Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update public-inbox to 1.8.0 and add systemd services #104457

Merged
merged 7 commits into from May 12, 2022
Merged

Update public-inbox to 1.8.0 and add systemd services #104457

merged 7 commits into from May 12, 2022

Conversation

ju1m
Copy link
Contributor

@ju1m ju1m commented Nov 21, 2020
edited

Works for me and is ready for review.

Motivation for this change

Add a public-inbox NixOS service.

Things done
# systemd-analyze security | grep public-inbox
public-inbox-httpd.service                0.6 SAFE      😀    
public-inbox-imapd.service                0.6 SAFE      😀
public-inbox-nntpd.service                0.6 SAFE      😀
  • Support enabling systemd-confinement for the services.
  • Add myself as maintainer to both the package and the service.
  • Use generators.toGitINI and introduce a formats.gitIni.
  • Add nixos/tests/public-inbox.nix.
  • Add option services.public-inbox.postfix.enable for configuring postfix using a dedicated transport, and support recipientDelimiter. No longer use a .forward file.
  • Adding a release note (not sure if I should).
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Ping @alyssais, @catern, @spacekookie

@ju1m ju1m force-pushed the public-inbox branch 5 times, most recently from 9f79ab7 to 67c9564 Compare November 25, 2020 06:42
@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/385

infinisil
infinisil requested changes Nov 28, 2020
View reviewed changes
nixos/modules/services/mail/public-inbox.nix Outdated Show resolved Hide resolved
nixos/modules/services/mail/public-inbox.nix Outdated Show resolved Hide resolved
nixos/modules/services/mail/public-inbox.nix Outdated Show resolved Hide resolved
nixos/modules/services/mail/public-inbox.nix Outdated Show resolved Hide resolved
@infinisil
Copy link
Member

Looking pretty good overall!

@teto teto mentioned this pull request Dec 21, 2020
Closed
10 tasks
@matthiasbeyer
Copy link
Contributor

@ju1m any plans on updating this PR so we can merge it?

Would be nice to use this to provide an archive for nixpkgs-dev.

alyssais
alyssais reviewed Apr 15, 2021
View reviewed changes
Copy link
Member

@alyssais alyssais left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm very sorry for taking so long to get to this. I should have more time available for it now. I'm also happy to help, or to take back over, if you'd prefer.

pkgs/servers/mail/public-inbox/default.nix Outdated Show resolved Hide resolved
pkgs/servers/mail/public-inbox/default.nix Outdated
git
/* for InlineC */
gnumake
stdenv.cc
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will break if cross-compiled. Is there no way to compile InlineC stuff up front at build time?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, according to public-inbox-tuning, recent public-inbox generates and compiles C code at runtime to increase performance:

  Process spawning
    Our optional use of Inline::C speeds up subprocess spawning from large
    daemon processes.

    To enable Inline::C, either set the "PERL_INLINE_DIRECTORY" environment
    variable to point to a writable directory, or create
    "~/.cache/public-inbox/inline-c" for any user(s) running public-inbox
    processes.

    More (optional) Inline::C use will be introduced in the future to lower
    memory use and improve scalability.

I've little experience with cross-compiling using Nixpkgs, so I don't know when or how it will break, nor how to address that concern. Should I use something else than stdenv.cc to get the target's compiler? Should I put InlineC usage behind a package option?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I see -- Inline::C is different to XS, in that the code is generated at runtime. So we can't compile at ahead of time and will need a C compiler. In that case, the usual approach I've seen here (that is cross-friendly) is to wrap with gcc instead of stdenv.cc.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inline::C is cool and all, but...
Has anyone mentioned to upstream that the lack of support for ahead of time compilation/the dependency on a compiler at runtime, is fairly annoying for packaging? I'm sure other package managers would also prefer to not add a dependency on gcc to public-inbox, I don't think that's just us. (And the public-inbox maintainer is, I think, very responsive to such concerns)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inline::C is optional

pkgs/servers/mail/public-inbox/default.nix Outdated Show resolved Hide resolved
alyssais
alyssais requested changes Apr 19, 2021
View reviewed changes
Copy link
Member

