New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/bepasty: Kind of modernize the module #61883
Conversation
@GrahamcOfBorg build bepasty |
@GrahamcOfBorg build bepasty |
- Switch to Python 3 which fixes bepasty not being found (and requires a patch to work which is already on bepasty master) - Remove the enable option - Hardcode directories and let systemd manage permissions - Sandbox the service using systemd - Switch to a dynamic user and run nothing as root (except for preStart) - Allow users to set permissions without adding them to the store (extraConfigFile) - Make assertion more clear
@dasJ After a quick review it looks like this will make existing installs lose all data if custom directories were specified. Is this correct? |
@@ -136,48 +128,50 @@ in | |||
extraLibs = [ bepasty gevent ]; | |||
}; | |||
in { | |||
BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf"; | |||
BEPASTY_CONFIG = "/tmp/bepasty.conf"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You cannot assume that /tmp/bepasty.conf doesn't exist yet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You seem to have removed PrivateTmp= enabled
. If you add that again, it might work as you intended.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No worries, DynamicUser
also enables PrivateTmp
@aanderse Yes, it's a a little downside. On the upside, systemd will manage the permissions of the directory and make the path writable in the sandbox. |
@dasJ You might want to consider keeping the |
@aanderse The problem is: How do I ensure the directories are owned by the proper user and have the proper permissions? |
I assume some scripts could be written to take the existing |
patch to work which is already on bepasty master)
(extraConfigFile)
Motivation for this change
Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nix-review --run "nix-review wip"
./result/bin/
)nix path-info -S
before and after)