Add support for burp client/server services #48762
Conversation
unode
force-pushed
the
burp
branch
2 times, most recently
from
7b1a9c5
to
0f519b4
Compare
unode
changed the title
| type = types.str; | ||
| default = "burp"; | ||
| description = '' | ||
| Run server as user |
There was a problem hiding this comment.
Is this the client or the server config?
There was a problem hiding this comment.
The server but I'm not sure I understand what the question is getting at.
|
|
||
| preStart = '' | ||
| if [ ! -f "${cfg.server.ssl_cert}" ]; then | ||
| mkdir -m 0750 -p ${cfg.server.libDir} |
There was a problem hiding this comment.
Why allow group read access to that directory?
| # See also https://github.com/grke/burp/issues/620 | ||
| cp -f ${burp_conf} ${cfg.client.libDir}/burp.conf | ||
|
|
||
| # This may fail so keep trying until we get ${cfg.client.ssl_cert} from the server |
There was a problem hiding this comment.
As this may fail there should be some kind of throttle on it. Having this fail more than once a minute probably doesn't make any sense.
There was a problem hiding this comment.
Any suggestion on how to achieve that? I've seen this pattern used in other services but didn't notice a throttling mechanism.
|
All points but the throttling have been addressed. I'm unsure how to proceed on that front. |
|
If systemd gives up or throttles on its own after a few attempts, that's probably good enough. Looks good to me. I think it's ready for merge. |
|
Not sure what I think of adding another 50+ options. Every options currently As an alternative, check out what I did in #45470, and try to apply the same strategy to this PR. This can reduce the option count to a minimum while still being able to set all current and future config values conveniently, but giving up having them all documented and type checked by the module system. |
I'm guessing you mean "increases" there 😀 otherwise this would actually be a good thing. I was not aware of this being an issue. Most of the options aren't actually required to start the service. As for the solution you linked, was that a one-off or is this a pattern that is growing in popularity? |
Yes thanks, fixed now :)
That would be fine too by me
Well, I'm very much a favor of this approach, but I've only seen it used a couple other times, it's not very popular. I'm encouraging people to use it though. I'm thinking about writing some nixpkgs tooling to make writing such config options easier, by providing standard types and converters for common config file formats like JSON/YAML/INI. I've also started writing some general guidelines for writing NixOS services which should limit the amount of options one needs to use and increase code reuse. |
|
@infinisil What pattern are you talking off exactly? Is it documented? I'm willing to put some time in to get this merged. |
|
I believe one of the issues is that burp's config looks like an INI file, but isn't. It must support multiple lines with the same key for some options like "keep". So this would need a special converter. |
|
I've since opened an RFC for this, see NixOS/rfcs#42. I'm currently in the process of rewriting it to address the discussions. The second part of it is that it encourages people to keep option counts low. I think it's always a good idea to start with options that make sense for most people and tell users to use a structural And while yes, the RFC isn't accepted yet (although it most likely will be eventually), and the general convenience functions aren't yet written, I'm still encouraging that approach, because it just makes so much sense. Every module I merge that doesn't adhere to that approach is a module that can't really be changed to that approach ever. So I'm not really feeling comfortable merging ones like this (which use |
|
I've removed some non-essential options. Didn't yet manage to implement @infinisil 's suggestion above. 2 checks are now failing but this seems to be unrelated, at least the previous commit fails locally as well. |
|
It's been some time, but with 20.03 split off, maybe this could be merged if it still works? |
|
I've been using it on my laptop without issues ever since I opened the PR. |
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
|
I'm still using the original recipe and would like to get it merged at some point. |
stale
bot
removed
the
2.status: stale
nixos/modules/misc/ids.nix
Outdated
| @@ -346,6 +346,7 @@ in | |||
| zoneminder = 314; | |||
| paperless = 315; | |||
| #mailman = 316; # removed 2019-08-30 | |||
| burp = 317; | |||
There was a problem hiding this comment.
Can we use dynamic users?
There was a problem hiding this comment.
I'm not familiar with this feature. Do you have a link I could read up on? Thanks!
There was a problem hiding this comment.
IIRC dynamic users potentially requires a chown run on start of the service, which is not practical on a big data store with potentially millions of files, so I don't think using dynamic users feasable for burp.
http://0pointer.net/blog/dynamic-users-with-systemd.html
| enable = mkEnableOption "BURP client"; | ||
|
|
||
| frequency = mkOption { | ||
| type = types.str; |
There was a problem hiding this comment.
Should this be an enum?
There was a problem hiding this comment.
This translates to systemd OnCalendar time specifications. A enum may restrict more than desired.
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
2.status: stale
|
Addressed the conflict, which is likely to reappear if new services are added. Working fine on 21.05. |
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
| @@ -353,6 +353,7 @@ in | |||
| distcc = 321; | |||
| webdav = 322; | |||
| pipewire = 323; | |||
| burp = 324; | |||
There was a problem hiding this comment.
Static ids shouldn't be used anymore, see NixOS/rfcs#52. This was also previously discussed in #48762 (comment), but I don't think that's a problem, because no chown needs to be run in normal circumstances, since systemd reuses the same dynamic uids for users if possible.
| @@ -281,6 +281,8 @@ | |||
| ./services/backup/btrbk.nix | |||
| ./services/backup/duplicati.nix | |||
| ./services/backup/duplicity.nix | |||
| ./services/backup/burp.nix | |||
| ./services/backup/crashplan.nix | |||
| burp_conf = pkgs.writeText "burp.conf" '' | ||
| mode = client | ||
| pidfile = /run/burp/burp.pid | ||
|
|
||
| port = ${toString cfg.client.port} |
There was a problem hiding this comment.
Already mentioned this in #48762 (comment), but by now we should really be using the approach from NixOS/rfcs#42 for this, see also #144575. By now there are a lot of NixOS modules which make use of that approach which you can use for reference. Grep for freeformType in nixpkgs to see them. You can also check out the documentation.
| }; | ||
| }; | ||
|
|
||
| config = mkIf cfg.client.enable or cfg.server.enable { |
There was a problem hiding this comment.
or isn't a boolean operator in Nix, check out the list of operators. You meant to use || here instead. Also needs parenthesis.
stale
bot
added
the
2.status: stale
|
Are you still planning to work on this. @unode ? I could really use it. :) |
stale
bot
removed
the
2.status: stale
|
I'm still using the original recipe and didn't get to implement the suggested approach. |
wegank
added
2.status: stale
stale
bot
removed
the
2.status: stale
Motivation for this change
BURP is currently available in nixpkgs but provides no services
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)This is a reiteration of #30553 but basing on
unode/nixpkgs:burpinstead ofunode/nixpkgs:masterto avoid accidental mixing of work. Unfortunately GitHub doesn't allow editing the head branch.This setup is mostly functional but there is currently a problem with validity of the SSL certificates after pairing - see grke/burp#769.If anyone wants to give this a try feedback is welcome.