nixos/beanstalkd: new service for existing package #55953
@GrahamcOfBorg test beanstalkd
@GrahamcOfBorg test beanstalkd
@zimbatm as the listed maintainer for the beanstalkd package do you have any issue with this?
DynamicUser = true; | ||
Restart = "always"; | ||
ExecStart = "${pkg}/bin/beanstalkd -l ${cfg.listen.address} -p ${toString cfg.listen.port}"; | ||
}; |
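Review bot: In the ExecStart line, `${cfg.listen.address}` is interpolated into the command line as-is, and systemd splits ExecStart on whitespace, so a value containing a space would be passed to beanstalkd as extra arguments. If the option is declared as a free-form string, constrain its type to an address format or quote the value (for example with `lib.escapeShellArg`) before interpolating it.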
@flokli are there any more options that could be used to sandbox the service even more?
From what I read, beanstalkd doesn't really use local files, so you could use
TemporaryFileSystem= to mask out most of the filesystem too.
Apart from that, you could look into SystemCallFilter=, and some resource limits.
That sounds great! Unfortunately I'm not overly familiar with beanstalkd and the inner workings (I have an old application currently running on Debian which uses beanstalkd and I'm trying to move the app to NixOS), or setting up limitations with systemd to this extent. Do you have specific suggestions as to what limitations I should add?
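The three suggestions in the review comment above (`TemporaryFileSystem=`, `SystemCallFilter=`, resource limits) could be expressed as the following NixOS configuration. This is an added example, not code from the PR or from any participant; the unit name `beanstalkd`, the numeric limits and the choice of extra directives are assumptions, and the set has not been tested against beanstalkd.

```nix
# Added example: extra hardening layered on top of the serviceConfig in the PR.
# Assumes the unit is named "beanstalkd", listens on an unprivileged TCP port,
# and runs without an on-disk binlog (no -b flag), so it needs no writable path.
{ ... }:
{
  systemd.services.beanstalkd.serviceConfig = {
    # Filesystem: start from an empty read-only root, then bind in only the
    # Nix store so the binary and its libraries can still be loaded.
    TemporaryFileSystem = "/:ro";
    BindReadOnlyPaths = [ "/nix/store" ];
    PrivateDevices = true;
    ProtectKernelTunables = true;
    ProtectKernelModules = true;
    ProtectControlGroups = true;

    # System calls: allow the generic service set, then subtract the
    # privileged and resource-control groups. Only native-ABI calls.
    SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
    SystemCallArchitectures = "native";

    # Privileges: no capabilities at all. A listen port below 1024 would
    # need CAP_NET_BIND_SERVICE here instead of the empty set.
    CapabilityBoundingSet = "";
    NoNewPrivileges = true;
    RestrictNamespaces = true;
    RestrictRealtime = true;
    LockPersonality = true;
    MemoryDenyWriteExecute = true;

    # Network: the daemon only needs IP sockets.
    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];

    # Resource limits: placeholder values, size them to the real workload.
    LimitNOFILE = 4096;
    MemoryMax = "512M";
    TasksMax = 32;
  };
}
```

After a rebuild, `systemd-analyze security beanstalkd.service` lists which sandboxing directives are in effect for the unit, and the journal shows whether the daemon was killed by the system call filter or a mount restriction.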
merging as it's good enough. My bad for holding the PR back with additional requirements.
Motivation for this change
No service for beanstalkd exists.