commit a8e7d96eb22efc716a5447e0461dae37f47748e5 · pyrox.dev/nixpkgs

+39 -2
nixos/modules/services/databases/redis.nix
···

       5
       5
        
       let

     

       6
       6
        
         cfg = config.services.redis;

     

       7
       7
        
       

     

       8
       8
       +
         ulimitNofile = cfg.maxclients + 32;

     

       9
       9
       +
       

     

       8
       10
        
         mkValueString = value:

     

       9
       11
        
           if value == true then "yes"

     

       10
       12
        
           else if value == false then "no"

     
···

       14
       16
        
           listsAsDuplicateKeys = true;

     

       15
       17
        
           mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } " ";

     

       16
       18
        
         } cfg.settings);

     

       17
       17
       -
       in

     

       18
       18
       -
       {

     

       19
       19
       +
       

     

       20
       20
       +
       in {

     

       19
       21
        
         imports = [

     

       20
       22
        
           (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.")

     

       21
       23
        
           (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.")

     
···

       121
       123
        
               description = "Set the number of databases.";

     

       122
       124
        
             };

     

       123
       125
        
       

     

       126
       126
       +
             maxclients = mkOption {

     

       127
       127
       +
               type = types.int;

     

       128
       128
       +
               default = 10000;

     

       129
       129
       +
               description = "Set the max number of connected clients at the same time.";

     

       130
       130
       +
             };

     

       131
       131
       +
       

     

       124
       132
        
             save = mkOption {

     

       125
       133
        
               type = with types; listOf (listOf int);

     

       126
       134
        
               default = [ [900 1] [300 10] [60 10000] ];

     
···

       253
       261
        
               logfile = cfg.logfile;

     

       254
       262
        
               syslog-enabled = cfg.syslog;

     

       255
       263
        
               databases = cfg.databases;

     

       264
       264
       +
               maxclients = cfg.maxclients;

     

       256
       265
        
               save = map (d: "${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}") cfg.save;

     

       257
       266
        
               dbfilename = "dump.rdb";

     

       258
       267
        
               dir = "/var/lib/redis";

     
···

       295
       304
        
               StateDirectoryMode = "0700";

     

       296
       305
        
               # Access write directories

     

       297
       306
        
               UMask = "0077";

     

       307
       307
       +
               # Capabilities

     

       308
       308
       +
               CapabilityBoundingSet = "";

     

       309
       309
       +
               # Security

     

       310
       310
       +
               NoNewPrivileges = true;

     

       311
       311
       +
               # Process Properties

     

       312
       312
       +
               LimitNOFILE = "${toString ulimitNofile}";

     

       313
       313
       +
               # Sandboxing

     

       314
       314
       +
               ProtectSystem = "strict";

     

       315
       315
       +
               ProtectHome = true;

     

       316
       316
       +
               PrivateTmp = true;

     

       317
       317
       +
               PrivateDevices = true;

     

       318
       318
       +
               PrivateUsers = true;

     

       319
       319
       +
               ProtectClock = true;

     

       320
       320
       +
               ProtectHostname = true;

     

       321
       321
       +
               ProtectKernelLogs = true;

     

       322
       322
       +
               ProtectKernelModules = true;

     

       323
       323
       +
               ProtectKernelTunables = true;

     

       324
       324
       +
               ProtectControlGroups = true;

     

       325
       325
       +
               RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];

     

       326
       326
       +
               RestrictNamespaces = true;

     

       327
       327
       +
               LockPersonality = true;

     

       328
       328
       +
               MemoryDenyWriteExecute = true;

     

       329
       329
       +
               RestrictRealtime = true;

     

       330
       330
       +
               RestrictSUIDSGID = true;

     

       331
       331
       +
               PrivateMounts = true;

     

       332
       332
       +
               # System Call Filtering

     

       333
       333
       +
               SystemCallArchitectures = "native";

     

       334
       334
       +
               SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap";

     

       298
       335
        
             };

     

       299
       336
        
           };

     

       300
       337
        
         };