@alyssais alyssais left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's going to take me a little while to review this because it's so big and so different to my version, so this isn't going to be my last round of comments. But we're getting there. :)

nixos/modules/services/mail/public-inbox.nix Outdated Show resolved Hide resolved
nixos/modules/services/mail/public-inbox.nix
to be used as a reverse proxy, eg. in nginx:
<code>locations."/inbox".proxyPass = "http://unix:''${config.services.public-inbox.http.port}:/inbox";</code>
Set to null and use <code>systemd.sockets.public-inbox-httpd.listenStreams</code>
if you need a more advanced listening.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think the extra complexity of taking two different kinds of values here is worth the small convenience of being able to open the firewall automatically.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure to understand what you want, isn't openFirewall working well enough?

nixos/modules/services/mail/public-inbox.nix Show resolved Hide resolved
nixos/modules/services/mail/public-inbox.nix Outdated Show resolved Hide resolved
nixos/modules/services/mail/public-inbox.nix Outdated Show resolved Hide resolved
@ju1m ju1m changed the title Update public-inbox to 1.6.0 and add systemd services Update public-inbox to 1.6.1 and add systemd services Apr 23, 2021
@ju1m
Copy link
Contributor Author

ju1m commented Apr 23, 2021

Thanks for all your feedbacks.
I've uploaded some changes in a "release early" spirit because of the recent regain in interest for this PR, but before taking time to test them nor finishing to address all the concerns raised. I'll make another pass in a few days.

infinisil
infinisil requested changes May 3, 2021
View reviewed changes
nixos/modules/services/mail/public-inbox.nix Outdated Show resolved Hide resolved
nixos/modules/services/mail/public-inbox.nix Outdated Show resolved Hide resolved
@ju1m ju1m force-pushed the public-inbox branch 2 times, most recently from 00d31cb to 9b6cab8 Compare May 11, 2021 03:09
@ju1m ju1m requested a review from alyssais May 11, 2021 03:27
@ju1m
Copy link
Contributor Author

ju1m commented May 2, 2022

  • Fix git clone inboxes by reallowing @timer syscalls

@ju1m
Copy link
Contributor Author

ju1m commented May 2, 2022

  • Enable confinement. It was not that hard after all, but obviously I may very well have overlooked some corner cases (eg. missing BindPaths=/BindReadOnlyPaths= for some directory in /run).
    Ping @Gaelan.

@aanderse
Copy link
Member

aanderse commented May 3, 2022

Currently there isn't a single module within NixOS that uses confinement. Merging this PR as-is would set a precedent. I'm not saying that is a good or bad precedent, but I'm saying it is a precedent people should understand and agree to. Given how overzealous this community is about hardening services I see it as almost a certainty that countless modules will start using confinement as soon as developers are aware of the change this PR introduces.

So what are all of the implications of using confinement? Should you remove confinement from this PR, merge, then take this discussion elsewhere and depending on the outcome of that conversation start a new PR to add confinement back?

@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-policy-regarding-systemd-confinement/18976/1

@ju1m
Copy link
Contributor Author

ju1m commented May 4, 2022

  • Revert confinement.enable = true, but keep supporting its enabling by the user.
  • Started a discussion about the policy to follow regarding systemd-confinement.

@ju1m ju1m changed the title Update public-inbox to 1.7.0 and add systemd services Update public-inbox to 1.8.0 and add systemd services May 6, 2022
@ju1m
Copy link
Contributor Author

ju1m commented May 11, 2022

  • Reenable on all platforms but disable tests on Darwin

@ju1m
Copy link
Contributor Author

ju1m commented May 11, 2022

  • Use stdenv.cc.cc instead of gcc directly.

@infinisil infinisil merged commit fd50826 into NixOS:master May 12, 2022
@infinisil
Copy link
Member

This PR has had enough feedback, imo it looks good enough for a merge, any further improvements can be done with other PRs. Thanks for the hard work @ju1m!

@ju1m ju1m deleted the public-inbox branch December 26, 2022 20:21
@infinisil infinisil mentioned this pull request Oct 10, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Gaelan Gaelan Gaelan left review comments

@catern catern catern left review comments

@SuperSandro2000 SuperSandro2000 SuperSandro2000 left review comments

@infinisil infinisil infinisil approved these changes

@aanderse aanderse Awaiting requested review from aanderse

@alyssais alyssais Awaiting requested review from alyssais

Assignees
No one assigned
Labels
6.topic: nixos 8.has: clean-up 8.has: module (update) 10.rebuild-darwin: 1-10 10.rebuild-darwin: 1 10.rebuild-linux: 1-10 11.by: package-maintainer 12.approvals: 2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet