# NixOS module for incron, the inotify-driven counterpart to cron.
#
# Declares `services.incron.*` and, when enabled, installs the package, a
# setuid `incrontab` wrapper, the system table, the optional allow/deny
# lists, and the `incron` systemd unit.
{
  config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib)
    concatStringsSep
    literalExpression
    mkIf
    mkOption
    optional
    types
    ;

  cfg = config.services.incron;

  # `allow` and `deny` share one type: either unset (null) or a list of user names.
  userList = types.nullOr (types.listOf types.str);

  # Renders a user list as the body of an /etc file, one name per line.
  userListFile = users: { text = concatStringsSep "\n" users; };
in

{
  options.services.incron = {

    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable the incron daemon.

        Note that commands run under incrontab only support common Nix profiles for the {env}`PATH` provided variable.
      '';
    };

    # Access control for per-user tables. With both lists left at null no
    # allow/deny file is written at all, which the description below documents
    # as "every user may install a table".
    allow = mkOption {
      type = userList;
      default = null;
      description = ''
        Users allowed to use incrontab.

        If empty then no user will be allowed to have their own incrontab.
        If `null` then will defer to {option}`deny`.
        If both {option}`allow` and {option}`deny` are null
        then all users will be allowed to have their own incrontab.
      '';
    };

    deny = mkOption {
      type = userList;
      default = null;
      description = "Users forbidden from using incrontab.";
    };

    # The unit below sets no `User=`, so the daemon that executes these
    # commands runs as root. The `$@` / `$#` fields in the example are filled
    # in from the event that fired; for a world-writable directory such as
    # /tmp the file name is chosen by whoever created the file and should be
    # treated as untrusted input by the command that receives it.
    systab = mkOption {
      type = types.lines;
      default = "";
      description = "The system incrontab contents.";
      example = ''
        /var/mail IN_CLOSE_WRITE abc $@/$#
        /tmp IN_ALL_EVENTS efg $@/$# $&
      '';
    };

    extraPackages = mkOption {
      type = types.listOf types.package;
      default = [ ];
      example = literalExpression "[ pkgs.rsync ]";
      description = "Extra packages available to the system incrontab.";
    };

  };

  config = mkIf cfg.enable {

    # `allow` wins when both lists are set; tell the operator that their
    # `deny` entries have no effect in that case.
    warnings = optional (
      cfg.allow != null && cfg.deny != null
    ) "If `services.incron.allow` is set then `services.incron.deny` will be ignored.";

    # Setuid-root wrapper: any local user can execute `incrontab` with root
    # privileges, so who may actually install a table depends on the
    # allow/deny files written below.
    security.wrappers.incrontab = {
      source = "${pkgs.incron}/bin/incrontab";
      owner = "root";
      group = "root";
      setuid = true;
    };

    environment = {
      systemPackages = [ pkgs.incron ];

      etc = {
        # incron won't read symlinks; an explicit mode makes NixOS copy the
        # file into /etc instead of linking it. 0444 leaves the system table
        # readable by every local user, so it should not carry secrets.
        "incron.d/system" = {
          text = cfg.systab;
          mode = "0444";
        };

        # Each list is only materialised when the option is non-null. An
        # empty `allow` list still produces an (empty) incron.allow file.
        "incron.allow" = mkIf (cfg.allow != null) (userListFile cfg.allow);
        "incron.deny" = mkIf (cfg.deny != null) (userListFile cfg.deny);
      };
    };

    systemd.services.incron = {
      description = "File System Events Scheduler";
      wantedBy = [ "multi-user.target" ];

      # Everything listed in `extraPackages` ends up on the daemon's PATH.
      path = cfg.extraPackages;

      serviceConfig = {
        PIDFile = "/run/incrond.pid";
        # NOTE(review): `mkdir -m` applies the mode only when it creates the
        # directory; an existing /var/spool/incron keeps whatever mode it
        # already has.
        ExecStartPre = "${pkgs.coreutils}/bin/mkdir -m 710 -p /var/spool/incron";
        ExecStart = "${pkgs.incron}/bin/incrond --foreground";
      };
    };
  };

}