New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/molly-brown: init #92220
nixos/molly-brown: init #92220
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I took a look at the module and provided some feedback. I hope you find it useful. If you need any further details please don't hesitate to ask.
rm /tmp/request.pem | ||
fi | ||
''); | ||
serviceConfig = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any hardening options we could apply?
@aanderse thank you for the thorough review, I think I've fixed everything you found except for the systemd hardening. Since the server is running as an unprivileged user I hope its not an issue. I'm not comfortable throwing a systemd security salad at it, unless there were a set of re-usable rules that I could apply. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just some style stuff on the package
goPackagePath = "tildegit.org/solderpunk/molly-brown"; | ||
|
||
src = fetchgit { | ||
inherit rev; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd put the revision directly here and remove rec
since it seems to be used here only
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The go2nix tool placed rec
here and I don't know why. If it is harmless I would keep it as.
@ehmry I didn't initially realize this is a web server... in this case I took a quick pass at the module to explain more along the lines of what I was thinking with How does this look? |
Looks better to me. What is the problem with using |
@ehmry the issue in using |
Then I think hardcoding the log directory is reasonable. |
@ehmry I'm that case feel free to remove the |
Ok, rebased and squashed it all against master. |
I had never even heard of this protocol until this PR and now we have this too: https://github.com/NixOS/nixpkgs/pull/93209/files |
Another one Gemini client: #91453 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did some testing and aside from the two minor outstanding comments I have I approve the module part of this PR. Great job 🎉
0aa1e2e
to
74539f8
Compare
I'd say its ready to merge, I just tested the |
LGTM, approved. |
Motivation for this change
Time for our first Gemini server module.
https://tildegit.org/solderpunk/molly-brown
The TLS certificate stuff is not ideal, clients complain about self-signed certificates. It would be nice to arrange an ACME certificate automatically, but
I'm not sure how best to do that without enabling an HTTP serverborrowing certs from HTTP servers can be reasonably done.Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)