diff --git a/nixos/modules/services/torrent/rtorrent.nix b/nixos/modules/services/torrent/rtorrent.nix
index 009c2ffe0a5b..e0ce33d13462 100644
--- a/nixos/modules/services/torrent/rtorrent.nix
+++ b/nixos/modules/services/torrent/rtorrent.nix
@@ -8,6 +8,8 @@ let
 opt = options.services.rtorrent;
 in {
+ meta.maintainers = with lib.maintainers; [ thiagokokada ];
+
 options.services.rtorrent = {
 enable = mkEnableOption "rtorrent";
@@ -202,7 +204,31 @@ in {
 ExecStartPre=''${pkgs.bash}/bin/bash -c "if test -e ${cfg.dataDir}/session/rtorrent.lock && test -z $(${pkgs.procps}/bin/pidof rtorrent); then rm -f ${cfg.dataDir}/session/rtorrent.lock; fi"'';
 ExecStart="${cfg.package}/bin/rtorrent -n -o system.daemon.set=true -o import=${rtorrentConfigFile}";
 RuntimeDirectory = "rtorrent";
- RuntimeDirectoryMode = 755;
+ RuntimeDirectoryMode = 750;
+
+ CapabilityBoundingSet = [ "" ];
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ # If the default user is changed, there is a good chance that they
+ # want to store data in e.g.: $HOME directory
+ # Relax hardening in this case
+ ProtectHome = lib.mkIf (cfg.user == "rtorrent") true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "full";
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@privileged" ];
 };
 };
 };
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 1db9f702e241..d9551c33d8f6 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
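Review bot: `ProtectSystem = "full"` only makes /usr, the boot loader directories and /etc read-only, so the new sandbox still leaves the rest of the filesystem writable to rtorrent; since the unit already names `cfg.dataDir` in ExecStartPre, `ProtectSystem = "strict";` together with `ReadWritePaths = [ cfg.dataDir ];` (plus the download directory, which is declared outside this hunk) would confine writes to the service's own state, and the lock-file cleanup in ExecStartPre would still work because it lives under the same path. `ProtectProc = "invisible"` applies to ExecStartPre as well, so the `pidof rtorrent` check there can no longer see an rtorrent running as another user and may remove that instance's lock if it shares the session directory; probably acceptable, but a short comment such as `# ProtectProc hides other users' processes from the pidof stale-lock check above` next to `ProtectProc` would record that trade-off. For a daemon without a JIT, `MemoryDenyWriteExecute = true;` and `RemoveIPC = true;` are the usual remaining additions and would fit this list. The `serviceConfig` attribute set this hunk extends begins before the hunk.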
@@ -824,6 +824,7 @@ in {
 rstudio-server = handleTest ./rstudio-server.nix {};
 rsyncd = handleTest ./rsyncd.nix {};
 rsyslogd = handleTest ./rsyslogd.nix {};
+ rtorrent = handleTest ./rtorrent.nix {};
 rxe = handleTest ./rxe.nix {};
 sabnzbd = handleTest ./sabnzbd.nix {};
 samba = handleTest ./samba.nix {};
diff --git a/nixos/tests/rtorrent.nix b/nixos/tests/rtorrent.nix
new file mode 100644
index 000000000000..77e78b549a96
--- /dev/null
+++ b/nixos/tests/rtorrent.nix
@@ -0,0 +1,25 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+let
+ port = 50001;
+in
+{
+ name = "rtorrent";
+ meta = {
+ maintainers = with pkgs.lib.maintainers; [ thiagokokada ];
+ };
+
+ nodes.machine = { pkgs, ... }: {
+ services.rtorrent = {
+ inherit port;
+ enable = true;
+ };
+ };
+
+ testScript = /* python */ ''
+ machine.start()
+ machine.wait_for_unit("rtorrent.service")
+ machine.wait_for_open_port(${toString port})
+
+ machine.succeed("nc -z localhost ${toString port}")
+ '';
+})
diff --git a/pkgs/applications/networking/p2p/rakshasa-rtorrent/default.nix b/pkgs/applications/networking/p2p/rakshasa-rtorrent/default.nix
index bc3989f1ee67..52ef3f735001 100644
--- a/pkgs/applications/networking/p2p/rakshasa-rtorrent/default.nix
+++ b/pkgs/applications/networking/p2p/rakshasa-rtorrent/default.nix
@@ -13,9 +13,10 @@
 , pkg-config
 , xmlrpc_c
 , zlib
+, nixosTests
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation {
 pname = "rakshasa-rtorrent";
 version = "0.9.8+date=2022-06-20";
 
@@ -53,6 +54,10 @@ stdenv.mkDerivation rec {
 "--with-posix-fallocate"
 ];
 
+ passthru.tests = {
+ inherit (nixosTests) rtorrent;
+ };
+
 enableParallelBuilding = true;
 
 postInstall = ''
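Review bot: The new test stops at `wait_for_open_port` and `nc -z`, which is satisfied as soon as rtorrent binds its listening socket, so a sandbox denial in the hardened unit that only triggers when the daemon first writes to its session directory or hits a filtered syscall would not fail this test. Waiting for an artefact that proves rtorrent got past startup, for example `machine.wait_for_file("<dataDir>/session/rtorrent.lock")` with the module's default data directory filled in (the lock file is the one the unit's ExecStartPre already references), and then `machine.fail("journalctl -u rtorrent.service | grep -q SIGSYS")`, would make the test actually guard the hardening that this commit introduces. As written, `meta.maintainers` and `nodes.machine` are fine.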
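Review bot: Dropping `rec` from `stdenv.mkDerivation rec {` changes the scoping of every attribute in that set, not only the two hunks shown: any attribute in the part of default.nix this diff does not include (a `src` that refers to `version` by bare name, for instance) would now fail to evaluate with an undefined-variable error. If nothing in the file references `pname` or `version` that way the change is harmless, but that cannot be confirmed from these hunks, so it is worth an explicit check before merging. The `passthru.tests = { inherit (nixosTests) rtorrent; };` addition is consistent with the new `nixosTests` argument.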