commit a8e7d96eb22efc716a5447e0461dae37f47748e5 · pyrox.dev/nixpkgs

+39 -2

nixos/modules/services/databases/redis.nix

···

       5
        
       let

     

       6
        
         cfg = config.services.redis;

     

       7
        
       

     

       0
        
       
     

       0
        
       
     

       8
        
         mkValueString = value:

     

       9
        
           if value == true then "yes"

     

       10
        
           else if value == false then "no"

     
···

       14
        
           listsAsDuplicateKeys = true;

     

       15
        
           mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } " ";

     

       16
        
         } cfg.settings);

     

       17
       -
       in

     

       18
       -
       {

     

       19
        
         imports = [

     

       20
        
           (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.")

     

       21
        
           (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.")

     
···

       121
        
               description = "Set the number of databases.";

     

       122
        
             };

     

       123
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       124
        
             save = mkOption {

     

       125
        
               type = with types; listOf (listOf int);

     

       126
        
               default = [ [900 1] [300 10] [60 10000] ];

     
···

       253
        
               logfile = cfg.logfile;

     

       254
        
               syslog-enabled = cfg.syslog;

     

       255
        
               databases = cfg.databases;

     

       0
        
       
     

       256
        
               save = map (d: "${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}") cfg.save;

     

       257
        
               dbfilename = "dump.rdb";

     

       258
        
               dir = "/var/lib/redis";

     
···

       295
        
               StateDirectoryMode = "0700";

     

       296
        
               # Access write directories

     

       297
        
               UMask = "0077";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       298
        
             };

     

       299
        
           };

     

       300
        
         };

···

       5
        
       let

     

       6
        
         cfg = config.services.redis;

     

       7
        
       

     

       8
       +
         ulimitNofile = cfg.maxclients + 32;

     

       9
       +
       

     

       10
        
         mkValueString = value:

     

       11
        
           if value == true then "yes"

     

       12
        
           else if value == false then "no"

     
···

       16
        
           listsAsDuplicateKeys = true;

     

       17
        
           mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } " ";

     

       18
        
         } cfg.settings);

     

       19
       +
       

     

       20
       +
       in {

     

       21
        
         imports = [

     

       22
        
           (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.")

     

       23
        
           (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.")

     
···

       123
        
               description = "Set the number of databases.";

     

       124
        
             };

     

       125
        
       

     

       126
       +
             maxclients = mkOption {

     

       127
       +
               type = types.int;

     

       128
       +
               default = 10000;

     

       129
       +
               description = "Set the max number of connected clients at the same time.";

     

       130
       +
             };

     

       131
       +
       

     

       132
        
             save = mkOption {

     

       133
        
               type = with types; listOf (listOf int);

     

       134
        
               default = [ [900 1] [300 10] [60 10000] ];

     
···

       261
        
               logfile = cfg.logfile;

     

       262
        
               syslog-enabled = cfg.syslog;

     

       263
        
               databases = cfg.databases;

     

       264
       +
               maxclients = cfg.maxclients;

     

       265
        
               save = map (d: "${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}") cfg.save;

     

       266
        
               dbfilename = "dump.rdb";

     

       267
        
               dir = "/var/lib/redis";

     
···

       304
        
               StateDirectoryMode = "0700";

     

       305
        
               # Access write directories

     

       306
        
               UMask = "0077";

     

       307
       +
               # Capabilities

     

       308
       +
               CapabilityBoundingSet = "";

     

       309
       +
               # Security

     

       310
       +
               NoNewPrivileges = true;

     

       311
       +
               # Process Properties

     

       312
       +
               LimitNOFILE = "${toString ulimitNofile}";

     

       313
       +
               # Sandboxing

     

       314
       +
               ProtectSystem = "strict";

     

       315
       +
               ProtectHome = true;

     

       316
       +
               PrivateTmp = true;

     

       317
       +
               PrivateDevices = true;

     

       318
       +
               PrivateUsers = true;

     

       319
       +
               ProtectClock = true;

     

       320
       +
               ProtectHostname = true;

     

       321
       +
               ProtectKernelLogs = true;

     

       322
       +
               ProtectKernelModules = true;

     

       323
       +
               ProtectKernelTunables = true;

     

       324
       +
               ProtectControlGroups = true;

     

       325
       +
               RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];

     

       326
       +
               RestrictNamespaces = true;

     

       327
       +
               LockPersonality = true;

     

       328
       +
               MemoryDenyWriteExecute = true;

     

       329
       +
               RestrictRealtime = true;

     

       330
       +
               RestrictSUIDSGID = true;

     

       331
       +
               PrivateMounts = true;

     

       332
       +
               # System Call Filtering

     

       333
       +
               SystemCallArchitectures = "native";

     

       334
       +
               SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap";

     

       335
        
             };

     

       336
        
           };

     

       337
        
         };