searx: allow running on priviledged ports. #91587
Conversation
Instead of running searx as root you should add CAP_NET_BIND_SERVICE
if you want it to run on a privileged port. Running it as root gives it far too many capabilities by default.
@mweinelt I modified the PR to reflect your suggestion, thanks for pointing it out. Did not know about it.
uid = config.ids.uids.searx; | ||
description = "Searx user"; | ||
createHome = true; | ||
home = "/var/lib/searx"; |
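Review bot: createHome = true together with a fixed home = "/var/lib/searx" ties the directory to the user module instead of to the unit. serviceConfig.StateDirectory = "searx" creates /var/lib/searx when the unit starts, owned by the unit's User= and with mode 0755 unless StateDirectoryMode= says otherwise, so these two lines can go while uid = config.ids.uids.searx stays.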
You should use the systemd StateDirectory mechanism, instead. Basically, remove the two lines here and add a serviceConfig.StateDirectory = "searx"; this will create a directory with the right permissions.
Done, thanks for the tip.
A bit off-topic... how do we also facilitate running searx under HTTPS with Let's Encrypt?
I run searx and my setup is based on nginx as a reverse proxy. The nginx module integrates ACME via the option
@rnhmjoj Can we close this if you mean it is ready to go? I'll try to use searx with a proxy.
Yeah, it looks good to me. To squash the commits you should do an interactive rebase. If you've never used it before, here's how it works: you need to edit the last 4 commits of your branch history, so run
This will open a file in your text editor containing the list of the commits and some instructions, you should read them. If you mess up, use git reflog to undo the rebase, otherwise
Changes from 5b7ab98 to 572af75:
@@ -66,6 +64,9 @@ in | |||
serviceConfig = { | |||
User = "searx"; | |||
ExecStart = "${cfg.package}/bin/searx-run"; | |||
StateDirectory = "searx"; | |||
# Allow running the service on priviledged ports. | |||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; |
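Review bot: AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ] on its own leaves the unit's bounding set at the systemd default; pair it with CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ] so the process can never hold anything beyond that one capability, and consider NoNewPrivileges = true so it cannot regain privileges through setuid binaries or file capabilities. The comment above it also misspells "privileged" as "priviledged".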
I'm not sure if we want to raise that capability for everyone using searx (AFAICS we don't do it that often for web services atm).
If you prefer that kind of solution you can still modify the service in your configuration.nix:
{
  services.searx.enable = true;
  # Grant the unit only CAP_NET_BIND_SERVICE so it can bind ports below 1024 without running as root.
  systemd.services.searx.serviceConfig.AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
}
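The point made in this thread, run as an unprivileged user and grant only CAP_NET_BIND_SERVICE, is worth verifying on the running process rather than trusting the unit file. The script below is an added example, not code from this PR or from nixpkgs: it decodes the capability masks the kernel reports in /proc/PID/status and checks that the effective and bounding sets contain exactly CAP_NET_BIND_SERVICE (bit 10, mask 0x400). The two status texts are constructed samples, and the usage line at the end assumes the unit is named searx.

```shell
#!/bin/sh
# Added example (not from the PR): decode Linux capability masks as printed in
# /proc/PID/status and verify a service holds exactly CAP_NET_BIND_SERVICE.

# Bit index of CAP_NET_BIND_SERVICE in the capability bitmask (linux/capability.h).
CAP_NET_BIND_SERVICE=10

# cap_field "<status text>" FIELD -> prints the hex mask of FIELD (CapEff, CapBnd, ...).
cap_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# cap_is_set HEXMASK BIT -> exit 0 when BIT is set in HEXMASK.
cap_is_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_count HEXMASK -> prints how many capabilities the mask grants.
cap_count() {
    mask=$(( 0x$1 )); n=0
    while [ "$mask" -ne 0 ]; do
        n=$(( n + (mask & 1) )); mask=$(( mask >> 1 ))
    done
    echo "$n"
}

# least_caps_ok "<status text>" -> exit 0 when both the effective set and the
# bounding set are exactly {CAP_NET_BIND_SERVICE}; otherwise reports why and exits 1.
least_caps_ok() {
    eff=$(cap_field "$1" CapEff)
    bnd=$(cap_field "$1" CapBnd)
    want=$(( 1 << CAP_NET_BIND_SERVICE ))
    if [ $(( 0x$eff )) -ne "$want" ]; then
        echo "CapEff=$eff grants $(cap_count "$eff") capabilities, expected only CAP_NET_BIND_SERVICE" >&2
        return 1
    fi
    if [ $(( 0x$bnd )) -ne "$want" ]; then
        echo "CapBnd=$bnd: bounding set is not restricted to CAP_NET_BIND_SERVICE" >&2
        return 1
    fi
    return 0
}

# Constructed sample: what /proc/PID/status shows for a unit with User=searx,
# AmbientCapabilities=CAP_NET_BIND_SERVICE and CapabilityBoundingSet=CAP_NET_BIND_SERVICE.
HARDENED_STATUS='CapInh: 0000000000000400
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 0000000000000400
CapAmb: 0000000000000400'

# Constructed sample: the same service started as root on a kernel with 41 capabilities.
ROOT_STATUS='CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

# Live check on a NixOS host (assumes the unit is named searx):
# least_caps_ok "$(cat /proc/$(systemctl show -p MainPID --value searx)/status)"
```

When libcap is installed, capsh --decode=0000000000000400 prints the names behind a mask, which is a quick way to eyeball CapEff for a unit you did not write yourself.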
Ok, got it... I managed to use searx as a proxy with apache, so I don't need a privileged port either.
# Startup a searx server.
services.searx.enable = true;
services.searx.configFile = "/etc/nixos/searx-config.yml";
# Apache httpd server configuration.
services.httpd.enable = true;
services.httpd.package = pkgs.apacheHttpd_2_4;
services.httpd.extraModules = [ "headers" "proxy" "proxy_http" ];
services.httpd.virtualHosts."searx.example.com" = {
extraConfig = ''
ProxyPass "/" "http://127.0.0.1:8100/"
ProxyPassReverse "/" "http://127.0.0.1:8100/"
'';
};
Since there is no longer a need for the searx service to run directly on privileged ports, I close this PR as it does not bring anything of value code-wise. The discussion is valuable and should be somehow extracted into some form of documentation.
Motivation for this change
Added AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; to allow running the service on privileged ports (0-1024). Thanks @mweinelt for pointing that out. I changed this PR to the new strategy for allowing privileged ports.
Things done
- Tested using sandboxing (option sandbox in nix.conf on non-NixOS linux)
- Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
- Tested execution of all binary files (usually in ./result/bin/)
- Determined the impact on package closure size (by running nix path-info -S before and after)

CC @rnhmjoj