From ce1d00939358d272c04454599d3156f9c5065a5c Mon Sep 17 00:00:00 2001
From: Sander van der Burg
Date: Sun, 28 Feb 2021 14:41:25 +0100
Subject: [PATCH] Add initial version of dbus-service and disnix-service
---
example-deployments/disnix/processes.nix | 34 +++++
service-containers-agnostic/constructors.nix | 3 +-
services-agnostic/constructors.nix | 10 ++
services-agnostic/dbus-daemon/default.nix | 127 +++++++++++++++++++
services-agnostic/disnix-service/default.nix | 25 ++++
5 files changed, 198 insertions(+), 1 deletion(-)
create mode 100644 example-deployments/disnix/processes.nix
create mode 100644 services-agnostic/dbus-daemon/default.nix
create mode 100644 services-agnostic/disnix-service/default.nix
diff --git a/example-deployments/disnix/processes.nix b/example-deployments/disnix/processes.nix
new file mode 100644
index 0000000..9a81b10
--- /dev/null
+++ b/example-deployments/disnix/processes.nix
@@ -0,0 +1,34 @@
+{ pkgs ? import { inherit system; }
+, system ? builtins.currentSystem
+, stateDir ? "/var"
+, runtimeDir ? "${stateDir}/run"
+, logDir ? "${stateDir}/log"
+, spoolDir ? "${stateDir}/spool"
+, cacheDir ? "${stateDir}/cache"
+, tmpDir ? (if stateDir == "/var" then "/tmp" else "${stateDir}/tmp")
+, forceDisableUserChange ? false
+, processManager
+}:
+
+let
+ constructors = import ../../services-agnostic/constructors.nix {
+ inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
+ };
+in
+rec {
+ openssh = rec {
+ pkg = constructors.openssh {};
+ };
+
+ dbus-daemon = {
+ pkg = constructors.dbus-daemon {
+ packages = [ pkgs.disnix ];
+ };
+ };
+
+ disnix-service = {
+ pkg = constructors.disnix-service {
+ inherit dbus-daemon;
+ };
+ };
+}
diff --git a/service-containers-agnostic/constructors.nix b/service-containers-agnostic/constructors.nix
index 638bbb4..a101f31 100644
--- a/service-containers-agnostic/constructors.nix
+++ b/service-containers-agnostic/constructors.nix
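Review bot: The inner `rec` on `openssh = rec { pkg = constructors.openssh {}; };` in example-deployments/disnix/processes.nix is not needed, since nothing inside that attribute set refers to a sibling attribute; only the outer `rec` is used, by `inherit dbus-daemon;` in the disnix-service entry. Writing it as `openssh = { pkg = constructors.openssh {}; };` matches the two entries that follow. The file also has no header comment; one line stating why an SSH daemon is deployed next to the D-Bus daemon and disnix-service (presumably as the transport for remote deployment) would tell a reader which of the three processes is meant to be reachable from the network.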
@@ -4,6 +4,7 @@ , logDir , runtimeDir , cacheDir +, spoolDir , tmpDir , forceDisableUserChange , processManager @@ -12,7 +13,7 @@ let constructors = import ../services-agnostic/constructors.nix { - inherit nix-processmgmt pkgs stateDir logDir runtimeDir cacheDir tmpDir forceDisableUserChange processManager ids; + inherit nix-processmgmt pkgs stateDir logDir runtimeDir cacheDir spoolDir tmpDir forceDisableUserChange processManager ids; }; in { diff --git a/services-agnostic/constructors.nix b/services-agnostic/constructors.nix index 5dbbae4..38cf2f7 100644 --- a/services-agnostic/constructors.nix +++ b/services-agnostic/constructors.nix @@ -46,6 +46,16 @@ in tomcat = pkgs.tomcat9; }; + dbus-daemon = import ./dbus-daemon { + inherit createManagedProcess stateDir runtimeDir; + inherit (pkgs) stdenv dbus writeTextFile; + }; + + disnix-service = import ./disnix-service { + inherit createManagedProcess; + inherit (pkgs) stdenv disnix nix; + }; + docker = import ./docker { inherit createManagedProcess; inherit (pkgs) docker kmod; diff --git a/services-agnostic/dbus-daemon/default.nix b/services-agnostic/dbus-daemon/default.nix new file mode 100644 index 0000000..bed7c07 --- /dev/null +++ b/services-agnostic/dbus-daemon/default.nix 
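Review bot: In the services-agnostic/constructors.nix hunk, both new constructors are handed `stdenv` only so that the callee can reach `stdenv.lib` (`stdenv.lib.concatMapStrings` in dbus-daemon/default.nix, `stdenv.lib.optional` in disnix-service/default.nix). nixpkgs deprecated the `stdenv.lib` alias in favour of `lib`, so passing `lib` directly is the more durable form: `inherit (pkgs) lib dbus writeTextFile;` and `inherit (pkgs) lib disnix nix;`, with the two function headers and call sites changed to `lib.concatMapStrings` and `lib.optional`. The enclosing attribute set starts and ends outside this hunk, so whether the other constructors already receive `lib` cannot be seen from here.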
@@ -0,0 +1,127 @@ +{createManagedProcess, stdenv, writeTextFile, dbus, stateDir, runtimeDir}: +{extraConfig ? "", packages ? []}: + +let + user = "messagebus"; + group = "messagebus"; + + dbusRuntimeDir = "${runtimeDir}/dbus"; + + configFile = writeTextFile { + name = "system.conf"; + text = '' + + + + + system + + + ${user} + + + ${runtimeDir}/dbus-daemon.pid + + + EXTERNAL + + + + unix:path=${dbusRuntimeDir}/system_bus_socket + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ${stdenv.lib.concatMapStrings (package: '' + ${package}/share/dbus-1/system-services + ${package}/etc/dbus-1/system.d + ${package}/share/dbus-1/system.d + '') packages} + + + ${extraConfig} + + ''; + }; +in +createManagedProcess { + name = "dbus-daemon"; + initialize = '' + mkdir -p ${stateDir}/lib/dbus + mkdir -p ${dbusRuntimeDir} + ${dbus}/bin/dbus-uuidgen --ensure + ''; + process = "${dbus}/bin/dbus-daemon"; + args = [ "--config-file" configFile ]; + foregroundProcessExtraArgs = [ "--nofork" "--nopidfile" ]; + daemonExtraArgs = [ "--fork" ]; + + credentials = { + groups = { + "${group}" = {}; + }; + users = { + "${user}" = { + inherit group; + homeDir = dbusRuntimeDir; + description = "D-Bus system message bus daemon user"; + }; + }; + }; + + overrides = { + sysvinit = { + runlevels = [ 2 3 4 5 ]; + }; + }; +} diff --git a/services-agnostic/disnix-service/default.nix b/services-agnostic/disnix-service/default.nix new file mode 100644 index 0000000..9f271aa --- /dev/null +++ b/services-agnostic/disnix-service/default.nix 
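Review bot: In `initialize`, `mkdir -p ${stateDir}/lib/dbus` prepares a directory that `${dbus}/bin/dbus-uuidgen --ensure` then does not use: called without a file name, the tool writes the machine id to the path compiled into the dbus package, which coincides with the created directory only when `stateDir` is `/var`. Passing the path, `${dbus}/bin/dbus-uuidgen --ensure=${stateDir}/lib/dbus/machine-id`, keeps the generated state under the configured state directory; dbus-daemon's own lookup path is probably compiled in as well, so a non-default `stateDir` should be tested after the change. The arguments `extraConfig` and `packages` would also benefit from a comment above the second header line saying that `extraConfig` is inserted verbatim into the generated bus configuration and that each entry in `packages` adds its `share/dbus-1/system-services`, `etc/dbus-1/system.d` and `share/dbus-1/system.d` paths to it, since both extend what the system bus will load.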
@@ -0,0 +1,25 @@
+{createManagedProcess, stdenv, disnix, nix}:
+{dbus-daemon ? null}:
+
+let
+ group = "disnix";
+in
+createManagedProcess {
+ name = "disnix-service";
+ process = "${disnix}/bin/disnix-service";
+ path = [ nix ];
+ daemonExtraArgs = [ "--daemon" ];
+ dependencies = stdenv.lib.optional (dbus-daemon != null) dbus-daemon.pkg;
+
+ credentials = {
+ groups = {
+ "${group}" = {};
+ };
+ };
+
+ overrides = {
+ sysvinit = {
+ runlevels = [ 2 3 4 5 ];
+ };
+ };
+}
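Review bot: The process is started with no bus address, while the dbus-daemon service added in this commit listens on `unix:path=${runtimeDir}/dbus/system_bus_socket`; disnix-service will therefore look for the system bus at the client library's default location, which matches only when `runtimeDir` resolves to that default. If `createManagedProcess` accepts an `environment` attribute (not visible in this patch), taking `runtimeDir` as an argument and adding `environment = { DBUS_SYSTEM_BUS_ADDRESS = "unix:path=${runtimeDir}/dbus/system_bus_socket"; };` would tie the two services together. A comment on `group = "disnix";` stating what membership of that group permits (presumably access to the service over the bus, via the policy shipped in the disnix package) would also help whoever administers the host.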