nixos/modules/services/networking/hylafax/systemd.nix at 23.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / services / networking / hylafax / systemd.nix
at 23.11-pre 9.1 kB view raw
  1{ config, lib, pkgs, ... }:
  2
  3
  4let
  5
  6  inherit (lib) mkIf mkMerge;
  7  inherit (lib) concatStringsSep optionalString;
  8
  9  cfg = config.services.hylafax;
 10  mapModems = lib.forEach (lib.attrValues cfg.modems);
 11
 12  mkConfigFile = name: conf:
 13    # creates hylafax config file,
 14    # makes sure "Include" is listed *first*
 15    let
 16      mkLines = lib.flip lib.pipe [
 17        (lib.mapAttrsToList (key: map (val: "${key}: ${val}")))
 18        lib.concatLists
 19      ];
 20      include = mkLines { Include = conf.Include or []; };
 21      other = mkLines ( conf // { Include = []; } );
 22    in
 23      pkgs.writeText "hylafax-config${name}"
 24      (concatStringsSep "\n" (include ++ other));
 25
 26  globalConfigPath = mkConfigFile "" cfg.faxqConfig;
 27
 28  modemConfigPath =
 29    let
 30      mkModemConfigFile = { config, name, ... }:
 31        mkConfigFile ".${name}"
 32        (cfg.commonModemConfig // config);
 33      mkLine = { name, type, ... }@modem: ''
 34        # check if modem config file exists:
 35        test -f "${pkgs.hylafaxplus}/spool/config/${type}"
 36        ln \
 37          --symbolic \
 38          --no-target-directory \
 39          "${mkModemConfigFile modem}" \
 40          "$out/config.${name}"
 41      '';
 42    in
 43      pkgs.runCommand "hylafax-config-modems" { preferLocalBuild = true; }
 44      ''mkdir --parents "$out/" ${concatStringsSep "\n" (mapModems mkLine)}'';
 45
 46  setupSpoolScript = pkgs.substituteAll {
 47    name = "hylafax-setup-spool.sh";
 48    src = ./spool.sh;
 49    isExecutable = true;
 50    faxuser = "uucp";
 51    faxgroup = "uucp";
 52    lockPath = "/var/lock";
 53    inherit globalConfigPath modemConfigPath;
 54    inherit (cfg) sendmailPath spoolAreaPath userAccessFile;
 55    inherit (pkgs) hylafaxplus runtimeShell;
 56  };
 57
 58  waitFaxqScript = pkgs.substituteAll {
 59    # This script checks the modems status files
 60    # and waits until all modems report readiness.
 61    name = "hylafax-faxq-wait-start.sh";
 62    src = ./faxq-wait.sh;
 63    isExecutable = true;
 64    timeoutSec = toString 10;
 65    inherit (cfg) spoolAreaPath;
 66    inherit (pkgs) runtimeShell;
 67  };
 68
 69  sockets.hylafax-hfaxd = {
 70    description = "HylaFAX server socket";
 71    documentation = [ "man:hfaxd(8)" ];
 72    wantedBy = [ "multi-user.target" ];
 73    listenStreams = [ "127.0.0.1:4559" ];
 74    socketConfig.FreeBind = true;
 75    socketConfig.Accept = true;
 76  };
 77
 78  paths.hylafax-faxq = {
 79    description = "HylaFAX queue manager sendq watch";
 80    documentation = [ "man:faxq(8)" "man:sendq(5)" ];
 81    wantedBy = [ "multi-user.target" ];
 82    pathConfig.PathExistsGlob = [ "${cfg.spoolAreaPath}/sendq/q*" ];
 83  };
 84
 85  timers = mkMerge [
 86    (
 87      mkIf (cfg.faxcron.enable.frequency!=null)
 88      { hylafax-faxcron.timerConfig.Persistent = true; }
 89    )
 90    (
 91      mkIf (cfg.faxqclean.enable.frequency!=null)
 92      { hylafax-faxqclean.timerConfig.Persistent = true; }
 93    )
 94  ];
 95
 96  hardenService =
 97    # Add some common systemd service hardening settings,
 98    # but allow each service (here) to override
 99    # settings by explicitly setting those to `null`.
