New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/croc: init #93629
nixos/croc: init #93629
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good. A few minor comments.
Rebasing, nothing changed. |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Full bonus points awarded for having upstream add the ability to specify a password file 🎉
I'm happy to merge this PR now. Thanks for your hard work. Call it a stretch goal... but if you were to submit a PR upstream to get your relevant changes into the upstream unit I'm sure it would be greatly appreciated. Then we could open a PR in nixpkgs to stop providing our own systemd
unit and just include+customize the upstream unit via systemd.packages
, significantly reducing the lines of code in this module.
@GrahamcOfBorg test croc |
@GrahamcOfBorg eval |
I'm not sure about the |
Rebased after cc8a422 added a conflicting line in @aanderse indeed it would make sense to upstream a few relevant settings (eg.
So, even though I can understand the immediate gain you mention in identifying and upstreaming relevant changes, my opinion so far is that:
|
Alright, well as long as you know more about this software than developers of it do I completely support you 👍 I do find it unfortunate that other distributions won't be able to benefit from our (the NixOS community, a group of people generally keen on pushing the bar for security, as you mentioned) knowledge and efforts, though. |
Of course I don't. But I would argue that even though developpers' intimate knowledge of their software may be useful to speed up elucidating all the permissions the software needs to have, and required in some cases, what matters most is knowledge of systemd/Linux and being concerned about security above other concerns. That is to say:
I agree, and I'm not arguing against someone taking now time to argue with upstream to push some of those options, and this could be one of the secondary objectives of such NixOS security team. I'm just saying that concerning that software I'm exhausted and that:
|
You definitely have some good points. I have noticed some upstream developers are @GrahamcOfBorg test croc |
@ju1m I agree with you on deviating here. You have spent a reasonable amount of time to propose your changes to upstream. To have users of other systems still benefit of your work, you might ask upstream to link back from their documentation to nixpkgs as an example for a more elaborate systemd setup. |
I can merge this now, right? |
I've notified upstream in schollz/croc#335 about this hardening. Also, I've just seen that there are new hardening options |
@ju1m would you like me to merge this now or wait on that? |
I've successfully tested
@aanderse thanks, for me it's good for merging. |
@aanderse i think you can merge |
Thanks team! |
Motivation for this change
Run a
croc relay
.Things done
services.croc
, with security parameters.sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)