nix: vendor systemd units

2025-11-29 15:20:15 +09:00
parent fe87f72b00
commit 877f45c103
5 changed files with 20 additions and 66 deletions


@@ -8,6 +8,8 @@ ExecStart=/usr/bin/muscl server --systemd socket-activate
WatchdogSec=15
# Although this is a multi-instance unit, the constant `User` field is needed
# for authentication via mysql's auth_socket plugin to work.
User=muscl
Group=muscl
DynamicUser=yes
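Review bot: The comment above `User=muscl` calls this a multi-instance unit, but the socket unit in this commit sets `Accept=no`, so a single service instance receives the listening socket. The comment should describe that model, for example `# DynamicUser allocates the UID at runtime; the fixed User= name is what mysql's auth_socket plugin matches on.` The unit continues outside this hunk, so its remaining directives are not visible here.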


@@ -1,8 +1,10 @@
[Unit]
Description=MySQL administration tool for non-admin users
WantedBy=sockets.target
[Socket]
ListenStream=/run/muscl/muscl.sock
Accept=no
PassCredentials=true
[Install]
WantedBy=sockets.target
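Review bot: `ListenStream=/run/muscl/muscl.sock` is now fixed in the vendored unit, while the NixOS module in this commit stops setting `ListenStream = cfg.settings.server.socket_path` and keeps only `wantedBy`. If that option is still exposed (its declaration is not visible here), a non-default value would leave systemd listening on one path while the configuration names another. The module could keep the override in the same reset-then-set style it uses for ExecStart: `systemd.sockets."muscl".socketConfig.ListenStream = [ "" cfg.settings.server.socket_path ];`. Separately, no `SocketMode=` is set, so the socket gets systemd's default of 0666. The credentials passed via `PassCredentials=true` are then presumably the only access control on it, and a short comment stating that this is intentional would help.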


@@ -82,6 +82,7 @@
root = ./.;
fileset = lib.fileset.unions [
(craneLib.fileset.commonCargoSources ./.)
./assets
];
};
in {


@@ -31,7 +31,12 @@ buildFunction {
shell = [ "bash" "zsh" "fish" ];
command = [ "muscl" "mysql-dbadm" "mysql-useradm" ];
};
in lib.concatStringsSep "\n" commands;
in lib.concatStringsSep "\n" commands + ''
install -Dm444 assets/systemd/muscl.socket -t "$out/lib/systemd/system"
install -Dm644 assets/systemd/muscl.service -t "$out/lib/systemd/system"
substituteInPlace "$out/lib/systemd/system/muscl.service" \
--replace-fail '/usr/bin/muscl' "$out/bin/muscl"
'';
meta = with lib; {
license = licenses.mit;
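Review bot: The appended `''` string starts directly with `install`, because Nix drops the empty first line of an indented string and `lib.concatStringsSep "\n" commands` adds no trailing newline. Unless every element of `commands` already ends in a newline (their definition is above this hunk), the last completion command and `install -Dm444 …` end up on one shell line. Making the separator explicit avoids depending on that: `in lib.concatStringsSep "\n" commands + "\n" + ''`. The service file is presumably installed 0644 rather than 0444 so that `substituteInPlace` can rewrite it, and a one-line comment saying so would explain the differing modes.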


@@ -96,31 +96,17 @@ in
}
];
systemd.packages = [ cfg.package ];
systemd.sockets."muscl".wantedBy = [ "sockets.target" ];
systemd.services."muscl" = {
description = "MySQL administration tool for non-admin users";
restartTriggers = [ config.environment.etc."muscl/config.toml".source ];
requires = [ "muscl.socket" ];
serviceConfig = {
Type = "notify";
ExecStart = "${lib.getExe cfg.package} ${cfg.logLevel} server --systemd socket-activate";
WatchdogSec = 15;
# Although this is a multi-instance unit, the constant `User` field is needed
# for authentication via mysql's auth_socket plugin to work.
User = "muscl";
Group = "muscl";
DynamicUser = true;
ConfigurationDirectory = "muscl";
RuntimeDirectory = "muscl";
# This is required to read unix user/group details.
PrivateUsers = false;
# Needed to communicate with MySQL.
PrivateNetwork = false;
PrivateIPC = false;
ExecStart = [
""
"${lib.getExe cfg.package} ${cfg.logLevel} server --systemd socket-activate"
];
IPAddressDeny = "any";
IPAddressAllow = [
@@ -131,48 +117,6 @@ in
RestrictAddressFamilies = [ "AF_UNIX" ]
++ (lib.optionals (cfg.settings.mysql.host != null) [ "AF_INET" "AF_INET6" ]);
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = "yes";
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = "strict";
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
UMask = "0777";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SocketBindDeny = [ "any" ];
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
};
};
systemd.sockets."muscl" = {
description = "MySQL administration tool for non-admin users";
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = cfg.settings.server.socket_path;
Accept = "no";
PassCredentials = true;
};
};
};
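Review bot: The second hunk drops the whole sandboxing set from the module (`NoNewPrivileges`, `ProtectSystem = "strict"`, `CapabilityBoundingSet`, `SystemCallFilter`, `UMask`, and the rest) and relies on the unit shipped through `systemd.packages`. The only visible hunk of that unit covers lines 8–15, so this page cannot confirm that the vendored file carries the same directives. Any directive missing there would leave the service running with less confinement than before, so comparing `systemd-analyze security muscl.service` before and after the change is worth doing. A comment next to `systemd.packages` would also help the next reader, e.g. `# Sandboxing directives live in assets/systemd/muscl.service; only site-specific overrides are set here.`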