nixos/modules/services/scheduling/atd.nix at 23.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / services / scheduling / atd.nix
at 23.11-pre 2.5 kB view raw
  1{ config, lib, pkgs, ... }:
  2
  3with lib;
  4
  5let
  6
  7  cfg = config.services.atd;
  8
  9  inherit (pkgs) at;
 10
 11in
 12
 13{
 14
 15  ###### interface
 16
 17  options = {
 18
 19    services.atd.enable = mkOption {
 20      type = types.bool;
 21      default = false;
 22      description = lib.mdDoc ''
 23        Whether to enable the {command}`at` daemon, a command scheduler.
 24      '';
 25    };
 26
 27    services.atd.allowEveryone = mkOption {
 28      type = types.bool;
 29      default = false;
 30      description = lib.mdDoc ''
 31        Whether to make {file}`/var/spool/at{jobs,spool}`
 32        writeable by everyone (and sticky).  This is normally not
 33        needed since the {command}`at` commands are
 34        setuid/setgid `atd`.
 35     '';
 36    };
 37
 38  };
 39
 40
 41  ###### implementation
 42
 43  config = mkIf cfg.enable {
 44
 45    # Not wrapping "batch" because it's a shell script (kernel drops perms
 46    # anyway) and it's patched to invoke the "at" setuid wrapper.
 47    security.wrappers = builtins.listToAttrs (
 48      map (program: { name = "${program}"; value = {
 49      source = "${at}/bin/${program}";
 50      owner = "atd";
 51      group = "atd";
 52      setuid = true;
 53      setgid = true;
 54    };}) [ "at" "atq" "atrm" ]);
 55
 56    environment.systemPackages = [ at ];
 57
 58    security.pam.services.atd = {};
 59
 60    users.users.atd =
 61      {
 62        uid = config.ids.uids.atd;
 63        group = "atd";
 64        description = "atd user";
 65        home = "/var/empty";
 66      };
 67
 68    users.groups.atd.gid = config.ids.gids.atd;
 69
 70    systemd.services.atd = {
 71      description = "Job Execution Daemon (atd)";
 72      wantedBy = [ "multi-user.target" ];
 73
 74      path = [ at ];
 75
 76      preStart = ''
 77        # Snippets taken and adapted from the original `install' rule of
 78        # the makefile.
 79
 80        # We assume these values are those actually used in Nixpkgs for
 81        # `at'.
 82        spooldir=/var/spool/atspool
 83        jobdir=/var/spool/atjobs
 84        etcdir=/etc/at
 85
 86        install -dm755 -o atd -g atd "$etcdir"
 87        spool_and_job_dir_perms=${if cfg.allowEveryone then "1777" else "1770"}
 88        install -dm"$spool_and_job_dir_perms" -o atd -g atd "$spooldir" "$jobdir"
 89        if [ ! -f "$etcdir"/at.deny ]; then
 90            touch "$etcdir"/at.deny
 91            chown root:atd "$etcdir"/at.deny
 92            chmod 640 "$etcdir"/at.deny
 93        fi
 94        if [ ! -f "$jobdir"/.SEQ ]; then
 95            touch "$jobdir"/.SEQ
 96            chown atd:atd "$jobdir"/.SEQ
 97            chmod 600 "$jobdir"/.SEQ
 98        fi
 99      '';
100
101      script = "atd";
102
103      serviceConfig.Type = "forking";
104    };
105  };
106}