New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/geoclue2: make configurable, can whitelist applications #45306
nixos/geoclue2: make configurable, can whitelist applications #45306
Conversation
@@ -61,6 +88,106 @@ in | |||
wantedBy = [ "default.target" ]; | |||
}; | |||
}; | |||
|
|||
environment.etc."geoclue/geoclue.conf".text = '' | |||
# Configuration file for Geoclue |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need most of these options or can we leave them implicit?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm seeing other projects just leaving it as is aside from using a custom geolocation api key from google.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One concern with the explicit defaults is that user cannot override them with extraConfig
. If they cannot be omitted, we would need to make them configurable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very true, maybe I'll make an option only to create more application configurations (since that's the only thing I'll need currently), and remove extraConfig
. I'll deal with the rest later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is mainly about the things already in the text. For example, someone might want to switch to google services or other provider. Or change their leaderboard name.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I also think this config file should be as minimal as possible, because it's not really possible to change anything in it, only add to it. The default upstream file is intended to be modified, which we can't like this
Alternatively, create a config
option that transforms a Nix value into the config file syntax, and provide upstream defaults via config.gnome-color-panel.allowed = mkDefault true;
. Then it's possible to override everything. I'm doing pretty much the same for #41467 (which I still need to finish)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The thing is that the config file's syntax and structure is not documented. So doing that fully is unclear.
27899e3
to
0814aac
Compare
|
||
# Whitelist of desktop IDs (without .desktop part) of all agents we recognise, | ||
# separated by a ';'. | ||
whitelist=${optionalString cfg.enableDemoAgent semiColon "geoclue-demo-agent"}${semiColon "gnome-shell"}${semiColon cfg.extraWhitelistedAgents} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should not work for many reasons. I would try something like whitelist=${let whitelist = optional cfg.enableDemoAgent "geoclue-demo-agent" ++ singleton "gnome-shell" ++ cfg.extraWhitelistedAgents; in semiColon whitelist}
0814aac
to
b464d6a
Compare
@@ -61,6 +88,106 @@ in | |||
wantedBy = [ "default.target" ]; | |||
}; | |||
}; | |||
|
|||
environment.etc."geoclue/geoclue.conf".text = '' | |||
# Configuration file for Geoclue |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I also think this config file should be as minimal as possible, because it's not really possible to change anything in it, only add to it. The default upstream file is intended to be modified, which we can't like this
Alternatively, create a config
option that transforms a Nix value into the config file syntax, and provide upstream defaults via config.gnome-color-panel.allowed = mkDefault true;
. Then it's possible to override everything. I'm doing pretty much the same for #41467 (which I still need to finish)
So, as I understand it, the reason some gnome apps are hardcoded in is because geoclue doesn't have a "drop-in" mechanism for additional config files. So it's a real pain for installed applications to add themselves. This seems like a mistake, but not much we can do about it. However, if we generate the file like this then we can allow modules to configure their own rules, even though upstream doesn't give us a drop-in mechanism. This seems like a win to me. |
This is still relevant - upstream have made some progress in making "system" apps not need the agent, so once they do a release we'll want to switch to whitelisting using an approach like this. |
@michaelpj Cool, I'll finish cleaning this up in that case. Edit: That was quick 🤣 |
ac1435c
to
e909ed3
Compare
e909ed3
to
9ba805d
Compare
So I'm ok with this, though it's rather unfortunate that I wrote this without awareness of
I think that means there's no usecase for
I think... |
Yes, I agree. I'm happy to make that change once this is in, or you can do it. |
All options within geoclue.conf[1] have been made configurable. Additonally, we can now specify whether or not GeoClue should ask the agent to authorize an application like so: ``` services.geoclue2.appConfig."redshift" = { isAllowed = true; isSystem = true; }; ``` [1]: https://gitlab.freedesktop.org/geoclue/geoclue/blob/master/data/geoclue.conf.in
9ba805d
to
84a126f
Compare
I've dropped I feel like the removal of @jtojnar Is this ok, or do you still have reservations about it? |
I had a brief look at what they actually did to implement "system apps don't need authorization" and I'm not sure that it corresponds to the |
Things I would like to see from this:
|
I can do that for gnome, however I can't for |
Sure, for things that don't have a module there's nothing we can do at the moment. |
Also I guess the whitelisting of the elementary agent could come from that module? |
Is there anything we can do to push this forward? @michaelpj are you still interested in rewriting/seeing this rewritten to use |
I still think this would be useful indeed! I kind of gave up on geoclue, but it would be nice if it worked better. |
Completed in #60681 ✨ |
Motivation for this change
Non-functioning elementary geoclue2 agent
Eventually we'd like something similar to this but I'm unsure also, as mentioned, if elementary should be adding their agent into
geoclue.conf
upstream.Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)nix path-info -S
before and after)cc @jtojnar