nixos/geoclue2: make configurable, can whitelist applications #45306
Conversation
| @@ -61,6 +88,106 @@ in | |||
| wantedBy = [ "default.target" ]; | |||
| }; | |||
| }; | |||
|
|
|||
| environment.etc."geoclue/geoclue.conf".text = '' | |||
| # Configuration file for Geoclue | |||
There was a problem hiding this comment.
Do we need most of these options or can we leave them implicit?
There was a problem hiding this comment.
I'm seeing other projects just leaving it as is aside from using a custom geolocation api key from google.
There was a problem hiding this comment.
One concern with the explicit defaults is that user cannot override them with extraConfig. If they cannot be omitted, we would need to make them configurable.
There was a problem hiding this comment.
Very true, maybe I'll make an option only to create more application configurations (since that's the only thing I'll need currently), and remove extraConfig. I'll deal with the rest later.
There was a problem hiding this comment.
It is mainly about the things already in the text. For example, someone might want to switch to google services or other provider. Or change their leaderboard name.
There was a problem hiding this comment.
Yeah I also think this config file should be as minimal as possible, because it's not really possible to change anything in it, only add to it. The default upstream file is intended to be modified, which we can't like this
Alternatively, create a config option that transforms a Nix value into the config file syntax, and provide upstream defaults via config.gnome-color-panel.allowed = mkDefault true;. Then it's possible to override everything. I'm doing pretty much the same for #41467 (which I still need to finish)
There was a problem hiding this comment.
The thing is that the config file's syntax and structure is not documented. So doing that fully is unclear.
worldofpeace
force-pushed
the
geoclue2-whitelisted-agents
branch
4 times, most recently
from
27899e3
to
0814aac
Compare
|
|
||
| # Whitelist of desktop IDs (without .desktop part) of all agents we recognise, | ||
| # separated by a ';'. | ||
| whitelist=${optionalString cfg.enableDemoAgent semiColon "geoclue-demo-agent"}${semiColon "gnome-shell"}${semiColon cfg.extraWhitelistedAgents} |
There was a problem hiding this comment.
This should not work for many reasons. I would try something like whitelist=${let whitelist = optional cfg.enableDemoAgent "geoclue-demo-agent" ++ singleton "gnome-shell" ++ cfg.extraWhitelistedAgents; in semiColon whitelist}
worldofpeace
force-pushed
the
geoclue2-whitelisted-agents
branch
from
0814aac
to
b464d6a
Compare
| @@ -61,6 +88,106 @@ in | |||
| wantedBy = [ "default.target" ]; | |||
| }; | |||
| }; | |||
|
|
|||
| environment.etc."geoclue/geoclue.conf".text = '' | |||
| # Configuration file for Geoclue | |||
There was a problem hiding this comment.
Yeah I also think this config file should be as minimal as possible, because it's not really possible to change anything in it, only add to it. The default upstream file is intended to be modified, which we can't like this
Alternatively, create a config option that transforms a Nix value into the config file syntax, and provide upstream defaults via config.gnome-color-panel.allowed = mkDefault true;. Then it's possible to override everything. I'm doing pretty much the same for #41467 (which I still need to finish)
|
So, as I understand it, the reason some gnome apps are hardcoded in is because geoclue doesn't have a "drop-in" mechanism for additional config files. So it's a real pain for installed applications to add themselves. This seems like a mistake, but not much we can do about it. However, if we generate the file like this then we can allow modules to configure their own rules, even though upstream doesn't give us a drop-in mechanism. This seems like a win to me. |
|
This is still relevant - upstream have made some progress in making "system" apps not need the agent, so once they do a release we'll want to switch to whitelisting using an approach like this. |
|
@michaelpj Cool, I'll finish cleaning this up in that case. Edit: That was quick 🤣 |
worldofpeace
force-pushed
the
geoclue2-whitelisted-agents
branch
from
ac1435c
to
e909ed3
Compare
worldofpeace
force-pushed
the
geoclue2-whitelisted-agents
branch
from
e909ed3
to
9ba805d
Compare
|
So I'm ok with this, though it's rather unfortunate that I wrote this without awareness of
I think that means there's no usecase for I think... |
|
Yes, I agree. I'm happy to make that change once this is in, or you can do it. |
All options within geoclue.conf[1] have been made configurable.
Additonally, we can now specify whether or not GeoClue
should ask the agent to authorize an application like so:
```
services.geoclue2.appConfig."redshift" = {
isAllowed = true;
isSystem = true;
};
```
[1]: https://gitlab.freedesktop.org/geoclue/geoclue/blob/master/data/geoclue.conf.in
worldofpeace
force-pushed
the
geoclue2-whitelisted-agents
branch
from
9ba805d
to
84a126f
Compare
|
I've dropped I feel like the removal of @jtojnar Is this ok, or do you still have reservations about it? |
worldofpeace
changed the title
|
I had a brief look at what they actually did to implement "system apps don't need authorization" and I'm not sure that it corresponds to the |
|
Things I would like to see from this:
|
I can do that for gnome, however I can't for |
|
Sure, for things that don't have a module there's nothing we can do at the moment. |
|
Also I guess the whitelisting of the elementary agent could come from that module? |
|
Is there anything we can do to push this forward? @michaelpj are you still interested in rewriting/seeing this rewritten to use |
|
I still think this would be useful indeed! I kind of gave up on geoclue, but it would be nice if it worked better. |
|
Completed in #60681 ✨ |
Motivation for this change
Non-functioning elementary geoclue2 agent
Eventually we'd like something similar to this but I'm unsure also, as mentioned, if elementary should be adding their agent into
geoclue.confupstream.Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)cc @jtojnar