trezord: init at 1.2.0 #22054
trezord: init at 1.2.0 #22054
Conversation
|
@canndrew, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @offlinehacker and @joachifm to be potential reviewers. |
|
I'm very much a NixOS noob and barely know what I'm doing. So be sure to review this carefully. |
| stdenv.mkDerivation rec { | ||
| name = "trezord-${version}"; | ||
|
|
||
| src = fetchgit { |
There was a problem hiding this comment.
Okay, I tried using fetchFromGitHub but for some reason it was grabbing a different version with a different hash which for some reason didn't build. So I've gone back to fetchgit.
There was a problem hiding this comment.
fetchgit should only be necessary if you need submodules. Can you elaborate on the build error?
There was a problem hiding this comment.
Ah yes, the repo does have submodules in it. That's what's causing it.
pkgs/servers/trezord/default.nix
Outdated
| description = "TREZOR Bridge daemon for TREZOR bitcoin hardware wallet"; | ||
| homepage = https://mytrezor.com; | ||
| license = licenses.gpl3; | ||
| maintainers = []; |
There was a problem hiding this comment.
if you don't want to maintain this, feel free to add jb55 since I use trezor on NixOS as well
There was a problem hiding this comment.
I'll add both of us.
|
I noticed darwin related things in that patch, but it's marked as linux only. |
nixos/modules/misc/ids.nix
Outdated
| @@ -284,6 +284,7 @@ | |||
| glance = 266; | |||
| couchpotato = 267; | |||
| gogs = 268; | |||
| trezord = 269; | |||
There was a problem hiding this comment.
What sort of data does trezord own?
There was a problem hiding this comment.
It controls access to the trezor.
There was a problem hiding this comment.
But the trezor is a hardware device, correct? Static uids are for ensuring consistent ownership across NixOS deployments.
There was a problem hiding this comment.
Or if you need to refer to a user before the name/uid mapping is available.
There was a problem hiding this comment.
@joachifm How do I use a non-static uid then? Do I just not give a uid/gid to extraUsers/extraGroups?
Edit: That's what I've done and it seems to work.
| ''; | ||
| }; | ||
|
|
||
| user = mkOption { |
There was a problem hiding this comment.
What is the use case for running as a user other than the default?
There was a problem hiding this comment.
None that I know of, but I thought I'd make it flexible.
There was a problem hiding this comment.
To my mind, adding options "just because" is not real flexibility, but rather expands the configuration state space to no benefit. Absent a plausible use case for running a daemon under a different user, please re-consider whether it needs to be possible to do so. This holds doubly true for daemons that can work with dynamic uids, as down the line we can rely on systemd to do that for us, obviating the need to declare daemon users up-front for those services.
There was a problem hiding this comment.
Alright, I've removed the ability to run the daemon as anything other than the trezord user.
The line is |
| }; | ||
| }; | ||
|
|
||
| users.extraUsers = singleton { |
There was a problem hiding this comment.
Can also be written
users.users.trezord = {
group = "trezord";
description = /* ... */;
};
When name is null, it is taken from the attrset key.
| description = "Trezor bridge daemon user"; | ||
| }; | ||
|
|
||
| users.extraGroups = singleton { |
There was a problem hiding this comment.
Can also be written
let # for syntax hl
users.groups.trezord = {};
| description = "TREZOR Bridge"; | ||
| after = [ "systemd-udev-settle.service" "network.target" ]; | ||
| wantedBy = [ "multi-user.target" ]; | ||
| path = [ pkgs.trezord ]; |
There was a problem hiding this comment.
Note that it is not necessary to add stuff to path, if it's just used in the ExecStart.
|
Is this waiting for me to make changes or is okay to merge? |
* Use fetchFromGitHub * Add maintainers
* Remove static uid/gid * Use fetchgit rather than fetchFromGitHub. It seems to be grapping a different version with fetchFromGGitHub for some reason. * Always create a user/group named trezord
|
I've updated with @joachifm's suggestions. Hopefully this can be merged now. |
Motivation for this change
I want to use my trezor with NixOS.
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)