nixos/redis: allow access to runtime and state directories to only redis user

author: Izorkin <izorkin@elven.pw> 2021-03-24 13:33:34 +0300
committer: Izorkin <izorkin@elven.pw> 2021-04-03 19:07:27 +0300
commit: 9d4aaf236627f8b9d8556fc0ed834a9837b2e76b (patch)
tree: 669dc625a072266b8af81cdff5be3e59d6295809 /nixos/modules/services/databases
parent: 86d8b31e00b267f0ed67798e966c16ef06faf9ba (diff)
1 files changed, 9 insertions, 2 deletions
diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix
index b5921a6dead2..3ddc7aad81e9 100644
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@@ -283,11 +283,18 @@ in
 
       serviceConfig = {
         ExecStart = "${cfg.package}/bin/redis-server /run/redis/redis.conf";
-        RuntimeDirectory = "redis";
-        StateDirectory = "redis";
         Type = "notify";
+        # User and group
         User = "redis";
         Group = "redis";
+        # Runtime directory and mode
+        RuntimeDirectory = "redis";
+        RuntimeDirectoryMode = "0750";
+        # State directory and mode
+        StateDirectory = "redis";
+        StateDirectoryMode = "0700";
+        # Access write directories
+        UMask = "0077";
       };
     };
   };
author	Izorkin <izorkin@elven.pw>	2021-03-24 13:33:34 +0300
committer	Izorkin <izorkin@elven.pw>	2021-04-03 19:07:27 +0300
commit	9d4aaf236627f8b9d8556fc0ed834a9837b2e76b (patch)
tree	669dc625a072266b8af81cdff5be3e59d6295809 /nixos/modules/services/databases
parent	86d8b31e00b267f0ed67798e966c16ef06faf9ba (diff)