate) [ pkgs.su ];
136
137        # mlocate's updatedb takes flags via a configuration file or
138        # on the command line, but not by environment variable.
139        script =
140          if isMLocate
141          then let toFlags = x: optional (cfg.${x} != [])
142                                         "--${lib.toLower x} '${concatStringsSep " " cfg.${x}}'";
143                   args = concatLists (map toFlags ["pruneFS" "pruneNames" "prunePaths"]);
144               in ''
145            exec ${cfg.locate}/bin/updatedb \
146              --output ${toString cfg.output} ${concatStringsSep " " args} \
147              --prune-bind-mounts ${if cfg.pruneBindMounts then "yes" else "no"} \
148              ${concatStringsSep " " cfg.extraFlags}
149          ''
150          else ''
151            exec ${cfg.locate}/bin/updatedb \
152              ${optionalString (cfg.localuser != null && ! isMLocate) ''--localuser=${cfg.localuser}''} \
153              --output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags}
154          '';
155        environment = optionalAttrs (!isMLocate) {
156          PRUNEFS = concatStringsSep " " cfg.pruneFS;
157          PRUNEPATHS = concatStringsSep " " cfg.prunePaths;
158          PRUNENAMES = concatStringsSep " " cfg.pruneNames;
159          PRUNE_BIND_MOUNTS = if cfg.pruneBindMounts then "yes" else "no";
160        };
161        serviceConfig.Nice = 19;
162        serviceConfig.IOSchedulingClass = "idle";
163        serviceConfig.PrivateTmp = "yes";
164        serviceConfig.PrivateNetwork = "yes";
165        serviceConfig.NoNewPrivileges = "yes";
166        serviceConfig.ReadOnlyPaths = "/";
167        # Use dirOf cfg.output because mlocate creates temporary files next to
168        # the actual database. We could specify and create them as well,
169        # but that would make this quite brittle when they change something.
170        # NOTE: If /var/cache does not exist, this leads to the misleading error message:
171        # update-locatedb.service: Failed at step NAMESPACE spawning …/update-locatedb-start: No such file or directory
172        serviceConfig.ReadWritePaths = dirOf cfg.output;
173      };
174
175    systemd.timers.update-locatedb =
176      { description = "Update timer for locate database";
177        partOf      = [ "update-locatedb.service" ];
178        wantedBy    = [ "timers.target" ];
179        timerConfig.OnCalendar = cfg.interval;
180      };
181  };
182}