nixos/conduwuit: init #353651
nixos/conduwuit: init #353651
Conversation
github-actions
bot
added
6.topic: nixos
niklaskorz
force-pushed
the
nixos-module-conduwuit
branch
from
d6ec162
to
01d2f08
Compare
h7x4
added
8.has: module (new)
| }; | ||
| global.address = lib.mkOption { | ||
| type = lib.types.str; | ||
| default = "::1"; |
There was a problem hiding this comment.
Is it possible to have no default in the NixOS module? One of the issues that break UNIX sockets with conduwuit using the Conduit module is because the module forcefully listens on [::1]:6167 if you don't specify address, but we can't listen on both TCP and UNIX at the same time when listening on a UNIX socket requires address to not be filled out / populated.
Basically, a working UNIX socket example in conduwuit would be:
#address = "127.0.0.1"
#port = 6167
unix_socket_path = "/run/conduwuit/conduwuit.sock"
The Conduit module forces this config which does not work:
address = "::1"
port = 6167
unix_socket_path = "/run/conduwuit/conduwuit.sock"
| PrivateUsers = true; | ||
| RestrictAddressFamilies = [ | ||
| "AF_INET" | ||
| "AF_INET6" |
| "@system-service" | ||
| "~@privileged" | ||
| ]; | ||
| StateDirectory = "conduwuit"; |
There was a problem hiding this comment.
Could we also add RuntimeDirectory=conduwuit and RuntimeDirectoryMode=0750 to allow users to place the UNIX socket in /run/conduwuit/conduwuit.sock and give any systemd units or users permission to read/write the socket with the conduwuit group? This is how I use UNIX sockets with conduwuit for slightly increased host security.
Obviously nothing is stopping a user from putting the socket in /tmp or something.
| SystemCallArchitectures = "native"; | ||
| SystemCallFilter = [ | ||
| "@system-service" | ||
| "~@privileged" |
There was a problem hiding this comment.
I recommend this syscall filter which is more secure, and I've identified @resources to be required as well. (from https://github.com/girlbossceo/conduwuit/blob/main/debian/conduwuit.service#L45-L47)
SystemCallArchitectures=native
SystemCallFilter=@system-service @resources
SystemCallFilter=~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc
| and is set to be read only. | ||
| ''; | ||
| }; | ||
| global.database_backend = lib.mkOption { |
There was a problem hiding this comment.
I might actually prefer if this is just removed all together. Because we only support RocksDB, and have no intentions or plans to support any other databases for quite a long time, this config option is a no-op and does not do anything in conduwuit, so it's just unnecessary.
ofborg
bot
added
10.rebuild-darwin: 0
As conduwuit deviates more and more from its conduit origins, it makes sense to give conduwuit its own module.
A custom module has been wished by upstream maintainers (@girlbossceo) as well as fellow nixpkgs maintainers (@nyabinary).
This allows us to cover breaking changes such as:
Also includes the conduwuit-specific(?) fix from #353634.
Things done
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Add a 👍 reaction to pull requests you find important.