From 615f8b8982b26bbb1a3e202be020d27a9f205c62 Mon Sep 17 00:00:00 2001
From: Aaron Andersen
Date: Wed, 22 May 2019 21:00:24 -0400
Subject: nixos/gitea: utilize mysql|postgresql.ensureDatabases & ensureUsers to provision databases
---
nixos/modules/services/misc/gitea.nix | 53 ++++++++++++++++++++---------------
1 file changed, 31 insertions(+), 22 deletions(-)
(limited to 'nixos/modules/services')
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index 6fd4183bd6b4..5f654230bf4c 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -159,7 +159,8 @@ in socket = mkOption { type = types.nullOr types.path; - default = null; + default = if (cfg.database.createDatabase && usePostgresql) then "/run/postgresql" else if (cfg.database.createDatabase && useMysql) then "/run/mysqld/mysqld.sock" else null; + defaultText = "null"; example = "/run/mysqld/mysqld.sock"; description = "Path to the unix socket file to use for authentication."; };
@@ -173,10 +174,7 @@ in createDatabase = mkOption { type = types.bool; default = true; - description = '' Whether to create a local postgresql database automatically. This only applies if database type "postgres" is selected. ''; + description = "Whether to create a local database automatically."; }; };
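Review bot: `defaultText = "null"` no longer matches the default: the added `default` expression yields "/run/postgresql" or "/run/mysqld/mysqld.sock" whenever createDatabase is true, so the generated option documentation would show a default the module does not actually use. Suggest `defaultText = ''if database.createDatabase then "/run/postgresql" or "/run/mysqld/mysqld.sock" (by database.type) else null'';` so a reader can see that enabling createDatabase switches the connection to the local unix socket. The enclosing `database` option set starts before this hunk.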
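Review bot: The shortened description of `createDatabase` under-documents what the option now does: in this commit it also enables the local postgresql or mysql server, makes the server's unix socket the default `database.socket`, and (per the assertion added further down in this commit) requires `database.user` to equal `services.gitea.user`. Suggest `description = "Whether to create a local database automatically. This enables the local database server, connects to it over its unix socket and requires database.user to equal services.gitea.user.";` so those side effects are visible in the manual rather than only in the module body.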
@@ -277,7 +275,34 @@ in }; config = mkIf cfg.enable { - services.postgresql.enable = mkIf usePostgresql (mkDefault true); + assertions = [ + { assertion = cfg.database.createDatabase -> cfg.database.user == cfg.user; + message = "services.gitea.database.user must match services.gitea.user if the database is to be automatically provisioned"; + } + ]; + + services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) { + enable = mkDefault true; + + ensureDatabases = [ cfg.database.name ]; + ensureUsers = [ + { name = cfg.database.user; + ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; }; + } + ]; + }; + + services.mysql = optionalAttrs (useMysql && cfg.database.createDatabase) { + enable = mkDefault true; + package = mkDefault pkgs.mariadb; + + ensureDatabases = [ cfg.database.name ]; + ensureUsers = [ + { name = cfg.database.user; + ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; }; + } + ]; + }; systemd.services.gitea = { description = "gitea";
@@ -331,22 +356,6 @@ in then sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${gitea.bin}/bin/gitea,g' ${cfg.stateDir}/.ssh/authorized_keys fi - '' + optionalString (usePostgresql && cfg.database.createDatabase) '' - if ! test -e "${cfg.stateDir}/db-created"; then - echo "CREATE ROLE ${cfg.database.user} - WITH ENCRYPTED PASSWORD '$(head -n1 ${cfg.database.passwordFile})' - NOCREATEDB NOCREATEROLE LOGIN" | - ${pkgs.sudo}/bin/sudo -u ${pg.superUser} ${pg.package}/bin/psql - ${pkgs.sudo}/bin/sudo -u ${pg.superUser} \ - ${pg.package}/bin/createdb \ - --owner=${cfg.database.user} \ - --encoding=UTF8 \ - --lc-collate=C \ - --lc-ctype=C \ - --template=template0 \ - ${cfg.database.name} - touch "${cfg.stateDir}/db-created" - fi '' + '' chown ${cfg.user} -R ${cfg.stateDir} '';
-- cgit v1.2.3
From 9d251d8b21229c1bc307d87e3258e90bdf0968bb Mon Sep 17 00:00:00 2001
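Review bot: Nothing in the new `ensureUsers` entries sets a password on the provisioned role, whereas the preStart removed in the next hunk created it `WITH ENCRYPTED PASSWORD` from `database.passwordFile`; as far as this hunk shows, the role can presumably only authenticate over the unix socket, yet `database.password`/`database.passwordFile` are still accepted and silently unused. A deployment that keeps createDatabase (the default) but overrides `database.socket = null` to connect via `host`/`port` would get a role it cannot authenticate as, with no evaluation-time signal; suggest adding `{ assertion = cfg.database.createDatabase -> cfg.database.socket != null; message = "services.gitea.database.socket must be set when the database is provisioned automatically, as the created role has no password"; }` to the assertion list. A why-comment on `package = mkDefault pkgs.mariadb;` (presumably chosen because the provisioning relies on socket authentication) would also help the next maintainer, e.g. `# mariadb is the default because ensureUsers provisions a socket-authenticated account`.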
From: Aaron Andersen
Date: Wed, 22 May 2019 21:07:08 -0400
Subject: nixos/gitea: define a gitea group to avoid "nogroup" ownership
---
nixos/modules/services/misc/gitea.nix | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'nixos/modules/services')
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index 5f654230bf4c..b3b7ec10e6ea 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -304,6 +304,10 @@ in ]; }; + systemd.tmpfiles.rules = [ + "Z '${cfg.stateDir}' - ${cfg.user} gitea - -" + ]; + systemd.services.gitea = { description = "gitea"; after = [ "network.target" ] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service";
@@ -363,6 +367,7 @@ in serviceConfig = { Type = "simple"; User = cfg.user; + Group = "gitea"; WorkingDirectory = cfg.stateDir; PermissionsStartOnly = true; ExecStart = "${gitea.bin}/bin/gitea web";
@@ -376,15 +381,18 @@ in }; }; - users = mkIf (cfg.user == "gitea") { - users.gitea = { + users.users = mkIf (cfg.user == "gitea") { + gitea = { description = "Gitea Service"; home = cfg.stateDir; createHome = true; useDefaultShell = true; + group = "gitea"; }; }; + users.groups.gitea = {}; + warnings = optional (cfg.database.password != "") ''config.services.gitea.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead.'';
-- cgit v1.2.3
From 7145cf224c3eb45985d9bfc483c9e13c16fdaa91 Mon Sep 17 00:00:00 2001
From: Aaron Andersen
Date: Wed, 22 May 2019 21:17:59 -0400
Subject: nixos/gitea: replace deprecated usage of PermissionsStartOnly see #53852
---
nixos/modules/services/misc/gitea.nix | 25 +++++++++----------------
1 file changed, 9 insertions(+), 16 deletions(-)
(limited to 'nixos/modules/services')
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index b3b7ec10e6ea..7daa2dd0d4cc 100644
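Review bot: The new `Z` rule recursively re-owns everything below `${cfg.stateDir}` to `${cfg.user}:gitea` each time systemd-tmpfiles runs, which includes any repositories kept under the state directory, and the hunk gives no hint that this is a migration away from the previous `nogroup` ownership. Suggest a comment above the rule, `# Z recursively fixes ownership of state created before the gitea group existed`, and a check with the maintainers on whether a recursive chown on every activation of a possibly large repository tree is acceptable versus a one-off fix. The group is hard-coded as `gitea` while the owner is `cfg.user`, which is consistent with the `Group = "gitea"` added in this commit's second hunk and the unconditional `users.groups.gitea = {};` in its third.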
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -305,7 +305,15 @@ in }; systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' - ${cfg.user} gitea - -" + "d '${cfg.stateDir}/conf' - ${cfg.user} gitea - -" + "d '${cfg.stateDir}/custom/conf' - ${cfg.user} gitea - -" + "d '${cfg.repositoryRoot}' - ${cfg.user} gitea - -" "Z '${cfg.stateDir}' - ${cfg.user} gitea - -" + + # If we have a folder or symlink with gitea locales, remove it + # And symlink the current gitea locales in place + "L+ '${cfg.stateDir}/conf/locale' - - - - ${gitea.out}/locale" ]; systemd.services.gitea = {
@@ -318,12 +326,8 @@ in runConfig = "${cfg.stateDir}/custom/conf/app.ini"; secretKey = "${cfg.stateDir}/custom/conf/secret_key"; in '' - # Make sure that the stateDir exists, as well as the conf dir in there - mkdir -p ${cfg.stateDir}/conf - # copy custom configuration and generate a random secret key if needed ${optionalString (cfg.useWizard == false) '' - mkdir -p ${cfg.stateDir}/custom/conf cp -f ${configFile} ${runConfig} if [ ! -e ${secretKey} ]; then
@@ -338,7 +342,6 @@ in chmod 640 ${runConfig} ${secretKey} ''} - mkdir -p ${cfg.repositoryRoot} # update all hooks' binary paths HOOKS=$(find ${cfg.repositoryRoot} -mindepth 4 -maxdepth 6 -type f -wholename "*git/hooks/*") if [ "$HOOKS" ]
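Review bot: The new `d` rules leave the mode column as `-`, so `${cfg.stateDir}/conf` and `${cfg.stateDir}/custom/conf` are created with the tmpfiles default directory mode (0755) even though the preStart in the next hunk tightens `app.ini` and `secret_key` to 640; the directory holding the database credentials and the secret key is therefore listable by every local user. Suggest `"d '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} gitea - -"` and `"d '${cfg.stateDir}/conf' 0750 ${cfg.user} gitea - -"`, leaving the top-level state directory as is if other services need to traverse it. The `L+` rule correctly replaces the removed `rm -r`/`ln -s` pair, but its two comment lines read as one thought split in two; `# Replace any existing conf/locale directory or symlink with the current gitea locales` says it in one.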
@@ -348,20 +351,12 @@ in sed -ri 's,/nix/store/[a-z0-9.-]+/bin/bash,${pkgs.bash}/bin/bash,g' $HOOKS sed -ri 's,/nix/store/[a-z0-9.-]+/bin/perl,${pkgs.perl}/bin/perl,g' $HOOKS fi - # If we have a folder or symlink with gitea locales, remove it - if [ -e ${cfg.stateDir}/conf/locale ] - then - rm -r ${cfg.stateDir}/conf/locale - fi - # And symlink the current gitea locales in place - ln -s ${gitea.out}/locale ${cfg.stateDir}/conf/locale + # update command option in authorized_keys if [ -r ${cfg.stateDir}/.ssh/authorized_keys ] then sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${gitea.bin}/bin/gitea,g' ${cfg.stateDir}/.ssh/authorized_keys fi - '' + '' - chown ${cfg.user} -R ${cfg.stateDir} '';
@@ -369,7 +364,6 @@ in User = cfg.user; Group = "gitea"; WorkingDirectory = cfg.stateDir; - PermissionsStartOnly = true; ExecStart = "${gitea.bin}/bin/gitea web"; Restart = "always"; };
@@ -385,7 +379,6 @@ in gitea = { description = "Gitea Service"; home = cfg.stateDir; - createHome = true; useDefaultShell = true; group = "gitea"; };
-- cgit v1.2.3