From 7ccda42007b892d82b0a89d511d93acec771a83e Mon Sep 17 00:00:00 2001
From: Dan Peebles <pumpkin@me.com>
Date: Sat, 23 Jan 2016 19:28:01 +0000
Subject: [PATCH] nixos: uptimed - rewrite and harden a bit (#7220)

This is mostly @thoughtpolice's work, but I cleaned it up a bit.
---
 nixos/modules/services/system/uptimed.nix | 71 ++++++++++-------------
 1 file changed, 30 insertions(+), 41 deletions(-)

diff --git a/nixos/modules/services/system/uptimed.nix b/nixos/modules/services/system/uptimed.nix
index 5f8916bbf9a47..b20d60968032d 100644
--- a/nixos/modules/services/system/uptimed.nix
+++ b/nixos/modules/services/system/uptimed.nix
@@ -1,66 +1,55 @@
-{pkgs, config, lib, ...}:
+{ config, lib, pkgs, ... }:
 
-let
-
-  inherit (lib) mkOption mkIf singleton;
-
-  inherit (pkgs) uptimed;
+with lib;
 
+let
+  cfg = config.services.uptimed;
   stateDir = "/var/spool/uptimed";
-
-  uptimedUser = "uptimed";
-
 in
-
 {
-
-  ###### interface
-
   options = {
-
     services.uptimed = {
-
       enable = mkOption {
         default = false;
         description = ''
-          Uptimed allows you to track your highest uptimes.
+          Enable <literal>uptimed</literal>, allowing you to track
+          your highest uptimes.
         '';
       };
-
     };
-
   };
 
-
-  ###### implementation
-
-  config = mkIf config.services.uptimed.enable {
-
-    environment.systemPackages = [ uptimed ];
-
-    users.extraUsers = singleton
-      { name = uptimedUser;
-        uid = config.ids.uids.uptimed;
-        description = "Uptimed daemon user";
-        home = stateDir;
-      };
+  config = mkIf cfg.enable {
+    users.extraUsers.uptimed = {
+      description = "Uptimed daemon user";
+      home        = stateDir;
+      createHome  = true;
+      uid         = config.ids.uids.uptimed;
+    };
 
     systemd.services.uptimed = {
-      description = "Uptimed daemon";
-      wantedBy = [ "multi-user.target" ];
+      unitConfig.Documentation = "man:uptimed(8) man:uprecords(1)";
+      description = "uptimed service";
+      wantedBy    = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Restart                 = "on-failure";
+        User                    = "uptimed";
+        Nice                    = 19;
+        IOSchedulingClass       = "idle";
+        PrivateTmp              = "yes";
+        PrivateNetwork          = "yes";
+        NoNewPrivileges         = "yes";
+        ReadWriteDirectories    = stateDir;
+        InaccessibleDirectories = "/home";
+        ExecStart               = "${pkgs.uptimed}/sbin/uptimed -f -p ${stateDir}/pid";
+      };
 
       preStart = ''
-        mkdir -m 0755 -p ${stateDir}
-        chown ${uptimedUser} ${stateDir}
-
         if ! test -f ${stateDir}/bootid ; then
-          ${uptimed}/sbin/uptimed -b
+          ${pkgs.uptimed}/sbin/uptimed -b
         fi
       '';
-
-      script = "${uptimed}/sbin/uptimed";
     };
-
   };
-
 }
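Review bot: `ReadWriteDirectories = stateDir;` in the new `serviceConfig` does not confine writes by itself, because systemd only uses it to re-open a path inside a tree that another directive has made read-only, and nothing in this unit sets `ReadOnlyDirectories` or `ProtectSystem`. As written, the daemon can still write anywhere the `uptimed` user's file permissions allow. Adding `ProtectSystem = "full";` next to it would give the allow-list a read-only base to carve out of, though the option should be checked against the systemd version this module targets. Separately, `InaccessibleDirectories = "/home";` leaves `/root` and `/run/user` reachable, which `ProtectHome = "yes";` would cover as well.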