| blob | 4506bbbc5eb73de3dec19b0f23b2b26e4595b5ad |
1 { config, lib, pkgs, ... }:
4 let
6 inherit (lib) mkIf mkMerge;
7 inherit (lib) concatStringsSep optionalString;
9 cfg = config.services.hylafax;
10 mapModems = lib.forEach (lib.attrValues cfg.modems);
12 mkConfigFile = name: conf:
13 # creates hylafax config file,
14 # makes sure "Include" is listed *first*
15 let
16 mkLines = lib.flip lib.pipe [
17 (lib.mapAttrsToList (key: map (val: "${key}: ${val}")))
18 lib.concatLists
19 ];
20 include = mkLines { Include = conf.Include or []; };
21 other = mkLines ( conf // { Include = []; } );
22 in
23 pkgs.writeText "hylafax-config${name}"
24 (concatStringsSep "\n" (include ++ other));
26 globalConfigPath = mkConfigFile "" cfg.faxqConfig;
28 modemConfigPath =
29 let
30 mkModemConfigFile = { config, name, ... }:
31 mkConfigFile ".${name}"
32 (cfg.commonModemConfig // config);
33 mkLine = { name, type, ... }@modem: ''
34 # check if modem config file exists:
35 test -f "${pkgs.hylafaxplus}/spool/config/${type}"
36 ln \
37 --symbolic \
38 --no-target-directory \
39 "${mkModemConfigFile modem}" \
40 "$out/config.${name}"
41 '';
42 in
43 pkgs.runCommand "hylafax-config-modems" { preferLocalBuild = true; }
44 ''mkdir --parents "$out/" ${concatStringsSep "\n" (mapModems mkLine)}'';
46 setupSpoolScript = pkgs.substituteAll {
47 name = "hylafax-setup-spool.sh";
48 src = ./spool.sh;
49 isExecutable = true;
50 faxuser = "uucp";
51 faxgroup = "uucp";
52 lockPath = "/var/lock";
53 inherit globalConfigPath modemConfigPath;
54 inherit (cfg) sendmailPath spoolAreaPath userAccessFile;
55 inherit (pkgs) hylafaxplus runtimeShell;
56 };
58 waitFaxqScript = pkgs.substituteAll {
59 # This script checks the modems status files
60 # and waits until all modems report readiness.
61 name = "hylafax-faxq-wait-start.sh";
62 src = ./faxq-wait.sh;
63 isExecutable = true;
64 timeoutSec = toString 10;
65 inherit (cfg) spoolAreaPath;
66 inherit (pkgs) runtimeShell;
67 };
69 sockets.hylafax-hfaxd = {
70 description = "HylaFAX server socket";
71 documentation = [ "man:hfaxd(8)" ];
72 wantedBy = [ "multi-user.target" ];
73 listenStreams = [ "127.0.0.1:4559" ];
74 socketConfig.FreeBind = true;
75 socketConfig.Accept = true;
76 };
78 paths.hylafax-faxq = {
79 description = "HylaFAX queue manager sendq watch";
80 documentation = [ "man:faxq(8)" "man:sendq(5)" ];
81 wantedBy = [ "multi-user.target" ];
82 pathConfig.PathExistsGlob = [ "${cfg.spoolAreaPath}/sendq/q*" ];
83 };
85 timers = mkMerge [
86 (
87 mkIf (cfg.faxcron.enable.frequency!=null)
88 { hylafax-faxcron.timerConfig.Persistent = true; }
89 )
90 (
91 mkIf (cfg.faxqclean.enable.frequency!=null)
92 { hylafax-faxqclean.timerConfig.Persistent = true; }
93 )
94 ];
96 hardenService =
97 # Add some common systemd service hardening settings,
98 # but allow each service (here) to override
99 # settings by explicitely setting those to `null`.
100 # More hardening would be nice but makes
101 # customizing hylafax setups very difficult.
102 # If at all, it should only be added along
103 # with some options to customize it.
104 let
105 hardening = {
106 PrivateDevices = true; # breaks /dev/tty...
107 PrivateNetwork = true;
108 PrivateTmp = true;
109 #ProtectClock = true; # breaks /dev/tty... (why?)
110 ProtectControlGroups = true;
111 #ProtectHome = true; # breaks custom spool dirs
112 ProtectKernelLogs = true;
113 ProtectKernelModules = true;
114 ProtectKernelTunables = true;
115 #ProtectSystem = "strict"; # breaks custom spool dirs
116 RestrictNamespaces = true;
117 RestrictRealtime = true;
118 };
119 filter = key: value: (value != null) || ! (lib.hasAttr key hardening);
120 apply = service: lib.filterAttrs filter (hardening // (service.serviceConfig or {}));
121 in
122 service: service // { serviceConfig = apply service; };
124 services.hylafax-spool = {
125 description = "HylaFAX spool area preparation";
126 documentation = [ "man:hylafax-server(4)" ];
127 script = ''
128 ${setupSpoolScript}
129 cd "${cfg.spoolAreaPath}"
130 ${cfg.spoolExtraInit}
131 if ! test -f "${cfg.spoolAreaPath}/etc/hosts.hfaxd"
132 then
133 echo hosts.hfaxd is missing
134 exit 1
135 fi
136 '';
137 serviceConfig.ExecStop = "${setupSpoolScript}";
138 serviceConfig.RemainAfterExit = true;
139 serviceConfig.Type = "oneshot";
140 unitConfig.RequiresMountsFor = [ cfg.spoolAreaPath ];
141 };
143 services.hylafax-faxq = {
144 description = "HylaFAX queue manager";
145 documentation = [ "man:faxq(8)" ];
146 requires = [ "hylafax-spool.service" ];
147 after = [ "hylafax-spool.service" ];
148 wants = mapModems ( { name, ... }: "hylafax-faxgetty@${name}.service" );
149 wantedBy = mkIf cfg.autostart [ "multi-user.target" ];
150 serviceConfig.Type = "forking";
151 serviceConfig.ExecStart = ''${pkgs.hylafaxplus}/spool/bin/faxq -q "${cfg.spoolAreaPath}"'';
152 # This delays the "readiness" of this service until
153 # all modems are initialized (or a timeout is reached).
