New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/nghttpx: add module for the nghttpx proxy server #31680
Conversation
nixos/modules/misc/ids.nix
Outdated
@@ -300,6 +300,7 @@ | |||
kanboard = 281; | |||
pykms = 282; | |||
kodi = 283; | |||
nghttpx = 284; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It does not look like this service needs to access persistent files. If so please remove static uid/gid numbers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah! Okay, I didn't realize that was one of the purposes for our static uid and gid's. I'll fixup.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Mic92 actually, two persistent files that it would access are the TLS certificate and key. So I think we might want to keep the static uid/gid numbers...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For a small number of files it is better to chown at startup. Later we might use DynamicUser
for this service.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Mic92 sorry, not sure I understand your feedback.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The ssl context is created before privileges are dropped. So uid/gid numbers are not relevant for loading certificates: https://github.com/nghttp2/nghttp2/blob/master/src/shrpx_worker_process.cc#L538
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I understand what you're saying now (also, TIL, thanks for pointing this out). I'll fix.
''; | ||
}; | ||
|
||
user = lib.mkOption { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there an important use case for making user/group configurable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was following an example, can't remember which, I think it was the nginx
module. I personally don't think it's that important so if you're questioning its importance I'm happy to simplify and remove it.
53bd0ea
to
9315c4f
Compare
This change also adds a global `uid` and `gid` for a `nghttpx` user and group as well as an integration test.
9315c4f
to
adc2cd6
Compare
Okay, @Mic92 I believe I've addressed your feedback. Thank you :) |
Thanks! |
@@ -132,7 +132,7 @@ | |||
type = lib.types.int; | |||
default = 0; | |||
description = '' | |||
Set maximum number of open files (RLIMIT_NOFILE) to <N>. If 0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Mic92 how did you check this so I can know to fix this sort of thing in the future?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I noticed it, when adding the service to my configuration.nix
because this triggers a manual rebuild.
I can be also build using: https://nixos.wiki/wiki/Contributing_to_Nix_documentation#How_to_build_the_NixOS_manual
Also, in the future, I'll follow how you wrote the PR title; I wasn't sure how to format it but what you've written makes a lot of sense. |
* master: (293 commits) go_1_9: skip flaky TestServerCancelsReadTimeoutWhenIdle qsyncthingtray: fix build qt56.qtwebengine: fix build stdman: d860212 -> 2017.04.02 jackett: use mono50 hg-git: disable with python3 hg-git: 0.8.5 -> 0.8.10 xfce4-settings: enable parallel building gcc-snapshot: mark as broken heaptrack: 2017-02-14 -> 2017-10-30 nixos-container: Modify existing test to cover show-ip command nixos-container: Make show-ip work together with ipv4 + netmask linux-copperhead: 4.13.12.a -> 4.13.13.a matterbridge: 1.1.0 -> 1.4.1 nixos/nghttpx: add module for the nghttpx proxy server (#31680) mattermost: 4.3.0 -> 4.4.0 breakpad: delete simp_le: 0.2.0 -> 0.6.1 certbot: 0.11.1 -> 0.19.0 afl: 2.51b -> 2.52b ...
In general we follow the following format for commits: https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md#submitting-changes |
Motivation for this change
The
nghttpx
proxy was recently included innixpkgs
with 825c08e in thebin
output of thenghttp2
package. This pull request is a follow-on to that change providing a NixOS module for thenghttpx
proxy. Thenghttpx
is useful because it handles reverse proxying bothhttp/1.1
andhttp2
requests.Things done
build-use-sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)This change also adds a global
uid
andgid
for anghttpx
user and group as well as an integration test.