New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for burp client/server services #48762
base: master
Are you sure you want to change the base?
Conversation
7b1a9c5
to
0f519b4
Compare
type = types.str; | ||
default = "burp"; | ||
description = '' | ||
Run server as user |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this the client or the server config?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The server but I'm not sure I understand what the question is getting at.
|
||
preStart = '' | ||
if [ ! -f "${cfg.server.ssl_cert}" ]; then | ||
mkdir -m 0750 -p ${cfg.server.libDir} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why allow group read access to that directory?
# See also https://github.com/grke/burp/issues/620 | ||
cp -f ${burp_conf} ${cfg.client.libDir}/burp.conf | ||
|
||
# This may fail so keep trying until we get ${cfg.client.ssl_cert} from the server |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As this may fail there should be some kind of throttle on it. Having this fail more than once a minute probably doesn't make any sense.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any suggestion on how to achieve that? I've seen this pattern used in other services but didn't notice a throttling mechanism.
All points but the throttling have been addressed. I'm unsure how to proceed on that front. |
If systemd gives up or throttles on its own after a few attempts, that's probably good enough. Looks good to me. I think it's ready for merge. |
Not sure what I think of adding another 50+ options. Every options currently As an alternative, check out what I did in #45470, and try to apply the same strategy to this PR. This can reduce the option count to a minimum while still being able to set all current and future config values conveniently, but giving up having them all documented and type checked by the module system. |
I'm guessing you mean "increases" there 😀 otherwise this would actually be a good thing. I was not aware of this being an issue. Most of the options aren't actually required to start the service. As for the solution you linked, was that a one-off or is this a pattern that is growing in popularity? |
Yes thanks, fixed now :)
That would be fine too by me
Well, I'm very much a favor of this approach, but I've only seen it used a couple other times, it's not very popular. I'm encouraging people to use it though. I'm thinking about writing some nixpkgs tooling to make writing such config options easier, by providing standard types and converters for common config file formats like JSON/YAML/INI. I've also started writing some general guidelines for writing NixOS services which should limit the amount of options one needs to use and increase code reuse. |
@infinisil What pattern are you talking off exactly? Is it documented? I'm willing to put some time in to get this merged. |
I believe one of the issues is that burp's config looks like an INI file, but isn't. It must support multiple lines with the same key for some options like "keep". So this would need a special converter. |
I've since opened an RFC for this, see NixOS/rfcs#42. I'm currently in the process of rewriting it to address the discussions. The second part of it is that it encourages people to keep option counts low. I think it's always a good idea to start with options that make sense for most people and tell users to use a structural And while yes, the RFC isn't accepted yet (although it most likely will be eventually), and the general convenience functions aren't yet written, I'm still encouraging that approach, because it just makes so much sense. Every module I merge that doesn't adhere to that approach is a module that can't really be changed to that approach ever. So I'm not really feeling comfortable merging ones like this (which use |
I've removed some non-essential options. Didn't yet manage to implement @infinisil 's suggestion above. 2 checks are now failing but this seems to be unrelated, at least the previous commit fails locally as well. |
It's been some time, but with 20.03 split off, maybe this could be merged if it still works? |
I've been using it on my laptop without issues ever since I opened the PR. |
I marked this as stale due to inactivity. → More info |
I'm still using the original recipe and would like to get it merged at some point. |
nixos/modules/misc/ids.nix
Outdated
@@ -346,6 +346,7 @@ in | |||
zoneminder = 314; | |||
paperless = 315; | |||
#mailman = 316; # removed 2019-08-30 | |||
burp = 317; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we use dynamic users?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not familiar with this feature. Do you have a link I could read up on? Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIRC dynamic users potentially requires a chown run on start of the service, which is not practical on a big data store with potentially millions of files, so I don't think using dynamic users feasable for burp.
http://0pointer.net/blog/dynamic-users-with-systemd.html
enable = mkEnableOption "BURP client"; | ||
|
||
frequency = mkOption { | ||
type = types.str; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be an enum?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This translates to systemd OnCalendar time specifications. A enum may restrict more than desired.
I marked this as stale due to inactivity. → More info |
Addressed the conflict, which is likely to reappear if new services are added. Working fine on 21.05. |
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
@@ -353,6 +353,7 @@ in | |||
distcc = 321; | |||
webdav = 322; | |||
pipewire = 323; | |||
burp = 324; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Static ids shouldn't be used anymore, see NixOS/rfcs#52. This was also previously discussed in #48762 (comment), but I don't think that's a problem, because no chown needs to be run in normal circumstances, since systemd reuses the same dynamic uids for users if possible.
@@ -281,6 +281,8 @@ | |||
./services/backup/btrbk.nix | |||
./services/backup/duplicati.nix | |||
./services/backup/duplicity.nix | |||
./services/backup/burp.nix | |||
./services/backup/crashplan.nix |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That looks wrong
burp_conf = pkgs.writeText "burp.conf" '' | ||
mode = client | ||
pidfile = /run/burp/burp.pid | ||
|
||
port = ${toString cfg.client.port} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Already mentioned this in #48762 (comment), but by now we should really be using the approach from NixOS/rfcs#42 for this, see also #144575. By now there are a lot of NixOS modules which make use of that approach which you can use for reference. Grep for freeformType
in nixpkgs to see them. You can also check out the documentation.
}; | ||
}; | ||
|
||
config = mkIf cfg.client.enable or cfg.server.enable { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
or
isn't a boolean operator in Nix, check out the list of operators. You meant to use ||
here instead. Also needs parenthesis.
Are you still planning to work on this. @unode ? I could really use it. :) |
I'm still using the original recipe and didn't get to implement the suggested approach. |
Motivation for this change
BURP is currently available in nixpkgs but provides no services
Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)nix path-info -S
before and after)This is a reiteration of #30553 but basing on
unode/nixpkgs:burp
instead ofunode/nixpkgs:master
to avoid accidental mixing of work. Unfortunately GitHub doesn't allow editing the head branch.This setup is mostly functional but there is currently a problem with validity of the SSL certificates after pairing - see grke/burp#769.If anyone wants to give this a try feedback is welcome.