🎉 Initial Rev. #2
Conversation
Signed-off-by: Muhammed Hussain Karimi <info@karimi.dev>
|
For managing sources.json file we should determine if we do it manually or automatically |
There was a problem hiding this comment.
Pull request overview
This pull request introduces the initial release of a Nix flake for RustFS, providing infrastructure for deploying RustFS as a prebuilt binary package with NixOS integration. The implementation includes cross-platform binary distribution, a systemd service module, and comprehensive documentation.
Key changes:
- Added Nix flake infrastructure with prebuilt binary packages for Linux and macOS on x86_64 and aarch64 architectures
- Introduced a NixOS module with systemd service definition and configurable options for RustFS deployment
- Provided documentation with usage examples and configuration reference
Reviewed changes
Copilot reviewed 4 out of 6 changed files in this pull request and generated 12 comments.
Show a summary per file
| File | Description |
|---|---|
| sources.json | Defines version and platform-specific download URLs/hashes for RustFS prebuilt binaries |
| nixos/rustfs.nix | Implements NixOS module with service configuration, options, and systemd unit definition |
| flake.nix | Defines Nix flake structure with package derivations and module exports |
| flake.lock | Lock file for nixpkgs dependency |
| README.md | User documentation with installation instructions and configuration options reference |
| .gitignore | Ignores Nix build artifacts and direnv cache |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| User = "root"; | ||
| Group = "root"; |
There was a problem hiding this comment.
Running the service as root (User = "root", Group = "root") violates the principle of least privilege and creates unnecessary security risk. If the service is compromised, an attacker would have full system access. Consider creating a dedicated rustfs user and group with minimal permissions needed to access only the volumes and log directories.
nixos/rustfs.nix
Outdated
| . /etc/default/rustfs | ||
| exec ${cfg.package}/bin/rustfs $RUSTFS_VOLUMES |
There was a problem hiding this comment.
The startScript sources the environment file from /etc/default/rustfs but doesn't verify it exists or handle potential errors. If the file is missing or malformed, the script will fail silently or with unclear errors. Consider adding error handling or verification that the environment file is properly created.
| . /etc/default/rustfs | |
| exec ${cfg.package}/bin/rustfs $RUSTFS_VOLUMES | |
| set -euo pipefail | |
| if [ ! -r /etc/default/rustfs ]; then | |
| echo "rustfs: environment file /etc/default/rustfs is missing or not readable" >&2 | |
| exit 1 | |
| fi | |
| . /etc/default/rustfs | |
| if [ -z "${RUSTFS_VOLUMES:-}" ]; then | |
| echo "rustfs: RUSTFS_VOLUMES is not set in /etc/default/rustfs" >&2 | |
| exit 1 | |
| fi | |
| exec ${cfg.package}/bin/rustfs "$RUSTFS_VOLUMES" |
There was a problem hiding this comment.
This problem is not possible since we are already getting them from parameters
nixos/rustfs.nix
Outdated
| systemd.tmpfiles.rules = | ||
| [ | ||
| "d ${cfg.logDirectory} 0750 root root -" | ||
| "d ${cfg.tlsDirectory} 0750 root root -" | ||
| ]; |
There was a problem hiding this comment.
The tmpfiles.rules create directories with root:root ownership, but these directories should be owned by the service user. If the service ever runs as a non-root user (as it should for security), it won't have permission to write to these directories. The ownership should match the service's User and Group settings.
nixos/rustfs.nix
Outdated
| envFile = pkgs.writeText "rustfs.env" '' | ||
| RUSTFS_ACCESS_KEY=${cfg.accessKey} | ||
| RUSTFS_SECRET_KEY=${cfg.secretKey} |
There was a problem hiding this comment.
The envFile definition writes RUSTFS_ACCESS_KEY and RUSTFS_SECRET_KEY into a Nix store file via pkgs.writeText, which is typically world-readable and then symlinked into /etc/default/rustfs. This exposes RustFS admin credentials in cleartext to any local user on the system, allowing them to exfiltrate or abuse object storage data without needing root. Treat these values as secrets and load them from a restricted-permissions secret source (e.g., systemd credentials or a NixOS secret management module) rather than embedding them in the store and /etc.
There was a problem hiding this comment.
Same as what we have for normal installations
There was a problem hiding this comment.
Same as what we have for normal installations
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Muhammed Hussain Karimi <info@karimi.dev>
Signed-off-by: Muhammed Hussain Karimi <info@karimi.dev>
|
I have also added support for extra env vars |
|
Hello @mhkarimi1383 , Thank you very much. Merged. |
2 participants
This pull request introduces a new Nix flake for RustFS, providing a prebuilt binary package and a NixOS module for easy integration and configuration. It adds support for multiple platforms, detailed documentation, and a robust NixOS service definition for managing RustFS as a systemd service.
The most important changes are:
Nix Flake and Packaging:
flake.nixto define the RustFS flake, providing prebuilt binaries for Linux and macOS on both x86_64 and aarch64 architectures, and exposing both a package and a NixOS module.sources.jsonto track RustFS release versions and platform-specific download URLs and hashes for the prebuilt binaries.NixOS Module:
nixos/rustfs.nixas a NixOS module to manage RustFS as a service, with configurable options such as access keys, volumes, logging, and TLS directories, and a secure systemd service definition.Documentation:
README.mdwith usage instructions, configuration options, and examples for integrating RustFS into NixOS systems using the new flake and module.