meguca: init at 2018-05-17 #39482
meguca: init at 2018-05-17 #39482
Conversation
|
That said, putting together this package I'm pretty sure there are things in it that can be done better. If there's a way to include cmake in the buildinputs without it autofiring cmake, I'd like to know so that I can add an option to compile the WASM (optional) client, that uses emscripten. I also can't do the |
pkgs/servers/meguca/default.nix
Outdated
| export HOME=$PWD/.home | ||
| export GOPATH=$HOME/go | ||
| export GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt | ||
| export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt |
There was a problem hiding this comment.
I'd like especially if someone could tell me a better way to do this.
I'm not familiar with buildGoPackage and couldn't find a way to make it work with the way meguca's build flow goes.
pkgs/servers/meguca/default.nix
Outdated
| url = "https://github.com/bakape/meguca.git"; | ||
| rev = "4961e76743fc22c002fcf8f1bc8f77bbe73b2623"; | ||
| sha256 = "055m323s5vki6dg77mm8sfj88ymh46bjckx8w474gyx5q59jprgp"; | ||
| fetchSubmodules = false; |
There was a problem hiding this comment.
If you are not using fetchSubmodules, you can use fetchFromGitHub as well.
|
dontUseCmakeConfigure can be set to avoid the cmake hook: https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/tools/build-managers/cmake/setup-hook.sh#L92 |
|
@GrahamcOfBorg build meguca |
|
Failure on x86_64-linux (full log) Attempted: meguca Partial log (click to expand)
|
|
Failure on aarch64-linux (full log) Attempted: meguca Partial log (click to expand)
|
|
Failure on x86_64-darwin (full log) Attempted: meguca Partial log (click to expand)
|
Chiiruno
changed the title
|
Pending a review and a hydra build, I believe this is ready to be pulled. |
Chiiruno
force-pushed
the
init/meguca
branch
3 times, most recently
from
87bd352
to
1316d44
Compare
Chiiruno
changed the title
GrahamcOfBorg
added
2.status: merge conflict
and removed
2.status: merge conflict
labels
Chiiruno
force-pushed
the
init/meguca
branch
2 times, most recently
from
9c9a232
to
64a7f95
Compare
|
This (may) not build until #39955 is fixed. |
Chiiruno
changed the title
|
I just realized that I've been using the sandboxing wrong, I'll commit a fix and squash the merge soon. |
Chiiruno
changed the title
|
@Mic92 Hopefully this is the last time I ping you on this pull request. |
| WorkingDirectory = "${cfg.baseDir}"; | ||
| ExecStart = ''${pkgs.meguca}/bin/meguca${if cfg.reverseProxy != null then " -R ${cfg.reverseProxy}" else ""}${if cfg.sslCertificate != null then " -S ${cfg.sslCertificate}" else ""}${if cfg.listenAddress != null then " -a ${cfg.listenAddress}" else ""}${if cfg.cacheSize != null then " -c ${cfg.cacheSize}" else ""}${if cfg.postgresArgs != null then " -d ${cfg.postgresArgs}" else ""}${if cfg.compressTraffic then " -g" else ""}${if cfg.assumeReverseProxy then " -r" else ""}${if cfg.httpsOnly then " -s" else ""} start''; | ||
| ExecStop = "${pkgs.meguca}/bin/meguca stop"; | ||
| ExecRestart = "${pkgs.meguca}/bin/meguca restart"; |
There was a problem hiding this comment.
There is no explicit restart in systemd.
| User = "meguca"; | ||
| Group = "meguca"; | ||
| WorkingDirectory = "${cfg.baseDir}"; | ||
| ExecStart = ''${pkgs.meguca}/bin/meguca${if cfg.reverseProxy != null then " -R ${cfg.reverseProxy}" else ""}${if cfg.sslCertificate != null then " -S ${cfg.sslCertificate}" else ""}${if cfg.listenAddress != null then " -a ${cfg.listenAddress}" else ""}${if cfg.cacheSize != null then " -c ${cfg.cacheSize}" else ""}${if cfg.postgresArgs != null then " -d ${cfg.postgresArgs}" else ""}${if cfg.compressTraffic then " -g" else ""}${if cfg.assumeReverseProxy then " -r" else ""}${if cfg.httpsOnly then " -s" else ""} start''; |
There was a problem hiding this comment.