100    # More hardening would be nice but makes
101    # customizing hylafax setups very difficult.
102    # If at all, it should only be added along
103    # with some options to customize it.
104    let
105      hardening = {
106        PrivateDevices = true;  # breaks /dev/tty...
107        PrivateNetwork = true;
108        PrivateTmp = true;
109        #ProtectClock = true;  # breaks /dev/tty... (why?)
110        ProtectControlGroups = true;
111        #ProtectHome = true;  # breaks custom spool dirs
112        ProtectKernelLogs = true;
113        ProtectKernelModules = true;
114        ProtectKernelTunables = true;
115        #ProtectSystem = "strict";  # breaks custom spool dirs
116        RestrictNamespaces = true;
117        RestrictRealtime = true;
118      };
119      filter = key: value: (value != null) || ! (lib.hasAttr key hardening);
120      apply = service: lib.filterAttrs filter (hardening // (service.serviceConfig or {}));
121    in
122      service: service // { serviceConfig = apply service; };
123
124  services.hylafax-spool = {
125    description = "HylaFAX spool area preparation";
126    documentation = [ "man:hylafax-server(4)" ];
127    script = ''
128      ${setupSpoolScript}
129      cd "${cfg.spoolAreaPath}"
130      ${cfg.spoolExtraInit}
131      if ! test -f "${cfg.spoolAreaPath}/etc/hosts.hfaxd"
132      then
133        echo hosts.hfaxd is missing
134        exit 1
135      fi
136    '';
137    serviceConfig.ExecStop = "${setupSpoolScript}";
138    serviceConfig.RemainAfterExit = true;
139    serviceConfig.Type = "oneshot";
140    unitConfig.RequiresMountsFor = [ cfg.spoolAreaPath ];
141  };
142
143  services.hylafax-faxq = {
144    description = "HylaFAX queue manager";
145    documentation = [ "man:faxq(8)" ];
146    requires = [ "hylafax-spool.service" ];
147    after = [ "hylafax-spool.service" ];
148    wants = mapModems ( { name, ... }: "hylafax-faxgetty@${name}.service" );
149    wantedBy = mkIf cfg.autostart [ "multi-user.target" ];
150    serviceConfig.Type = "forking";
151    serviceConfig.ExecStart = ''${pkgs.hylafaxplus}/spool/bin/faxq -q "${cfg.spoolAreaPath}"'';
152    # This delays the "readiness" of this service until
153    # all modems are initialized (or a timeout is reached).
154    # Otherwise, sending a fax with the fax service
155    # stopped will always yield a failed send attempt:
156    # The fax service is started when the job is created with
157    # `sendfax`, but modems need some time to initialize.
158    serviceConfig.ExecStartPost = [ "${waitFaxqScript}" ];
159    # faxquit fails if the pipe is already gone
160    # (e.g. the service is already stopping)
161    serviceConfig.ExecStop = ''-${pkgs.hylafaxplus}/spool/bin/faxquit -q "${cfg.spoolAreaPath}"'';
162    # disable some systemd hardening settings
163    serviceConfig.PrivateDevices = null;
164    serviceConfig.RestrictRealtime = null;
165  };
166
167  services."hylafax-hfaxd@" = {
168    description = "HylaFAX server";
169    documentation = [ "man:hfaxd(8)" ];
170    after = [ "hylafax-faxq.service" ];
171    requires = [ "hylafax-faxq.service" ];
172    serviceConfig.StandardInput = "socket";
173    serviceConfig.StandardOutput = "socket";
174    serviceConfig.ExecStart = ''${pkgs.hylafaxplus}/spool/bin/hfaxd -q "${cfg.spoolAreaPath}" -d -I'';
175    unitConfig.RequiresMountsFor = [ cfg.userAccessFile ];
176    # disable some systemd hardening settings
177    serviceConfig.PrivateDevices = null;
178    serviceConfig.PrivateNetwork = null;
179  };
180
181  services.hylafax-faxcron = rec {
182    description = "HylaFAX spool area maintenance";
183    documentation = [ "man:faxcron(8)" ];
184    after = [ "hylafax-spool.service" ];
185    requires = [ "hylafax-spool.service" ];
186    wantedBy = mkIf cfg.faxcron.enable.spoolInit requires;
187    startAt = mkIf (cfg.faxcron.enable.frequency!=null) cfg.faxcron.enable.frequency;
188    serviceConfig.ExecStart = concatStringsSep " " [
189      "${pkgs.hylafaxplus}/spool/bin/faxcron"
190      ''-q "${cfg.spoolAreaPath}"''
191      ''-info ${toString cfg.faxcron.infoDays}''
192      ''-log  ${toString cfg.faxcron.logDays}''
193      ''-rcv  ${toString cfg.faxcron.rcvDays}''
194    ];
195  };
196
197  services.hylafax-faxqclean = rec {
198    description = "HylaFAX spool area queue cleaner";
199    documentation = [ "man:faxqclean(8)" ];
200    after = [ "hylafax-spool.service" ];
201    requires = [ "hylafax-spool.service" ];
202    wantedBy = mkIf cfg.faxqclean.enable.spoolInit requires;
203    startAt = mkIf (cfg.faxqclean.enable.frequency!=null) cfg.faxqclean.enable.frequency;
204    serviceConfig.ExecStart = concatStringsSep " " [
205      "${pkgs.hylafaxplus}/spool/bin/faxqclean"
206      ''-q "${cfg.spoolAreaPath}"''
207      "-v"
208      (optionalString (cfg.faxqclean.archiving!="never") "-a")
209      (optionalString (cfg.faxqclean.archiving=="always")  "-A")
210      ''-j ${toString (cfg.faxqclean.doneqMinutes*60)}''
211      ''-d ${toString (cfg.faxqclean.docqMinutes*60)}''
212    ];
213  };
214
215  mkFaxgettyService = { name, ... }:
216    lib.nameValuePair "hylafax-faxgetty@${name}" rec {
217      description = "HylaFAX faxgetty for %I";
218      documentation = [ "man:faxgetty(8)" ];
219      bindsTo = [ "dev-%i.device" ];
220      requires = [ "hylafax-spool.service" ];
221      after = bindsTo ++ requires;
222      before = [ "hylafax-faxq.service" "getty.target" ];
223      unitConfig.StopWhenUnneeded = true;
224      unitConfig.AssertFileNotEmpty = "${cfg.spoolAreaPath}/etc/config.%I";
225      serviceConfig.UtmpIdentifier = "%I";
226      serviceConfig.TTYPath = "/dev/%I";
227      serviceConfig.Restart = "always";
228      serviceConfig.KillMode = "process";
229      serviceConfig.IgnoreSIGPIPE = false;
230      serviceConfig.ExecStart = ''-${pkgs.hylafaxplus}/spool/bin/faxgetty -q "${cfg.spoolAreaPath}" /dev/%I'';
231      # faxquit fails if the pipe is already gone
232      # (e.g. the service is already stopping)
233      serviceConfig.ExecStop = ''-${pkgs.hylafaxplus}/spool/bin/faxquit -q "${cfg.spoolAreaPath}" %I'';
234      # disable some systemd hardening settings
235      serviceConfig.PrivateDevices = null;
236      serviceConfig.RestrictRealtime = null;
237    };
238
239  modemServices =
240    lib.listToAttrs (mapModems mkFaxgettyService);
241
242in
243
244{
245  config.systemd = mkIf cfg.enable {
246    inherit sockets timers paths;
247    services = lib.mapAttrs (lib.const hardenService) (services // modemServices);
248  };
249}