nixos/beanstalkd: new service for existing package #55953
Conversation
|
@GrahamcOfBorg test beanstalkd |
|
@GrahamcOfBorg test beanstalkd |
|
@zimbatm as the listed maintainer for the beanstalkd package do you have any issue with this? |
| DynamicUser = true; | ||
| Restart = "always"; | ||
| ExecStart = "${pkg}/bin/beanstalkd -l ${cfg.listen.address} -p ${toString cfg.listen.port}"; | ||
| }; |
There was a problem hiding this comment.
@flokli are there any more options that could be used to sandbox the service even more?
There was a problem hiding this comment.
From what I read, beanstalkd doesn't really use local files, so you could use
TemporaryFileSystem= to mask out most of the filesystem too.
Apart from that, you could look into SystemCallFilter=, and some resource limits.
There was a problem hiding this comment.
That sounds great! Unfortunately I'm not overly familiar with beanstalkd and the inner workings (I have an old application currently running on Debian which uses beanstalkd and I'm trying to move the app to NixOS), or setting up limitations with systemd to this extent. Do you have specific suggestions as to what limitations I should add?
| DynamicUser = true; | ||
| Restart = "always"; | ||
| ExecStart = "${pkg}/bin/beanstalkd -l ${cfg.listen.address} -p ${toString cfg.listen.port}"; | ||
| }; |
There was a problem hiding this comment.
From what I read, beanstalkd doesn't really use local files, so you could use
TemporaryFileSystem= to mask out most of the filesystem too.
Apart from that, you could look into SystemCallFilter=, and some resource limits.
|
merging as it's good enough. My bad for holding the PR back with additional requirements. |
Motivation for this change
No service for beanstalkd exists.
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)