nixos/bepasty: Kind of modernize the module #61883

Closed

@dasJ dasJ commented May 22, 2019

  • Switch to Python 3 which fixes bepasty not being found (and requires a
    patch to work which is already on bepasty master)
  • Remove the enable option
  • Hardcode directories and let systemd manage permissions
  • Sandbox the service using systemd
  • Switch to a dynamic user and run nothing as root (except for preStart)
  • Allow users to set permissions without adding them to the store
    (extraConfigFile)
  • Make assertion more clear
Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@Lassulus Lassulus commented May 22, 2019

@GrahamcOfBorg build bepasty

@Lassulus Lassulus commented May 22, 2019

@GrahamcOfBorg build bepasty

@aanderse aanderse commented May 23, 2019

@dasJ After a quick review it looks like this will make existing installs lose all data if custom directories were specified. Is this correct?

@@ -136,48 +128,50 @@ in
extraLibs = [ bepasty gevent ];
};
in {
BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf";
BEPASTY_CONFIG = "/tmp/bepasty.conf";
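
Review bot: the replacement value `/tmp/bepasty.conf` on the second `BEPASTY_CONFIG` line drops both `${server.workDir}` and `${name}`, so every instance now points at the same fixed filename, in a directory that these lines do not show to be private to the service. Either keep `${name}` in the filename and place the file in a directory the service owns, or add a comment beside this line naming the unit setting that gives the service its own /tmp, so the assumption is visible to the next person who edits the unit.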


memberbetty May 25, 2019
Contributor

You cannot assume that /tmp/bepasty.conf doesn't exist yet.


memberbetty May 25, 2019
Contributor

You seem to have removed PrivateTmp= enabled. If you add that again, it might work as you intended.


dasJ May 29, 2019
Author Member

No worries, DynamicUser also enables PrivateTmp
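
The exchange above turns on whether the unit gets its own /tmp. As an added example (not code from this pull request or from nixpkgs), the Python check below flags fixed /tmp paths in a unit's [Service] section unless PrivateTmp= or DynamicUser= is enabled. The unit texts, the ExecStart path and all function names are constructed for illustration.

```python
import re

TRUTHY = {"1", "yes", "true", "on"}  # systemd boolean spellings
# A path directly under /tmp or /var/tmp, not e.g. /srv/tmp/...
TMP_PATH = re.compile(r"(?<![\w.-])/(?:var/)?tmp/[^\s\"';]+")

# Constructed sample units (not taken from the pull request).
SHARED = """[Service]
Environment=BEPASTY_CONFIG=/tmp/bepasty.conf
ExecStart=/usr/bin/example-server
"""
DYNAMIC = SHARED + "DynamicUser=yes\n"
OVERRIDDEN = SHARED + "PrivateTmp=yes\nPrivateTmp=no\n"

def service_settings(unit_text):
    """Collect key -> [values] from the [Service] section of a unit file."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings

def enabled(settings, key):
    """True if the last assignment of a boolean setting is truthy."""
    values = settings.get(key)
    return bool(values) and values[-1].lower() in TRUTHY

def shared_tmp_paths(unit_text):
    """Return (key, path) pairs for fixed /tmp paths used on the host's shared /tmp."""
    s = service_settings(unit_text)
    # DynamicUser= implies PrivateTmp=, the point made in the thread above.
    if enabled(s, "PrivateTmp") or enabled(s, "DynamicUser"):
        return []
    found = []
    for key, values in s.items():
        for value in values:
            found += [(key, path) for path in TMP_PATH.findall(value)]
    return found

if __name__ == "__main__":
    for label, unit in (("shared", SHARED), ("dynamic", DYNAMIC), ("overridden", OVERRIDDEN)):
        print(label, shared_tmp_paths(unit))
```
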

@dasJ dasJ commented May 29, 2019

@aanderse Yes, it's a little downside. On the upside, systemd will manage the permissions of the directory and make the path writable in the sandbox.

@aanderse aanderse commented May 29, 2019

@dasJ You might want to consider keeping the dataDir and workDir option around but adding a warning that the options are deprecated. This way existing installs could be automatically migrated. In a few NixOS releases the options could eventually be removed. If you do this then no one will lose any data, or have to do any migration work.

@dasJ dasJ commented May 29, 2019

@aanderse The problem is: How do I ensure the directories are owned by the proper user and have the proper permissions?

@aanderse aanderse commented Jun 2, 2019

I assume some scripts could be written to take the existing dataDir and workDir values which aren't null and move the data to the appropriate spot, but I haven't looked into it in depth.

@dasJ dasJ closed this Feb 5, 2020
@dasJ dasJ deleted the dasJ:modernize-bepasty branch Feb 5, 2020