nixos/bepasty: Kind of modernize the module #61883
Conversation
|
@GrahamcOfBorg build bepasty |
|
@GrahamcOfBorg build bepasty |
- Switch to Python 3 which fixes bepasty not being found (and requires a patch to work which is already on bepasty master) - Remove the enable option - Hardcode directories and let systemd manage permissions - Sandbox the service using systemd - Switch to a dynamic user and run nothing as root (except for preStart) - Allow users to set permissions without adding them to the store (extraConfigFile) - Make assertion more clear
|
@dasJ After a quick review it looks like this will make existing installs lose all data if custom directories were specified. Is this correct? |
| @@ -136,48 +128,50 @@ in | |||
| extraLibs = [ bepasty gevent ]; | |||
| }; | |||
| in { | |||
| BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf"; | |||
| BEPASTY_CONFIG = "/tmp/bepasty.conf"; | |||
There was a problem hiding this comment.
You cannot assume that /tmp/bepasty.conf doesn't exist yet.
There was a problem hiding this comment.
You seem to have removed PrivateTmp= enabled. If you add that again, it might work as you intended.
There was a problem hiding this comment.
No worries, DynamicUser also enables PrivateTmp
|
@aanderse Yes, it's a a little downside. On the upside, systemd will manage the permissions of the directory and make the path writable in the sandbox. |
|
@dasJ You might want to consider keeping the |
|
@aanderse The problem is: How do I ensure the directories are owned by the proper user and have the proper permissions? |
|
I assume some scripts could be written to take the existing |
patch to work which is already on bepasty master)
(extraConfigFile)
Motivation for this change
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)