From 530d3ffbccac33565fb2b0a664a16801a3f4d700 Mon Sep 17 00:00:00 2001
From: tv
Date: Sat, 23 Jan 2021 21:36:14 +0100
Subject: [PATCH 1/8] nixos/users: use proper name for per-user packages
Fixes #107353
---
 nixos/modules/config/users-groups.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index e90a7d567d4..f1503f9b392 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -568,7 +568,7 @@ in {
 # Install all the user shells
 environment.systemPackages = systemShells;
- environment.etc = (mapAttrs' (name: { packages, ... }: {
+ environment.etc = (mapAttrs' (_: { packages, name, ... }: {
 name = "profiles/per-user/${name}";
 value.source = pkgs.buildEnv {
 name = "user-environment";
From c3f0be60d21bfb98e3e5bbd456ca965aeedc09bb Mon Sep 17 00:00:00 2001
From: "R. RyanTM"
Date: Sun, 14 Feb 2021 18:22:10 +0000
Subject: [PATCH 2/8] i3: 4.19 -> 4.19.1
---
 pkgs/applications/window-managers/i3/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/applications/window-managers/i3/default.nix b/pkgs/applications/window-managers/i3/default.nix
index d05b187ca78..c918a3b5d8c 100644
--- a/pkgs/applications/window-managers/i3/default.nix
+++ b/pkgs/applications/window-managers/i3/default.nix
@@ -5,11 +5,11 @@ stdenv.mkDerivation rec {
 pname = "i3";
- version = "4.19";
+ version = "4.19.1";
 src = fetchurl {
 url = "https://i3wm.org/downloads/${pname}-${version}.tar.xz";
- sha256 = "0wjq6lkidg0g474xsln1fhbxci7zclq3748sda10f1n7q01qp95c";
+ sha256 = "sha256-IoTIEvxongM42P6b4LjRVS5Uj8Fo0WX3lbJr9JfCK0c=";
 };
 nativeBuildInputs = [ pkg-config makeWrapper meson ninja installShellFiles ];
From 9a858b63055bfa0c5431ccf383b43cc28f7c9e36 Mon Sep 17 00:00:00 2001
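Review bot: The lambda now ignores the attrset key and builds the profile path from the user's `name` attribute instead, but nothing at the call site says why, and the subject line only says "proper name"; a one-line comment would save the next reader a trip to #107353, e.g. `# users.users.<key>.name may differ from <key>; the per-user profile must be keyed by the real user name`. Since `name` is per-user configuration that now ends up in an `/etc` path, it is worth confirming that the module validates user names somewhere outside this hunk (no `/` or `..`), and adding that check here if it does not. The enclosing `environment.etc` expression continues outside the hunk.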
From: Ivan Babrou
Date: Sun, 14 Feb 2021 11:44:43 -0800
Subject: [PATCH 3/8] cargo-whatfeatures: init at 0.9.6
---
 .../tools/rust/cargo-whatfeatures/default.nix | 27 +++++++++++++++++++
 pkgs/top-level/all-packages.nix | 4 +++
 2 files changed, 31 insertions(+)
 create mode 100644 pkgs/development/tools/rust/cargo-whatfeatures/default.nix
diff --git a/pkgs/development/tools/rust/cargo-whatfeatures/default.nix b/pkgs/development/tools/rust/cargo-whatfeatures/default.nix
new file mode 100644
index 00000000000..34440ce9305
--- /dev/null
+++ b/pkgs/development/tools/rust/cargo-whatfeatures/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchFromGitHub, rustPlatform, pkg-config, openssl, Security }:
+
+rustPlatform.buildRustPackage rec {
+ pname = "cargo-whatfeatures";
+ version = "0.9.6";
+
+ src = fetchFromGitHub {
+ owner = "museun";
+ repo = pname;
+ rev = "v${version}";
+ sha256 = "0vki37pxngg15za9c1z61dc6sqk0j59s0qhcf9hplnym4ib5kqx1";
+ };
+
+ cargoSha256 = "sha256-nNV7UXjKZNFmTqW4H0qsNuBW9XOP2V9nfotewtI9mYE";
+
+ nativeBuildInputs = [ pkg-config ];
+
+ buildInputs = [ openssl ]
+ ++ lib.optionals stdenv.isDarwin [ Security ];
+
+ meta = with lib; {
+ description = "A simple cargo plugin to get a list of features for a specific crate";
+ homepage = "https://github.com/museun/cargo-whatfeatures";
+ license = with licenses; [ mit asl20 ];
+ maintainers = with maintainers; [ ivan-babrou ];
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 7b29d1508b0..ef4c26d1443 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -10856,6 +10856,10 @@ in
 inherit (darwin.apple_sdk.frameworks) Security;
 };
+ cargo-whatfeatures = callPackage ../development/tools/rust/cargo-whatfeatures {
+ inherit (darwin.apple_sdk.frameworks) Security;
+ };
+
 crate2nix = callPackage ../development/tools/rust/crate2nix { };
 convco = callPackage ../development/tools/convco {
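Review bot: `cargoSha256 = "sha256-nNV7UXjKZNFmTqW4H0qsNuBW9XOP2V9nfotewtI9mYE"` has 43 characters after the `sha256-` prefix, one short of the padded 44-character base64 form that the i3 hash earlier in this series uses (`...JfCK0c=`); unless Nix accepts unpadded SRI strings, evaluation will reject it, so re-run the fetch and paste the complete value, e.g. `cargoSha256 = "sha256-<regenerated hash, padded>";` with the placeholder replaced by the real output. These two hashes are the only thing pinning the upstream source and the vendored crate set, so they should come straight from a fresh fetch rather than be hand-edited. The all-packages hunk follows the neighbouring Rust tools in taking `Security` from `darwin.apple_sdk.frameworks`.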
From 797b60f0d760fc2cfcad0c15cb22a5b75ed81818 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dani=C3=ABl=20de=20Kok?=
Date: Mon, 15 Feb 2021 08:18:29 +0100
Subject: [PATCH 4/8] ripgrep: link PCRE2 dynamically
The pcre2 crate which is used by ripgrep uses pkg-config to find the path of the PCRE2 dynamic library. If the pkg-config or the library is not found, PCRE2 will be built/linked statically. This change adds pkg-config to the nativeBuildInputs of ripgrep, so that the PCRE2 library is detected and dynamically linked.
---
 pkgs/tools/text/ripgrep/default.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/pkgs/tools/text/ripgrep/default.nix b/pkgs/tools/text/ripgrep/default.nix
index 61e534fa732..b012bdfe57e 100644
--- a/pkgs/tools/text/ripgrep/default.nix
+++ b/pkgs/tools/text/ripgrep/default.nix
@@ -4,6 +4,7 @@
 , rustPlatform
 , asciidoctor
 , installShellFiles
+, pkg-config
 , Security
 , withPCRE2 ? true
 , pcre2 ? null
@@ -24,9 +25,10 @@ rustPlatform.buildRustPackage rec {
 cargoBuildFlags = lib.optional withPCRE2 "--features pcre2";
- nativeBuildInputs = [ asciidoctor installShellFiles ];
+ nativeBuildInputs = [ asciidoctor installShellFiles ]
+ ++ lib.optional withPCRE2 pkg-config;
 buildInputs = (lib.optional withPCRE2 pcre2)
- ++ (lib.optional stdenv.isDarwin Security);
+ ++ (lib.optional stdenv.isDarwin Security);
 preFixup = ''
 installManPage $releaseDir/build/ripgrep-*/out/rg.1
From f1adea1a94c90e230b9a69d23110bc5d4e3acdd5 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Sat, 13 Feb 2021 18:37:26 +0300
Subject: [PATCH 5/8] nixos/mastodon: add option trustedProxy
---
 nixos/modules/services/web-apps/mastodon.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix
index 92b1be963bf..decce25f0ad 100644
--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
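Review bot: The reason for `++ lib.optional withPCRE2 pkg-config` lives only in the commit message; a comment on that line keeps it with the code, e.g. `# the pcre2 crate locates libpcre2 through pkg-config; without it the crate builds and statically links its own copy`. Linking the nixpkgs pcre2 instead of a vendored static copy also means PCRE2 fixes reach ripgrep through the one package the distribution patches, which is worth a clause in that comment. The change to `++ (lib.optional stdenv.isDarwin Security);` is whitespace-only, and the enclosing `buildRustPackage` call continues outside the hunk.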
@@ -25,6 +25,8 @@ let
 ES_ENABLED = if (cfg.elasticsearch.host != null) then "true" else "false";
 ES_HOST = cfg.elasticsearch.host;
 ES_PORT = toString(cfg.elasticsearch.port);
+
+ TRUSTED_PROXY_IP = cfg.trustedProxy;
 }
 // (if cfg.smtp.authenticate then { SMTP_LOGIN = cfg.smtp.user; } else {})
 // cfg.extraConfig;
@@ -179,6 +181,16 @@ in {
 type = lib.types.str;
 };
+ trustedProxy = lib.mkOption {
+ description = ''
+ You need to set it to the IP from which your reverse proxy sends requests to Mastodon's web process,
+ otherwise Mastodon will record the reverse proxy's own IP as the IP of all requests, which would be
+ bad because IP addresses are used for important rate limits and security functions.
+ '';
+ type = lib.types.str;
+ default = "127.0.0.1";
+ };
+
 redis = {
 createLocally = lib.mkOption {
 description = "Configure local Redis server for Mastodon.";
From 424e7b0f5df28988b2a9611b26bfd2ab9aa38ed0 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Sat, 13 Feb 2021 20:47:14 +0300
Subject: [PATCH 6/8] nixos/mastodon: use unix socket to default
---
 nixos/modules/services/web-apps/mastodon.nix | 35 +++++++++++++++----
 1 file changed, 27 insertions(+), 8 deletions(-)
diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix
index decce25f0ad..71027fa0bb4 100644
--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
@@ -191,6 +191,16 @@ in {
 default = "127.0.0.1";
 };
+ enableUnixSocket = lib.mkOption {
+ description = ''
+ Instead of binding to an IP address like 127.0.0.1, you may bind to a Unix socket. This variable
+ is process-specific, e.g. you need different values for every process, and it works for both web (Puma)
+ processes and streaming API (Node.js) processes.
+ '';
+ type = lib.types.bool;
+ default = true;
+ };
+
 redis = {
 createLocally = lib.mkOption {
 description = "Configure local Redis server for Mastodon.";
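Review bot: The description of `trustedProxy` is Mastodon's wording for the `TRUSTED_PROXY_IP` environment variable and tells the reader to "set it" without saying what the module does by default, so the option reads as mandatory when it has a working default. I would reword it along the lines of `Address of the reverse proxy that forwards requests to Mastodon's web process. Mastodon uses it to recover the real client address for rate limiting and other security checks; the default matches the nginx instance this module configures on the same host.` If I recall correctly Mastodon accepts several comma-separated addresses in this variable, so either say so in the description or use `lib.types.listOf lib.types.str` joined with `,` — confirm against Mastodon's configuration before widening the type. The first hunk only forwards the value into `env`.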
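Review bot: The `enableUnixSocket` description is Mastodon's text for the `SOCKET` variable ("This variable is process-specific, e.g. you need different values for every process") and does not describe what this option does, which is to move the web and streaming services onto fixed socket paths under `/run` and point the module's nginx at them. Because the default is `true`, a deployment that sets `configureNginx = false` and fronts the TCP ports with its own proxy stops being reachable after the upgrade, and the description should say so together with the paths, e.g. `Bind the web (Puma) and streaming (Node.js) processes to Unix sockets under /run/mastodon-web and /run/mastodon-streaming instead of the configured TCP ports. The nginx configuration generated by this module follows; an external reverse proxy has to be repointed at the sockets.` The option block is complete within the hunk.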
@@ -427,9 +437,10 @@ in {
 ++ (if cfg.automaticMigrations then [ "mastodon-init-db.service" ] else [ "mastodon-init-dirs.service" ]);
 description = "Mastodon streaming";
 wantedBy = [ "multi-user.target" ];
- environment = env // {
- PORT = toString(cfg.streamingPort);
- };
+ environment = env // (if cfg.enableUnixSocket
+ then { SOCKET = "/run/mastodon-streaming/streaming.socket"; }
+ else { PORT = toString(cfg.streamingPort); }
+ );
 serviceConfig = {
 ExecStart = "${pkgs.nodejs-slim}/bin/node streaming";
 Restart = "always";
@@ -441,6 +452,9 @@ in {
 PrivateTmp = true;
 LogsDirectory = "mastodon";
 StateDirectory = "mastodon";
+ # Runtime directory and mode
+ RuntimeDirectory = "mastodon-streaming";
+ RuntimeDirectoryMode = "0750";
 };
 };
@@ -450,9 +464,10 @@ in {
 ++ (if cfg.automaticMigrations then [ "mastodon-init-db.service" ] else [ "mastodon-init-dirs.service" ]);
 description = "Mastodon web";
 wantedBy = [ "multi-user.target" ];
- environment = env // {
- PORT = toString(cfg.webPort);
- };
+ environment = env // (if cfg.enableUnixSocket
+ then { SOCKET = "/run/mastodon-web/web.socket"; }
+ else { PORT = toString(cfg.webPort); }
+ );
 serviceConfig = {
 ExecStart = "${cfg.package}/bin/puma -C config/puma.rb";
 Restart = "always";
@@ -464,6 +479,9 @@ in {
 PrivateTmp = true;
 LogsDirectory = "mastodon";
 StateDirectory = "mastodon";
+ # Runtime directory and mode
+ RuntimeDirectory = "mastodon-web";
+ RuntimeDirectoryMode = "0750";
 };
 path = with pkgs; [ file imagemagick ffmpeg ];
 };
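Review bot: The socket paths `/run/mastodon-streaming/streaming.socket` and `/run/mastodon-web/web.socket` are spelled out here in the two `environment` expressions and again in the nginx `proxyPass` strings later in this commit, so a rename will miss one of the four; hoisting them into the module's `let` block as `webSocket = "/run/mastodon-web/web.socket";` and `streamingSocket = "/run/mastodon-streaming/streaming.socket";` and using those names everywhere also keeps them visibly tied to the `RuntimeDirectory` values. Note that connecting to a Unix socket requires write permission on the socket inode itself, not only traversal of the `0750` runtime directory, so whether Puma and the Node streaming server create their sockets group-writable under the service's umask should be confirmed — this matters more once a restrictive `UMask` is applied to these units later in the series. The `serviceConfig` blocks of both units continue outside the hunks.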
@@ -507,12 +525,12 @@ in {
 };
 locations."@proxy" = {
- proxyPass = "http://127.0.0.1:${toString(cfg.webPort)}";
+ proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString(cfg.webPort)}");
 proxyWebsockets = true;
 };
 locations."/api/v1/streaming/" = {
- proxyPass = "http://127.0.0.1:${toString(cfg.streamingPort)}/";
+ proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-streaming/streaming.socket" else "http://127.0.0.1:${toString(cfg.streamingPort)}/");
 proxyWebsockets = true;
 };
 };
@@ -544,6 +562,7 @@ in {
 };
 })
 (lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package mastodonEnv ])
+ (lib.mkIf cfg.configureNginx {${config.services.nginx.user}.extraGroups = [ cfg.user ];})
 ];
 users.groups.mastodon = lib.mkIf (cfg.group == "mastodon") { };
From 4255954d972a67d2e50104cb4c72a0f22e1234dd Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Sat, 13 Feb 2021 21:47:41 +0300
Subject: [PATCH 7/8] nixos/mastodon: optimize permissions
---
 nixos/modules/services/web-apps/mastodon.nix | 57 +++++++++----------
 1 file changed, 25 insertions(+), 32 deletions(-)
diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix
index 71027fa0bb4..4986dd2be53 100644
--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
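Review bot: `{${config.services.nginx.user}.extraGroups = [ cfg.user ];}` puts nginx into a group named after the user, but the runtime directories belong to the service group (`Group = cfg.group` in the units) and the module lets the two differ (`users.groups.mastodon` is only created when `cfg.group == "mastodon"`), so with a custom group nginx lands in a wrong or nonexistent group and cannot traverse the `0750` socket directories; this should read `extraGroups = [ cfg.group ];`. Separately, the two branches of the streaming `proxyPass` are not equivalent: the TCP form keeps the trailing `/`, which makes nginx replace the matched `/api/v1/streaming/` prefix, while `http://unix:/run/mastodon-streaming/streaming.socket` has no URI part and forwards the request path unchanged; the socket form of the old behaviour would be `http://unix:/run/mastodon-streaming/streaming.socket:/`, so decide which path the streaming server expects and use the same form in both branches. The `users.users` merge list begins outside the second hunk.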
@@ -31,6 +31,22 @@ let
 // (if cfg.smtp.authenticate then { SMTP_LOGIN = cfg.smtp.user; } else {})
 // cfg.extraConfig;
+ cfgService = {
+ # User and group
+ User = cfg.user;
+ Group = cfg.group;
+ # State directory and mode
+ StateDirectory = "mastodon";
+ StateDirectoryMode = "0750";
+ # Logs directory and mode
+ LogsDirectory = "mastodon";
+ LogsDirectoryMode = "0750";
+ # Access write directories
+ UMask = "0027";
+ # Sandboxing
+ PrivateTmp = true;
+ };
+
 envFile = pkgs.writeText "mastodon.env" (lib.concatMapStrings (s: s + "\n") (
 (lib.concatLists (lib.mapAttrsToList (name: value: if value != null then [
@@ -392,12 +408,9 @@ in {
 environment = env;
 serviceConfig = {
 Type = "oneshot";
- User = cfg.user;
- Group = cfg.group;
 WorkingDirectory = cfg.package;
- LogsDirectory = "mastodon";
- StateDirectory = "mastodon";
- };
+ } // cfgService;
+
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
 };
@@ -419,14 +432,9 @@ in {
 environment = env;
 serviceConfig = {
 Type = "oneshot";
- User = cfg.user;
- Group = cfg.group;
 EnvironmentFile = "/var/lib/mastodon/.secrets_env";
- PrivateTmp = true;
- LogsDirectory = "mastodon";
- StateDirectory = "mastodon";
 WorkingDirectory = cfg.package;
- };
+ } // cfgService;
 after = [ "mastodon-init-dirs.service" "network.target" ] ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []);
 wantedBy = [ "multi-user.target" ];
 };
@@ -445,17 +453,12 @@ in {
 ExecStart = "${pkgs.nodejs-slim}/bin/node streaming";
 Restart = "always";
 RestartSec = 20;
- User = cfg.user;
- Group = cfg.group;
- WorkingDirectory = cfg.package;
 EnvironmentFile = "/var/lib/mastodon/.secrets_env";
- PrivateTmp = true;
- LogsDirectory = "mastodon";
- StateDirectory = "mastodon";
+ WorkingDirectory = cfg.package;
 # Runtime directory and mode
 RuntimeDirectory = "mastodon-streaming";
 RuntimeDirectoryMode = "0750";
- };
+ } // cfgService;
 };
 systemd.services.mastodon-web = {
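Review bot: The merge order `{ ... } // cfgService` lets the shared attrs silently win over anything a service block sets, so a later per-unit `StateDirectoryMode` or `UMask` would be discarded without warning; `serviceConfig = cfgService // { Type = "oneshot"; ... };` keeps the shared defaults while letting the unit-specific block override them, and the same pattern recurs in the mastodon-web and mastodon-sidekiq hunks of this commit. `UMask = "0027"` is a sound tightening, but together with the Unix sockets introduced earlier in the series it also shapes the mode of sockets the daemons create unless they chmod them themselves, so the streaming and web units deserve a check that nginx can still connect. The `# Sandboxing` section holds only `PrivateTmp`; `ProtectSystem`, `ProtectHome` and `NoNewPrivileges` are the usual next steps for a service of this kind and belong naturally in `cfgService`. The comment `# Access write directories` does not describe a umask; `# Files the services create are not world-readable` says what the value does.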
@@ -472,17 +475,12 @@ in {
 ExecStart = "${cfg.package}/bin/puma -C config/puma.rb";
 Restart = "always";
 RestartSec = 20;
- User = cfg.user;
- Group = cfg.group;
- WorkingDirectory = cfg.package;
 EnvironmentFile = "/var/lib/mastodon/.secrets_env";
- PrivateTmp = true;
- LogsDirectory = "mastodon";
- StateDirectory = "mastodon";
+ WorkingDirectory = cfg.package;
 # Runtime directory and mode
 RuntimeDirectory = "mastodon-web";
 RuntimeDirectoryMode = "0750";
- };
+ } // cfgService;
 path = with pkgs; [ file imagemagick ffmpeg ];
 };
@@ -499,14 +497,9 @@ in {
 ExecStart = "${cfg.package}/bin/sidekiq -c 25 -r ${cfg.package}";
 Restart = "always";
 RestartSec = 20;
- User = cfg.user;
- Group = cfg.group;
- WorkingDirectory = cfg.package;
 EnvironmentFile = "/var/lib/mastodon/.secrets_env";
- PrivateTmp = true;
- LogsDirectory = "mastodon";
- StateDirectory = "mastodon";
- };
+ WorkingDirectory = cfg.package;
+ } // cfgService;
 path = with pkgs; [ file imagemagick ffmpeg ];
 };
From e3a7270e3dd01891cefc37ae3a77351053660349 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Sun, 14 Feb 2021 21:10:54 +0300
Subject: [PATCH 8/8] nixos/mastodon: fix mastodon-init-db script
---
 nixos/modules/services/web-apps/mastodon.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix
index 4986dd2be53..37e5f7719b7 100644
--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
@@ -417,7 +417,7 @@ in {
 systemd.services.mastodon-init-db = lib.mkIf cfg.automaticMigrations {
 script = ''
- if [ `psql mastodon -c \
+ if [ `psql ${cfg.database.name} -c \
 "select count(*) from pg_class c \
 join pg_namespace s on s.oid = c.relnamespace \
 where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \