nixos/haproxy: Revive the haproxy user and group #80904
@GrahamcOfBorg test haproxy
@infinisil is there a way to solve this tls issue with dynamicuser?
Instead of having haproxy be responsible for reading the cert from a certain location, why not have a 3rd party service take care of it? That way you separate the concerns.
@jonringer I believe the suggested way of doing so is to place the sensitive data under the I have tested this technique with a @peterhoeg I assume you mean something like
@talyz I really don't want to leave you hanging on this, especially if the situation were that this is causing you prod issues. Have any of our comments been helpful, or is this PR still the way you would like to proceed?
@aanderse Sorry, I haven't had the time to investigate this further yet, but reading up on the Don't worry, it's not an issue for me yet, since I'm running stable in production. :) Glad to hear you liked the talk, btw. :)
I'm not entirely getting what this TLS issue is exactly, but there's settings like
@infinisil The issue is about setting strict permissions on a file so that only haproxy is able to read it - the TLS private key and certificate in this case.
@aanderse I've tried getting this to work with
Therefore we end up with a chicken-or-egg problem here where the service needs the secrets to start, but refuses to start when the files are already there. I also tried putting the files directly into Curiously, specifying With all this in mind, I don't really see any other options than going forward with this PR, unless someone else knows a better way.
In future we might have a better solution using NixOS/rfcs#59 However not using DynamicUser should be fine.
I was under the impression
nixos/modules/misc/ids.nix
Outdated
@@ -448,7 +448,7 @@ in | |||
#tcpcryptd = 93; # unused | |||
firebird = 95; | |||
keys = 96; | |||
#haproxy = 97; # DynamicUser as of 2019-11-08 | |||
haproxy = 97; |
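Review bot: The `+haproxy = 97;` line re-reserves a static uid that the removed `#haproxy = 97; # DynamicUser as of 2019-11-08` line had deliberately freed, yet the PR's stated motivation (letting the haproxy user own a TLS bundle with restricted permissions) only needs a stable user name, not a fixed numeric id. Prefer declaring the user with `isSystemUser = true` and no `uid`, so NixOS allocates the id, and fix up ownership of the bundle at service start; if a fixed id is kept after all, the matching group entry needs the same change.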
We probably don't need to allocate a fixed uid/gid though. All files could be chowned at startup.
AH yeah indeed, see also https://github.com/NixOS/rfcs/blob/master/rfcs/0052-dynamic-ids.md
Updated to use dynamically allocated ids instead.
Running haproxy with "DynamicUser = true" doesn't really work, since it prohibits specifying a TLS certificate bundle with limited permissions. This revives the haproxy user and group, but makes them dynamically allocated by NixOS, rather than statically allocated. It also adds options to specify which user and group haproxy runs as.
@Mic92 Yup, that rfc sounds like a good solution when it's implemented, but for now, I think this is the way to go.
@GrahamcOfBorg test haproxy
Being a little late to the party obviously doesn't give me much right to complain but there is one regression from this change - the additional restrictions implied by
Motivation for this change
Running haproxy with "DynamicUser = true" doesn't really work, since it prohibits specifying a TLS certificate bundle with limited permissions. This revives the haproxy user and group without reverting the other useful changes made in 954e234 and also adds options to specify which user and group haproxy runs as.
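The end state this PR describes, written out as an added NixOS configuration example (it is not code from the PR or from the nixpkgs haproxy module); the services.haproxy.user/group option names, the certificate path and the tmpfiles rules are assumptions:

```nix
{ config, lib, pkgs, ... }:
{
  # Dedicated system user and group. No uid/gid is given, so NixOS allocates
  # them dynamically, which is what the PR settled on instead of reserving 97.
  users.users.haproxy = {
    isSystemUser = true;
    group = "haproxy";
  };
  users.groups.haproxy = { };

  services.haproxy = {
    enable = true;
    # Assumed names for the user/group options the PR description says it adds.
    user = "haproxy";
    group = "haproxy";
    # Minimal TLS frontend; the bundle path is a constructed example.
    config = ''
      frontend https
        bind *:443 ssl crt /var/lib/haproxy/certs/site.pem
        default_backend app
      backend app
        server app1 127.0.0.1:8080
    '';
  };

  # Make sure the unit is not a DynamicUser unit: a transient uid can never
  # own the private key file, which is exactly the problem the PR addresses.
  systemd.services.haproxy.serviceConfig.DynamicUser = lib.mkForce false;

  # The bundle (key + certificate) is placed here by a deployment tool, never
  # in the world-readable Nix store. These rules only fix ownership and mode:
  # the directory is private to haproxy and the file is readable by that user alone.
  systemd.tmpfiles.rules = [
    "d /var/lib/haproxy/certs 0700 haproxy haproxy -"
    "z /var/lib/haproxy/certs/site.pem 0400 haproxy haproxy -"
  ];
}
```

Because the haproxy user now exists before the unit starts, the 0400 bundle can be owned by it directly, which a DynamicUser unit with a transient uid could not read.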