nixos/geoipupdate: Init the module #73767
Conversation
Thanks for writing this module! Appreciate the systemd sandboxing options.
```nix
description = "Maxmind GeoIP updater";
after = [ "networking.target" ];
wantedBy = [ "multi-user.target" ];
startAt = "weekly";
```
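Review bot: `networking.target` in the `after` line is not a target systemd provides (the standard ones are `network.target` and `network-online.target`), so this ordering dependency is silently ineffective; for a unit that needs outbound connectivity use `after = [ "network-online.target" ];` together with `wants = [ "network-online.target" ];`. Separately, `wantedBy = [ "multi-user.target" ]` combined with `startAt = "weekly"` makes the oneshot run on every boot as well as on the timer; if only the weekly run is intended, drop `wantedBy` and let the timer that `startAt` generates pull the service in.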
RandomizedDelaySec for the timer might be useful to avoid DDoSing the Maxmind servers. The original service uses 1 hour.
```nix
default = "0";
};

licenseKey = mkOption {
```
Not sure whether to treat this as a password and use something like licenseKeyFile, which would be a path to the file containing the license key, so as not to end up in the nix store.
Yeah, but their config file format doesn't allow for imports sadly
You can generate the final config file in preStart (see e.g. nixos/modules/services/misc/gogs.nix), though it's a bit ugly.
Other possibility would be to add an option which accepts path to the complete configuration file, which the user can place outside of /nix/store if desired.
```nix
Type = "oneshot";
ExecStart = "${pkgs.geoipupdate}/bin/geoipupdate -d /var/lib/GeoIP -f ${configFile}";

ProtectHome = true;
```
Would ProtectSystem = "strict" break the service?
Oh yes, I forgot that :( as well as PrivateTmp
```nix
enable = mkEnableOption "the automated GeoIP updater";

accountID = mkOption {
  description = "Account ID of your Maxmind account (or 0 for free GeoLite DBs)";
```
Nitpick: they seem to capitalize the name as MaxMind.
```nix
extraConfig = mkOption {
  description = "Extra configuration to append to the configuration file";
  type = attrsOf str;
```
Instead of an extraConfig I suggest the approach in NixOS/rfcs#42: have a settings option (of the same type as this one) where all settings are defined, including AccountID and such. These can then be defaulted in the config section below, e.g. services.geoipupdate.settings.AccountID = mkDefault cfg.accountID
```nix
StateDirectory = "GeoIP";
StateDirectoryMode = "0755";

User = "geoipupdate";
```
Does DynamicUser work? That would be preferable over creating a persistent user.
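Pulling the review threads above together (RandomizedDelaySec on the timer, a licenseKeyFile generated into the real config in preStart, ProtectSystem = "strict" with PrivateTmp, an RFC 42 style settings option, and DynamicUser), here is one way the module could look. This is an added example written for this page, not code from the PR or from nixpkgs. The option names licenseKeyFile and settings, and the use of systemd's LoadCredential (which needs systemd 247 or newer) to hand the key to the dynamic user without making the file world-readable, are my choices; the GeoIP.conf keys AccountID, LicenseKey and EditionIDs and the geoipupdate -d/-f flags are the tool's own.

```nix
{ config, lib, pkgs, ... }:

let
  cfg = config.services.geoipupdate;

  # Render the non-secret settings as GeoIP.conf "Key value" lines.
  # The license key is deliberately absent from this file, so nothing
  # secret ends up in the world-readable Nix store.
  settingsTemplate = pkgs.writeText "GeoIP.conf.template"
    ((lib.concatStringsSep "\n"
      (lib.mapAttrsToList (key: value: "${key} ${value}") cfg.settings)) + "\n");
in
{
  options.services.geoipupdate = {
    enable = lib.mkEnableOption "the automated GeoIP updater";

    # Assumption: the key lives in a root-owned file outside /nix/store.
    licenseKeyFile = lib.mkOption {
      type = lib.types.path;
      example = "/run/keys/maxmind-license-key";
      description = "File containing the MaxMind license key (kept out of the Nix store).";
    };

    # RFC 42 style: every GeoIP.conf setting is a key in this attrset.
    settings = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      default = { };
      example = { AccountID = "123456"; EditionIDs = "GeoLite2-Country GeoLite2-City"; };
      description = "Settings written to GeoIP.conf, one 'Key value' line each.";
    };
  };

  config = lib.mkIf cfg.enable {
    # Defaults the user can override with a plain assignment.
    services.geoipupdate.settings = {
      AccountID = lib.mkDefault "0";
      EditionIDs = lib.mkDefault "GeoLite2-Country";
    };

    systemd.services.geoipupdate = {
      description = "MaxMind GeoIP updater";
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      startAt = "weekly";  # generates systemd.timers.geoipupdate

      # Assemble the real config at start time: the store template plus the
      # secret from $CREDENTIALS_DIRECTORY, written to the private runtime dir.
      preStart = ''
        set -eu
        umask 077
        {
          cat ${settingsTemplate}
          printf 'LicenseKey %s\n' "$(cat "$CREDENTIALS_DIRECTORY/license-key")"
        } > "$RUNTIME_DIRECTORY/GeoIP.conf"
      '';

      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${pkgs.geoipupdate}/bin/geoipupdate -d /var/lib/GeoIP -f /run/geoipupdate/GeoIP.conf";

        # No persistent user: systemd allocates one per run and chowns the
        # State/Runtime directories to it.
        DynamicUser = true;
        StateDirectory = "GeoIP";
        StateDirectoryMode = "0755";   # other services need to read the DBs
        RuntimeDirectory = "geoipupdate";
        RuntimeDirectoryMode = "0700";
        LoadCredential = [ "license-key:${cfg.licenseKeyFile}" ];

        # Sandboxing: with ProtectSystem=strict only StateDirectory and
        # RuntimeDirectory stay writable, which is all the updater needs.
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        NoNewPrivileges = true;
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        LockPersonality = true;
        SystemCallFilter = [ "@system-service" ];
        CapabilityBoundingSet = "";
      };
    };

    # Spread the weekly runs over an hour so every NixOS host does not hit
    # MaxMind at the same instant.
    systemd.timers.geoipupdate.timerConfig.RandomizedDelaySec = "1h";
  };
}
```

Two points worth checking on a real deployment: the generated GeoIP.conf is recreated on every run from the credential, so rotating the key is just replacing the file named by licenseKeyFile; and because the config is written into the RuntimeDirectory under ProtectSystem = "strict", a quick `systemd-analyze security geoipupdate.service` plus one manual `systemctl start geoipupdate.service` confirms that none of the hardening options above breaks the download before the timer fires.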
Hello, I'm a bot and I thank you in the name of the community for your contributions. Nixpkgs is a busy repository, and unfortunately sometimes PRs get left behind for too long. Nevertheless, we'd like to help committers reach the PRs that are still important. This PR has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human. If this is still important to you and you'd like to remove the stale label, we ask that you leave a comment. Your comment can be as simple as "still important to me". But there's a bit more you can do:

If you received an approval by an unprivileged maintainer and you are just waiting for a merge, you can @ mention someone with merge permissions and ask them to help. You might be able to find someone relevant by using Git blame on the relevant files, or via GitHub's web interface. You can see if someone's a member of the nixpkgs-committers team, by hovering with the mouse over their username on the web interface, or by searching them directly on the list.

If your PR wasn't reviewed at all, it might help to find someone who's perhaps a user of the package or module you are changing, or alternatively, ask once more for a review by the maintainer of the package/module this is about. If you don't know any, you can use Git blame on the relevant files, or GitHub's web interface to find someone who touched the relevant files in the past.

If your PR has had reviews and nevertheless got stale, make sure you've responded to all of the reviewer's requests / questions. Usually when PR authors show responsibility and dedication, reviewers (privileged or not) show dedication as well. If you've pushed a change, it's possible the reviewer wasn't notified about your push via email, so you can always officially request them for a review, or just @ mention them and say you've addressed their comments.

Lastly, you can always ask for help at our Discourse Forum, or more specifically, at this thread or at #nixos' IRC channel.
I think that @dasJ do you have any plans with this PR?