Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/molly-brown: init #92220

Merged
merged 2 commits into from Jul 24, 2020
Merged

nixos/molly-brown: init #92220

merged 2 commits into from Jul 24, 2020

Conversation

ehmry
Copy link
Contributor

@ehmry ehmry commented Jul 3, 2020
edited

Motivation for this change

Time for our first Gemini server module.

https://tildegit.org/solderpunk/molly-brown

The TLS certificate stuff is not ideal, clients complain about self-signed certificates. It would be nice to arrange an ACME certificate automatically, but I'm not sure how best to do that without enabling an HTTP server borrowing certs from HTTP servers can be reasonably done.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

aanderse
aanderse requested changes Jul 5, 2020
View reviewed changes
Copy link
Member

@aanderse aanderse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I took a look at the module and provided some feedback. I hope you find it useful. If you need any further details please don't hesitate to ask.

nixos/modules/misc/ids.nix Outdated Show resolved Hide resolved
nixos/modules/services/web-servers/molly-brown.nix Outdated Show resolved Hide resolved
nixos/modules/services/web-servers/molly-brown.nix Outdated Show resolved Hide resolved
nixos/modules/services/web-servers/molly-brown.nix Outdated Show resolved Hide resolved
nixos/modules/services/web-servers/molly-brown.nix Outdated Show resolved Hide resolved
nixos/modules/services/web-servers/molly-brown.nix Outdated Show resolved Hide resolved
nixos/modules/services/web-servers/molly-brown.nix Outdated Show resolved Hide resolved
nixos/modules/services/web-servers/molly-brown.nix Outdated Show resolved Hide resolved
nixos/modules/services/web-servers/molly-brown.nix
rm /tmp/request.pem
fi
'');
serviceConfig = {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any hardening options we could apply?

@ehmry
Copy link
Contributor Author

ehmry commented Jul 7, 2020

@aanderse thank you for the thorough review, I think I've fixed everything you found except for the systemd hardening. Since the server is running as an unprivileged user I hope its not an issue. I'm not comfortable throwing a systemd security salad at it, unless there were a set of re-usable rules that I could apply.

@ehmry ehmry marked this pull request as ready for review July 7, 2020 11:45
@ehmry ehmry requested review from fgaz and sikmir July 7, 2020 11:57
fgaz
fgaz reviewed Jul 8, 2020
View reviewed changes
Copy link
Member

@fgaz fgaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some style stuff on the package

pkgs/servers/gemini/molly-brown/default.nix
goPackagePath = "tildegit.org/solderpunk/molly-brown";

src = fetchgit {
inherit rev;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd put the revision directly here and remove rec since it seems to be used here only

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The go2nix tool placed rec here and I don't know why. If it is harmless I would keep it as.

pkgs/servers/gemini/molly-brown/default.nix Outdated Show resolved Hide resolved
pkgs/servers/gemini/molly-brown/default.nix Outdated Show resolved Hide resolved
pkgs/servers/gemini/molly-brown/default.nix Outdated Show resolved Hide resolved
@aanderse
Copy link
Member

aanderse commented Jul 9, 2020

@ehmry I didn't initially realize this is a web server... in this case DynamicUser may not be appropriate (as a default). Sorry for potentially steering you down the wrong path there 😞

I took a quick pass at the module to explain more along the lines of what I was thinking with settings. See my work here. Note that we still have some regular options, which can be used by NixOS to provide extra value (like say adding an openFirewall option), and then the settings option which more detailed configuration can go into. The settings option absorbs all the regular options, but still allows users to override those via services.molly-brown.settings.Port = lib.mkForce 4000;.

How does this look?

@ehmry
Copy link
Contributor Author

ehmry commented Jul 12, 2020

Looks better to me. What is the problem with using DynamicUser here? Can we get away with DynamicUser for now?

@aanderse
Copy link
Member

@ehmry the issue in using DynamicUser here is that you have a logDir option. If you hard-coded the logging directory to /var/log/molly-brown and create it with systemd via LogsDirectory then this wouldn't be an issue.

@ehmry
Copy link
Contributor Author

ehmry commented Jul 14, 2020

Then I think hardcoding the log directory is reasonable.

@aanderse
Copy link
Member

@ehmry I'm that case feel free to remove the users.user and users.group declarations and and DynamicUser back 👍

@ehmry
Copy link
Contributor Author

ehmry commented Jul 15, 2020

Ok, rebased and squashed it all against master.

@aanderse
Copy link
Member

I had never even heard of this protocol until this PR and now we have this too: https://github.com/NixOS/nixpkgs/pull/93209/files
I'll try this out in the next couple days and approve the module part of this PR, but we still need someone to review the package.

@sikmir
Copy link
Member

sikmir commented Jul 16, 2020

I had never even heard of this protocol until this PR and now we have this too: https://github.com/NixOS/nixpkgs/pull/93209/files

Another one Gemini client: #91453

aanderse
aanderse requested changes Jul 18, 2020
View reviewed changes
Copy link
Member

@aanderse aanderse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did some testing and aside from the two minor outstanding comments I have I approve the module part of this PR. Great job 🎉

nixos/modules/services/web-servers/molly-brown.nix Outdated Show resolved Hide resolved
@ehmry ehmry force-pushed the molly-brown branch 2 times, most recently from 0aa1e2e to 74539f8 Compare July 21, 2020 21:34
@aanderse
Copy link
Member

@ehmry are we good to merge this?
@sikmir and @fgaz did you both review and approve the package portion of this PR? I only looked at the module.

@ehmry
Copy link
Contributor Author

ehmry commented Jul 23, 2020

I'd say its ready to merge, I just tested the SupplimentaryGroups change and its working - gemini://depot.1337.cx/init.gmi

@sikmir
Copy link
Member

sikmir commented Jul 23, 2020

LGTM, approved.

@ehmry ehmry merged commit 76d60b0 into NixOS:master Jul 24, 2020
@ehmry ehmry deleted the molly-brown branch July 24, 2020 09:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fgaz fgaz fgaz left review comments

@aanderse aanderse aanderse requested changes

@sikmir sikmir sikmir approved these changes

Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 8.has: package (new) 10.rebuild-darwin: 1-10 10.rebuild-darwin: 1 10.rebuild-linux: 1-10 11.by: package-maintainer
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@ehmry @aanderse @sikmir @fgaz