154 # Otherwise, sending a fax with the fax service
155 # stopped will always yield a failed send attempt:
156 # The fax service is started when the job is created with
157 # `sendfax`, but modems need some time to initialize.
158 serviceConfig.ExecStartPost = [ "${waitFaxqScript}" ];
159 # faxquit fails if the pipe is already gone
160 # (e.g. the service is already stopping)
161 serviceConfig.ExecStop = ''-${pkgs.hylafaxplus}/spool/bin/faxquit -q "${cfg.spoolAreaPath}"'';
162 # disable some systemd hardening settings
163 serviceConfig.PrivateDevices = null;
164 serviceConfig.RestrictRealtime = null;
165 };
167 services."hylafax-hfaxd@" = {
168 description = "HylaFAX server";
169 documentation = [ "man:hfaxd(8)" ];
170 after = [ "hylafax-faxq.service" ];
171 requires = [ "hylafax-faxq.service" ];
172 serviceConfig.StandardInput = "socket";
173 serviceConfig.StandardOutput = "socket";
174 serviceConfig.ExecStart = ''${pkgs.hylafaxplus}/spool/bin/hfaxd -q "${cfg.spoolAreaPath}" -d -I'';
175 unitConfig.RequiresMountsFor = [ cfg.userAccessFile ];
176 # disable some systemd hardening settings
177 serviceConfig.PrivateDevices = null;
178 serviceConfig.PrivateNetwork = null;
179 };
181 services.hylafax-faxcron = rec {
182 description = "HylaFAX spool area maintenance";
183 documentation = [ "man:faxcron(8)" ];
184 after = [ "hylafax-spool.service" ];
185 requires = [ "hylafax-spool.service" ];
186 wantedBy = mkIf cfg.faxcron.enable.spoolInit requires;
187 startAt = mkIf (cfg.faxcron.enable.frequency!=null) cfg.faxcron.enable.frequency;
188 serviceConfig.ExecStart = concatStringsSep " " [
189 "${pkgs.hylafaxplus}/spool/bin/faxcron"
190 ''-q "${cfg.spoolAreaPath}"''
191 ''-info ${toString cfg.faxcron.infoDays}''
192 ''-log ${toString cfg.faxcron.logDays}''
193 ''-rcv ${toString cfg.faxcron.rcvDays}''
194 ];
195 };
197 services.hylafax-faxqclean = rec {
198 description = "HylaFAX spool area queue cleaner";
199 documentation = [ "man:faxqclean(8)" ];
200 after = [ "hylafax-spool.service" ];
201 requires = [ "hylafax-spool.service" ];
202 wantedBy = mkIf cfg.faxqclean.enable.spoolInit requires;
203 startAt = mkIf (cfg.faxqclean.enable.frequency!=null) cfg.faxqclean.enable.frequency;
204 serviceConfig.ExecStart = concatStringsSep " " [
205 "${pkgs.hylafaxplus}/spool/bin/faxqclean"
206 ''-q "${cfg.spoolAreaPath}"''
207 "-v"
208 (optionalString (cfg.faxqclean.archiving!="never") "-a")
209 (optionalString (cfg.faxqclean.archiving=="always") "-A")
210 ''-j ${toString (cfg.faxqclean.doneqMinutes*60)}''
211 ''-d ${toString (cfg.faxqclean.docqMinutes*60)}''
212 ];
213 };
215 mkFaxgettyService = { name, ... }:
216 lib.nameValuePair "hylafax-faxgetty@${name}" rec {
217 description = "HylaFAX faxgetty for %I";
218 documentation = [ "man:faxgetty(8)" ];
219 bindsTo = [ "dev-%i.device" ];
220 requires = [ "hylafax-spool.service" ];
221 after = bindsTo ++ requires;
222 before = [ "hylafax-faxq.service" "getty.target" ];
223 unitConfig.StopWhenUnneeded = true;
224 unitConfig.AssertFileNotEmpty = "${cfg.spoolAreaPath}/etc/config.%I";
225 serviceConfig.UtmpIdentifier = "%I";
226 serviceConfig.TTYPath = "/dev/%I";
227 serviceConfig.Restart = "always";
228 serviceConfig.KillMode = "process";
229 serviceConfig.IgnoreSIGPIPE = false;
230 serviceConfig.ExecStart = ''-${pkgs.hylafaxplus}/spool/bin/faxgetty -q "${cfg.spoolAreaPath}" /dev/%I'';
231 # faxquit fails if the pipe is already gone
232 # (e.g. the service is already stopping)
233 serviceConfig.ExecStop = ''-${pkgs.hylafaxplus}/spool/bin/faxquit -q "${cfg.spoolAreaPath}" %I'';
234 # disable some systemd hardening settings
235 serviceConfig.PrivateDevices = null;
236 serviceConfig.RestrictRealtime = null;
237 };
239 modemServices =
240 lib.listToAttrs (mapModems mkFaxgettyService);
242 in
244 {
245 config.systemd = mkIf cfg.enable {
246 inherit sockets timers paths;
247 services = lib.mapAttrs (lib.const hardenService) (services // modemServices);
248 };
249 }