Austin Seipp da6bc44dd7 nixos: transmission improvements
This mostly upgrades transmission, and does some very minor touchups on
AppArmor support.

In particular, there is now no need to ever specify the umask as part of
the settings, as it will be mixed in by default (which is essentially
always what you want). Also, the default configuration is now more
sensible: Downloads are put in /var/lib/transmission/Downloads, and
incomplete files are put in /var/lib/transmission/.incomplete - this
also allows easy use of file syncing programs, like BitTorrent Sync.

Finally, this unconditionally enables the AppArmor profiles for the
daemon, if AppArmor is enabled - rather than letting the user specify
profile support, it's best to default to supporting profiles for daemons
transparently in all places.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-15 06:54:51 -05:00


# NixOS module: optional AppArmor Mandatory Access Control support.
#
# When `security.apparmor.enable` is set this module asserts that the
# selected kernel was built with AppArmor, puts the userland tools on the
# system path, and registers a oneshot service that loads every profile
# listed in `security.apparmor.profiles` at boot and removes them again
# when the service is stopped.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.security.apparmor;

  # The userland parser and the directory holding the stock abstractions
  # that profiles include; both come from the apparmor package.
  parser     = "${pkgs.apparmor}/sbin/apparmor_parser";
  includeDir = "${pkgs.apparmor}/etc/apparmor.d/";

  # One command per profile, each terminated by " ; " so that the results
  # can simply be concatenated into a single ExecStart / ExecStop value.
  #   -r  replace an already-loaded profile of the same name
  #   -K  skip the binary profile cache (always parse the source file)
  #   -R  remove the profile from the kernel
  #   -v  verbose output
  #   -I  extra include search directory (the stock abstractions)
  loadCmd   = profile: ''${parser} -rKv -I ${includeDir} "${profile}" ; '';
  unloadCmd = profile: ''${parser} -Rv -I ${includeDir} "${profile}" ; '';
in

{
  options.security.apparmor = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable the AppArmor Mandatory Access Control system.";
    };

    profiles = mkOption {
      type = types.listOf types.path;
      default = [];
      description = "List of files containing AppArmor profiles.";
    };
  };

  config = mkIf cfg.enable {
    # AppArmor is a kernel LSM; refuse the configuration when the chosen
    # kernel does not advertise the feature at all.
    assertions = [
      { assertion = config.boot.kernelPackages.kernel.features ? apparmor
                 && config.boot.kernelPackages.kernel.features.apparmor;
        message = "Your selected kernel does not have AppArmor support";
      }
    ];

    environment.systemPackages = [ pkgs.apparmor ];

    systemd.services.apparmor = {
      # Wanted by an early target -- presumably so the profiles are in the
      # kernel before confined daemons start; confirm against the units
      # that rely on them.
      wantedBy = [ "local-fs.target" ];
      path = [ pkgs.apparmor ];

      serviceConfig = {
        Type = "oneshot";
        # Stay "active" after the parser exits, so that stopping the unit
        # runs ExecStop and unloads the profiles again.
        RemainAfterExit = "yes";
        ExecStart = concatMapStrings loadCmd cfg.profiles;
        ExecStop  = concatMapStrings unloadCmd cfg.profiles;
      };
    };
  };
}