backups/grapevine
1
0
Fork 0
mirror of https://gitlab.computer.surgery/matrix/grapevine.git synced 2025-12-16 15:21:24 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Validate generated config file in the nixos module

Browse source 
This uses the usual pkgs.runCommand pattern to ensure that no
non-parseable config files can make it to the command line.
This commit is contained in:
Andreas Fuchs 2024-10-30 11:19:10 -04:00
parent a02c551a5e
commit dcf64f03fb
1 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
nix/modules/default/default.nix
View file

@ -11,6 +11,10 @@ let
cfg = config.services.grapevine;
configFile = format.generate "config.toml" cfg.settings;
validateConfig = file: pkgs.runCommand "grapevine-checked-config" {} ''
${lib.getExe cfg.package} check-config -c ${lib.escapeShellArg file}
ln -s ${lib.escapeShellArg file} "$out"
'';
format = pkgs.formats.toml {};
in
@ -79,7 +83,7 @@ in
# Keep sorted
serviceConfig = {
DynamicUser = true;
ExecStart = "${lib.getExe cfg.package} serve --config ${configFile}";
ExecStart = "${lib.getExe cfg.package} serve --config ${validateConfig configFile}";
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;