New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
meguca: init at 2018-05-17 #39482
meguca: init at 2018-05-17 #39482
Conversation
That said, putting together this package I'm pretty sure there are things in it that can be done better. If there's a way to include cmake in the buildinputs without it autofiring cmake, I'd like to know so that I can add an option to compile the WASM (optional) client, that uses emscripten. I also can't do the |
pkgs/servers/meguca/default.nix
Outdated
export HOME=$PWD/.home | ||
export GOPATH=$HOME/go | ||
export GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt | ||
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like especially if someone could tell me a better way to do this.
I'm not familiar with buildGoPackage
and couldn't find a way to make it work with the way meguca's build flow goes.
pkgs/servers/meguca/default.nix
Outdated
url = "https://github.com/bakape/meguca.git"; | ||
rev = "4961e76743fc22c002fcf8f1bc8f77bbe73b2623"; | ||
sha256 = "055m323s5vki6dg77mm8sfj88ymh46bjckx8w474gyx5q59jprgp"; | ||
fetchSubmodules = false; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you are not using fetchSubmodules, you can use fetchFromGitHub
as well.
dontUseCmakeConfigure can be set to avoid the cmake hook: https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/tools/build-managers/cmake/setup-hook.sh#L92 |
@GrahamcOfBorg build meguca |
Failure on x86_64-linux (full log) Attempted: meguca Partial log (click to expand)
|
Failure on aarch64-linux (full log) Attempted: meguca Partial log (click to expand)
|
Failure on x86_64-darwin (full log) Attempted: meguca Partial log (click to expand)
|
Pending a review and a hydra build, I believe this is ready to be pulled. |
87bd352
to
1316d44
Compare
9c9a232
to
64a7f95
Compare
This (may) not build until #39955 is fixed. |
I just realized that I've been using the sandboxing wrong, I'll commit a fix and squash the merge soon. |
@Mic92 Hopefully this is the last time I ping you on this pull request. |
WorkingDirectory = "${cfg.baseDir}"; | ||
ExecStart = ''${pkgs.meguca}/bin/meguca${if cfg.reverseProxy != null then " -R ${cfg.reverseProxy}" else ""}${if cfg.sslCertificate != null then " -S ${cfg.sslCertificate}" else ""}${if cfg.listenAddress != null then " -a ${cfg.listenAddress}" else ""}${if cfg.cacheSize != null then " -c ${cfg.cacheSize}" else ""}${if cfg.postgresArgs != null then " -d ${cfg.postgresArgs}" else ""}${if cfg.compressTraffic then " -g" else ""}${if cfg.assumeReverseProxy then " -r" else ""}${if cfg.httpsOnly then " -s" else ""} start''; | ||
ExecStop = "${pkgs.meguca}/bin/meguca stop"; | ||
ExecRestart = "${pkgs.meguca}/bin/meguca restart"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is no explicit restart in systemd.
User = "meguca"; | ||
Group = "meguca"; | ||
WorkingDirectory = "${cfg.baseDir}"; | ||
ExecStart = ''${pkgs.meguca}/bin/meguca${if cfg.reverseProxy != null then " -R ${cfg.reverseProxy}" else ""}${if cfg.sslCertificate != null then " -S ${cfg.sslCertificate}" else ""}${if cfg.listenAddress != null then " -a ${cfg.listenAddress}" else ""}${if cfg.cacheSize != null then " -c ${cfg.cacheSize}" else ""}${if cfg.postgresArgs != null then " -d ${cfg.postgresArgs}" else ""}${if cfg.compressTraffic then " -g" else ""}${if cfg.assumeReverseProxy then " -r" else ""}${if cfg.httpsOnly then " -s" else ""} start''; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you break this into multiple lines for readability? You could make it a list that is joined by a spaces.
Also use lib.optionalString
to add optional parameter.
password = mkOption { | ||
type = types.str; | ||
default = "meguca"; | ||
description = "Password for the meguca database."; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The password is stored in clear text in nix readable for all users. We usually have at least an alternative option that stored the password in a file outside the nix store: #24288
Btw where is this password used in the service?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If meguca also accepts unix sockets for database connections, authentication could be also done via user without any password.
I would not hardcode meguca
as default password and rather let the user choose.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
meguca
is hard coded into upstream itself as the default, however with postgresArgs
you can define the password to access the database with, in which is set each service start with password
field.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The packaging side seems fine. I was not able to the test the service fully yet since the database password is not set in meguca.
@Mic92 How is this? |
${optionalString (cfg.assumeReverseProxy) " -r"}\ | ||
${optionalString (cfg.httpsOnly) " -s"} start | ||
rm -f /run/meguca/start | ||
EOF |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you accidentally dropped ExecStart
from the service.
You can also use the script
property instead of writing your own shell script.
script = ''
exec ${pkgs.meguca}/bin/meguca -d "$(cat ${cfg.postgresArgsFile})"\
${optionalString (cfg.reverseProxy != null) " -R ${cfg.reverseProxy}"}\
${optionalString (cfg.sslCertificate != null) " -S ${cfg.sslCertificate}"}\
${optionalString (cfg.listenAddress != null) " -a ${cfg.listenAddress}"}\
${optionalString (cfg.cacheSize != null) " -c ${toString cfg.cacheSize}"}\
${optionalString (cfg.compressTraffic) " -g"}\
${optionalString (cfg.assumeReverseProxy) " -r"}\
${optionalString (cfg.httpsOnly) " -s"} start
'';
It works the same way preStart
works.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update just saw the script
reference above. This can be just inlined, no need to create a separate script.
Type = "forking"; | ||
User = "meguca"; | ||
Group = "meguca"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why did you removed the meguca
user here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The meguca user is no longer necessary, since it's running in /run/.
Actually, it was never really necessary, I don't know why I added it to begin with.
If it's part of some standard, I'll re-add.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually never mind, I'll re-add it, since being able to configure the directory in which meguca starts in would be useful.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But then the server would run as root, right? If it can be avoided network-facing services should not run as root.
436678d
to
2d0e613
Compare
script = '' | ||
cd ${cfg.baseDir} | ||
|
||
${pkgs.meguca}/bin/meguca -d "$(cat ${cfg.postgresArgsFile})"\ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Too bad the password is not cleared in meguca and visible to any other process such as top:
/nix/store/7l3naj8wdpg9akp8bjps4nwl863nb216-meguca-unstable-2018-05-26-bin/bin/meguca -d user=meguca password=meguca dbname=meguca sslmode=disable start
This is an upstream issue however and should not be fixed in this pull request.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tracked here: bakape/shamichan#729
Motivation for this change
meguca is a great piece of software, and I thought I'd make a package for it.
Things done
build-use-sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)