author | Arun Isaac | 2022-10-17 17:17:14 +0530 |
committer | Arun Isaac | 2022-10-17 17:29:15 +0530 |
commit | e7e227c774e61cc54ac4a8326a65d4440838cacf (patch) | |
tree | ff9683eb1345b5f153bcd9fa4f2a9551db44e649 | |
parent | 98d54369c459372327c8ec156f8c5a0f4ddc76fb (diff) | |
webhook: Run as webhook user and group.
* guix/forge/webhook.scm (%webhook-accounts): New variable.
(webhook-activation): chown log directory to webhook user and group.
(webhook-shepherd-service): Run as webhook user and group.
(webhook-service-type): Extend account-service-type.
-rw-r--r-- | guix/forge/webhook.scm | 29 |
1 files changed, 26 insertions, 3 deletions
diff --git a/guix/forge/webhook.scm b/guix/forge/webhook.scm
index 39bb7d0..7b73de6 100644
--- a/guix/forge/webhook.scm
+++ b/guix/forge/webhook.scm
@@ -125,9 +125,28 @@ Everything else is the responsibility of the command's author.")
   (id webhook-hook-id)
   (run webhook-hook-run))
 
+(define %webhook-accounts
+  (list (user-account
+         (name "webhook")
+         (group "webhook")
+         (system? #t)
+         (comment "webhook user")
+         (home-directory "/var/empty")
+         (shell (file-append shadow "/sbin/nologin")))
+        (user-group
+         (name "webhook")
+         (system? #t))))
+
 (define (webhook-activation config)
-  ;; Create log directory.
-  #~(mkdir-p #$(webhook-configuration-log-directory config)))
+  (match-record config <webhook-configuration>
+    (log-directory)
+    #~(begin
+        ;; Create log directory and set permissions.
+        (mkdir-p #$log-directory)
+        (let ((user (getpw "webhook")))
+          (for-each (lambda (file)
+                      (chown file (passwd:uid user) (passwd:gid user)))
+                    (find-files #$log-directory #:directories? #t))))))
 
 (define (hooks-json-gexp config)
   (with-extensions (list guile-json-4)
@@ -183,6 +202,8 @@ Everything else is the responsibility of the command's author.")
                    "-port" #$(number->string (forge-ip-socket-port (webhook-configuration-socket config))) "-logfile" #$(string-append (webhook-configuration-log-directory config) "/webhook.log"))
+            #:user "webhook"
+            #:group "webhook"
             #:log-file "/var/log/webhook.log")))
   (stop #~(make-kill-destructor)))))
@@ -190,7 +211,9 @@ Everything else is the responsibility of the command's author.")
   (service-type
    (name 'webhook)
    (description "Run webhook.")
-   (extensions (list (service-extension activation-service-type
+   (extensions (list (service-extension account-service-type
+                                        (const %webhook-accounts))
+                     (service-extension activation-service-type
                                         webhook-activation)
                      (service-extension shepherd-root-service-type
                                         (compose list webhook-shepherd-service)))) |
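Review bot: The recursive chown in webhook-activation re-owns every entry under log-directory on each activation, and if `chown` here resolves to chown(2) rather than lchown(2) it follows symbolic links, so once the directory belongs to the unprivileged webhook user, a link placed inside it would have its target re-owned by the next root activation run; limiting the chown to the directory itself, or skipping entries for which `(eq? 'symlink (stat:type (lstat file)))`, closes that window. Files the webhook process creates there are already owned by that user, so only the directory and any files left over from when the service ran as root need re-owning. `(getpw "webhook")` raises if the account does not exist yet when this gexp runs, which depends on how the account and activation extensions are ordered — worth confirming. Presumably the `#:directories? #t` result includes log-directory itself, which is the entry that actually needs the chown; verify, since the log file `webhook.log` is written into it by the service.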
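Review bot: With `#:user "webhook"` and `#:group "webhook"` the hook commands configured through webhook-hook now execute as an unprivileged account, and nothing in the code or the commit message tells hook authors this; the webhook-hook docstring ending in "Everything else is the responsibility of the command's author." lies outside this hunk and should gain a sentence such as `;; The command runs as the "webhook" user and group, so it cannot touch root-only paths.` so existing hooks that relied on root are not silently broken. The `#:log-file "/var/log/webhook.log"` is presumably opened by shepherd before the privilege drop, while `-logfile` under log-directory is written by the process itself — the directory permissions set in webhook-activation are what make that work, which is worth a comment at the `-logfile` line. The enclosing webhook-shepherd-service definition starts before this hunk.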