(hitch + nixos/services/hitch): (init at 1.4.8) #39358
Conversation
jflanglois
force-pushed
the
new-package-hitch
branch
2 times, most recently
from
b4a549a
to
a2eb953
Compare
jflanglois
force-pushed
the
new-package-hitch
branch
2 times, most recently
from
8a6c6c5
to
bcb81e3
Compare
jflanglois
force-pushed
the
new-package-hitch
branch
from
bcb81e3
to
1f7d0df
Compare
nixos/modules/misc/ids.nix
Outdated
| @@ -306,6 +306,7 @@ | |||
| monero = 287; | |||
| ceph = 288; | |||
| duplicati = 289; | |||
| hitch = 290; | |||
There was a problem hiding this comment.
it seems to me that hitch does not carry a lot of runtime state and all files are chowned on startup. In that case static uid/gid can be removed and nixos will use dynamic ones.
There was a problem hiding this comment.
Sure I don't have a strong opinion about that. I was following Varnish's set up a bit.
There was a problem hiding this comment.
I will update the PR when I'm home.
| ''; | ||
| postStop = '' | ||
| rm -rf ${cfg.ocspStaplingDir} | ||
| ''; |
There was a problem hiding this comment.
I simplified the module a bit by making use of systemd's RuntimeDirectory.
What do you think?
diff --git a/nixos/modules/services/web-servers/hitch/default.nix b/nixos/modules/services/web-servers/hitch/default.nix
index 54663082be1..87ee69aa7cd 100644
--- a/nixos/modules/services/web-servers/hitch/default.nix
+++ b/nixos/modules/services/web-servers/hitch/default.nix
@@ -6,7 +6,7 @@ let
("frontend = \"${cfg.frontend}\"")
(concatMapStrings (s: "pem-file = \"${s}\"\n") cfg.pem-files)
("ciphers = \"${cfg.ciphers}\"")
- ("ocsp-dir = \"${cfg.ocspStaplingDir}\"")
+ ("ocsp-dir = \"/run/hitch/ocsp-cache\"")
"user = \"${cfg.user}\""
"group = \"${cfg.group}\""
cfg.extraConfig
@@ -22,7 +22,7 @@ with lib;
type = types.str;
description = ''
The host and port Hitch connects to when receiving
- a connection
+ a connection in the form [HOST]:PORT
'';
};
@@ -36,8 +36,8 @@ with lib;
type = types.either types.str (types.listOf types.str);
default = "[127.0.0.1]:443";
description = ''
- This specifies the port and interface (the listen endpoint) that Hitch
- binds to when listening for connections. In the form [HOST]:PORT[+CERT]
+ This specifies the port and interface of the listen endpoint in the
+ form [HOST]:PORT[+CERT].
'';
};
@@ -47,12 +47,6 @@ with lib;
description = "PEM files to use";
};
- ocspStaplingDir = mkOption {
- type = types.path;
- default = "/var/run/hitch/ocsp-cache";
- description = "The location of the OCSP Stapling cache";
- };
-
user = mkOption {
type = types.str;
default = "hitch";
@@ -80,16 +74,10 @@ with lib;
description = "Hitch";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
- preStart = ''
- ${pkgs.hitch}/sbin/hitch -t --config ${hitchConfig}
- mkdir -p ${cfg.ocspStaplingDir}
- chown -R hitch:hitch ${cfg.ocspStaplingDir}
- '';
- postStop = ''
- rm -rf ${cfg.ocspStaplingDir}
- '';
serviceConfig = {
+ RuntimeDirectory = [ "hitch/ocsp-cache" ];
Type = "forking";
+ ExecStartPre = "${pkgs.hitch}/sbin/hitch -t --config ${hitchConfig}";
ExecStart = "${pkgs.hitch}/sbin/hitch --daemon --config ${hitchConfig}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always";
@@ -100,10 +88,7 @@ with lib;
environment.systemPackages = [ pkgs.hitch ];
- users.extraUsers.hitch = {
- group = "hitch";
- };
-
+ users.extraUsers.hitch.group = "hitch";
users.extraGroups.hitch = {};
};
}Why do you delete ocsp directory on service stop? This is different from what upstream does.
There was a problem hiding this comment.
Hmm. We can do that, but then the runtime directory will be owned by root in this case, no?
There was a problem hiding this comment.
If we go that route, then we'd want to specify systemd's User and Group. I'm not sure how hitch handles being run as non-root. I'll try it out.
There was a problem hiding this comment.
RuntimeDirectory = [ "hitch" "hitch/ocsp-cache" ]; maybe then?
There was a problem hiding this comment.
Ah. you are right, usually the service is also started as non-root in this case.
There was a problem hiding this comment.
In theory this could be circumvented by starting the service as the right user and give it ambient capability to bind privileged ports: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-servers/traefik.nix#L104
There was a problem hiding this comment.
This might have a security impact because before hitch would not be able to bind new ports after root privileges are dropped. At least you could remove the rm command and update the two option description I modified.
There was a problem hiding this comment.
Done. I actually like the RuntimeDirectory/CacheDirectory route but I suppose we can start with this.
|
cc @Dridi @daghf if hitch would drop ambient capabilities like |
Add the Hitch TLS reverse proxy as an option for TLS termination.
jflanglois
force-pushed
the
new-package-hitch
branch
from
177c75a
to
c1c17aa
Compare
| description = "PEM files to use"; | ||
| }; | ||
|
|
||
| ocspStaplingDir = mkOption { |
There was a problem hiding this comment.
Maybe we can use RuntimeDir in future, but having this option will make taking this route impossible.
Since I think it is not particular useful, I would drop it.
There was a problem hiding this comment.
Okay. Will update later.
| }; | ||
|
|
||
| frontend = mkOption { | ||
| type = types.either types.str (types.listOf types.str); |
There was a problem hiding this comment.
Before this gets merged I forgot to deal with the either type. I will update later today.
There was a problem hiding this comment.
It was a couple lines down, the apply.
| description = "PEM files to use"; | ||
| }; | ||
|
|
||
| ocspStaplingDir = mkOption { |
There was a problem hiding this comment.
Okay. Will update later.
jflanglois
force-pushed
the
new-package-hitch
branch
from
b435d02
to
ae8679f
Compare
|
Whoops, sorry about the churn. I was doing some housekeeping. |
pkgs/servers/hitch/default.nix
Outdated
| nativeBuildInputs = [ pkgconfig ]; | ||
| buildInputs = [ docutils libev openssl ]; | ||
|
|
||
| outputs = [ "bin" "out" "doc" "man" ]; |
There was a problem hiding this comment.
out is empty. You can drop bin, so hitch stays in out.
|
Removed |
Add the Hitch TLS reverse proxy as an option for TLS termination.
Motivation for this change
Add the Hitch TLS reverse proxy as an option for TLS termination.
Things done
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)