Can you break this into multiple lines for readability? You could make it a list that is joined by a spaces.
Also use lib.optionalString to add optional parameter.
| password = mkOption { | ||
| type = types.str; | ||
| default = "meguca"; | ||
| description = "Password for the meguca database."; |
There was a problem hiding this comment.
The password is stored in clear text in nix readable for all users. We usually have at least an alternative option that stored the password in a file outside the nix store: #24288
Btw where is this password used in the service?
There was a problem hiding this comment.
If meguca also accepts unix sockets for database connections, authentication could be also done via user without any password.
I would not hardcode meguca as default password and rather let the user choose.
There was a problem hiding this comment.
meguca is hard coded into upstream itself as the default, however with postgresArgs you can define the password to access the database with, in which is set each service start with password field.
|
@Mic92 How is this? |
| ${optionalString (cfg.assumeReverseProxy) " -r"}\ | ||
| ${optionalString (cfg.httpsOnly) " -s"} start | ||
| rm -f /run/meguca/start | ||
| EOF |
There was a problem hiding this comment.
I think you accidentally dropped ExecStart from the service.
You can also use the script property instead of writing your own shell script.
script = ''
exec ${pkgs.meguca}/bin/meguca -d "$(cat ${cfg.postgresArgsFile})"\
${optionalString (cfg.reverseProxy != null) " -R ${cfg.reverseProxy}"}\
${optionalString (cfg.sslCertificate != null) " -S ${cfg.sslCertificate}"}\
${optionalString (cfg.listenAddress != null) " -a ${cfg.listenAddress}"}\
${optionalString (cfg.cacheSize != null) " -c ${toString cfg.cacheSize}"}\
${optionalString (cfg.compressTraffic) " -g"}\
${optionalString (cfg.assumeReverseProxy) " -r"}\
${optionalString (cfg.httpsOnly) " -s"} start
'';
It works the same way preStart works.
There was a problem hiding this comment.
Update just saw the script reference above. This can be just inlined, no need to create a separate script.
| Type = "forking"; | ||
| User = "meguca"; | ||
| Group = "meguca"; |
There was a problem hiding this comment.
Why did you removed the meguca user here?
There was a problem hiding this comment.
The meguca user is no longer necessary, since it's running in /run/.
Actually, it was never really necessary, I don't know why I added it to begin with.
If it's part of some standard, I'll re-add.
There was a problem hiding this comment.
Actually never mind, I'll re-add it, since being able to configure the directory in which meguca starts in would be useful.
There was a problem hiding this comment.
But then the server would run as root, right? If it can be avoided network-facing services should not run as root.
Chiiruno
force-pushed
the
init/meguca
branch
2 times, most recently
from
436678d
to
2d0e613
Compare
| script = '' | ||
| cd ${cfg.baseDir} | ||
|
|
||
| ${pkgs.meguca}/bin/meguca -d "$(cat ${cfg.postgresArgsFile})"\ |
There was a problem hiding this comment.
Too bad the password is not cleared in meguca and visible to any other process such as top:
/nix/store/7l3naj8wdpg9akp8bjps4nwl863nb216-meguca-unstable-2018-05-26-bin/bin/meguca -d user=meguca password=meguca dbname=meguca sslmode=disable start
This is an upstream issue however and should not be fixed in this pull request.
There was a problem hiding this comment.
tracked here: bakape/shamichan#729
Motivation for this change
meguca is a great piece of software, and I thought I'd make a package for it.
Things done
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)