New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
trezord: init at 1.2.0 #22054
trezord: init at 1.2.0 #22054
Conversation
@canndrew, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @offlinehacker and @joachifm to be potential reviewers. |
I'm very much a NixOS noob and barely know what I'm doing. So be sure to review this carefully. |
stdenv.mkDerivation rec { | ||
name = "trezord-${version}"; | ||
|
||
src = fetchgit { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
use fetchFromGitHub
here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, I tried using fetchFromGitHub
but for some reason it was grabbing a different version with a different hash which for some reason didn't build. So I've gone back to fetchgit
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fetchgit
should only be necessary if you need submodules. Can you elaborate on the build error?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah yes, the repo does have submodules in it. That's what's causing it.
pkgs/servers/trezord/default.nix
Outdated
description = "TREZOR Bridge daemon for TREZOR bitcoin hardware wallet"; | ||
homepage = https://mytrezor.com; | ||
license = licenses.gpl3; | ||
maintainers = []; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if you don't want to maintain this, feel free to add jb55
since I use trezor on NixOS as well
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll add both of us.
I noticed darwin related things in that patch, but it's marked as linux only. |
nixos/modules/misc/ids.nix
Outdated
@@ -284,6 +284,7 @@ | |||
glance = 266; | |||
couchpotato = 267; | |||
gogs = 268; | |||
trezord = 269; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What sort of data does trezord own?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It controls access to the trezor.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But the trezor is a hardware device, correct? Static uids are for ensuring consistent ownership across NixOS deployments.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or if you need to refer to a user before the name/uid mapping is available.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@joachifm How do I use a non-static uid then? Do I just not give a uid/gid to extraUsers
/extraGroups
?
Edit: That's what I've done and it seems to work.
''; | ||
}; | ||
|
||
user = mkOption { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the use case for running as a user other than the default?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
None that I know of, but I thought I'd make it flexible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To my mind, adding options "just because" is not real flexibility, but rather expands the configuration state space to no benefit. Absent a plausible use case for running a daemon under a different user, please re-consider whether it needs to be possible to do so. This holds doubly true for daemons that can work with dynamic uids, as down the line we can rely on systemd to do that for us, obviating the need to declare daemon users up-front for those services.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alright, I've removed the ability to run the daemon as anything other than the trezord
user.
The line is |
}; | ||
}; | ||
|
||
users.extraUsers = singleton { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can also be written
users.users.trezord = {
group = "trezord";
description = /* ... */;
};
When name is null
, it is taken from the attrset key.
description = "Trezor bridge daemon user"; | ||
}; | ||
|
||
users.extraGroups = singleton { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can also be written
let # for syntax hl
users.groups.trezord = {};
description = "TREZOR Bridge"; | ||
after = [ "systemd-udev-settle.service" "network.target" ]; | ||
wantedBy = [ "multi-user.target" ]; | ||
path = [ pkgs.trezord ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that it is not necessary to add stuff to path
, if it's just used in the ExecStart
.
Is this waiting for me to make changes or is okay to merge? |
* Use fetchFromGitHub * Add maintainers
* Remove static uid/gid * Use fetchgit rather than fetchFromGitHub. It seems to be grapping a different version with fetchFromGGitHub for some reason. * Always create a user/group named trezord
I've updated with @joachifm's suggestions. Hopefully this can be merged now. |
Motivation for this change
I want to use my trezor with NixOS.
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandbox
innix.conf
on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)