| blob | a2ec0d2c80e1f3c0f6a4ab72430e41b691c676c5 |
1 { pkgs, lib, config, ... }:
2 let
3 cfg = config.services.nixseparatedebuginfod;
4 url = "127.0.0.1:${toString cfg.port}";
5 in
6 {
7 options = {
8 services.nixseparatedebuginfod = {
9 enable = lib.mkEnableOption "separatedebuginfod, a debuginfod server providing source and debuginfo for nix packages";
10 port = lib.mkOption {
11 description = "port to listen";
12 default = 1949;
13 type = lib.types.port;
14 };
15 nixPackage = lib.mkOption {
16 type = lib.types.package;
17 default = pkgs.nix;
18 defaultText = lib.literalExpression "pkgs.nix";
19 description = ''
20 The version of nix that nixseparatedebuginfod should use as client for the nix daemon. It is strongly advised to use nix version >= 2.18, otherwise some debug info may go missing.
21 '';
22 };
23 allowOldNix = lib.mkOption {
24 type = lib.types.bool;
25 default = false;
26 description = ''
27 Do not fail evaluation when {option}`services.nixseparatedebuginfod.nixPackage` is older than nix 2.18.
28 '';
29 };
30 };
31 };
32 config = lib.mkIf cfg.enable {
33 assertions = [ {
34 assertion = cfg.allowOldNix || (lib.versionAtLeast cfg.nixPackage.version "2.18");
35 message = "nixseparatedebuginfod works better when `services.nixseparatedebuginfod.nixPackage` is set to nix >= 2.18 (instead of ${cfg.nixPackage.name}). Set `services.nixseparatedebuginfod.allowOldNix` to bypass.";
36 } ];
38 systemd.services.nixseparatedebuginfod = {
39 wantedBy = [ "multi-user.target" ];
40 wants = [ "nix-daemon.service" ];
41 after = [ "nix-daemon.service" ];
42 path = [ cfg.nixPackage ];
43 serviceConfig = {
44 ExecStart = [ "${pkgs.nixseparatedebuginfod}/bin/nixseparatedebuginfod -l ${url}" ];
45 Restart = "on-failure";
46 CacheDirectory = "nixseparatedebuginfod";
47 # nix does not like DynamicUsers in allowed-users
48 User = "nixseparatedebuginfod";
49 Group = "nixseparatedebuginfod";
51 # hardening
52 # Filesystem stuff
53 ProtectSystem = "strict"; # Prevent writing to most of /
54 ProtectHome = true; # Prevent accessing /home and /root
55 PrivateTmp = true; # Give an own directory under /tmp
56 PrivateDevices = true; # Deny access to most of /dev
57 ProtectKernelTunables = true; # Protect some parts of /sys
58 ProtectControlGroups = true; # Remount cgroups read-only
59 RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files
60 PrivateMounts = true; # Give an own mount namespace
61 RemoveIPC = true;
62 UMask = "0077";
64 # Capabilities
65 CapabilityBoundingSet = ""; # Allow no capabilities at all
66 NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options.
68 # Kernel stuff
69 ProtectKernelModules = true; # Prevent loading of kernel modules
70 SystemCallArchitectures = "native"; # Usually no need to disable this
71 ProtectKernelLogs = true; # Prevent access to kernel logs
72 ProtectClock = true; # Prevent setting the RTC
74 # Networking
75 RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
77 # Misc
78 LockPersonality = true; # Prevent change of the personality
79 ProtectHostname = true; # Give an own UTS namespace
80 RestrictRealtime = true; # Prevent switching to RT scheduling
81 MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python
82 RestrictNamespaces = true;
83 };
84 };
86 users.users.nixseparatedebuginfod = {
87 isSystemUser = true;
88 group = "nixseparatedebuginfod";
89 };
91 users.groups.nixseparatedebuginfod = { };
93 nix.settings = lib.optionalAttrs (lib.versionAtLeast config.nix.package.version "2.4") {
94 extra-allowed-users = [ "nixseparatedebuginfod" ];
95 };
97 environment.variables.DEBUGINFOD_URLS = "http://${url}";
99 environment.systemPackages = [
100 # valgrind support requires debuginfod-find on PATH
101 (lib.getBin pkgs.elfutils)
102 ];
104 environment.etc."gdb/gdbinit.d/nixseparatedebuginfod.gdb".text = "set debuginfod enabled on";
106 };
107 }