
fusion: init at 0.8.9 #353616

Open. Wants to merge 3 commits into base: master

Conversation

@pluiedev pluiedev (Contributor) commented Nov 4, 2024

Fixes #353330

~~Would probably be nice to add a NixOS module too~~ Done

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Nov 4, 2024
@ofborg ofborg bot added 8.has: package (new) This PR adds a new package 11.by: package-maintainer This PR was created by the maintainer of the package it changes 10.rebuild-darwin: 1-10 10.rebuild-darwin: 1 10.rebuild-linux: 1-10 labels Nov 5, 2024
@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/4802

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/4819

@KiaraGrouwstra (Contributor)

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 353616


x86_64-linux

⏩ 2 packages blacklisted:
  • nixos-install-tools
  • tests.nixos-functions.nixos-test
✅ 1 package built:
  • fusion

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-already-reviewed/2617/2109

@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Nov 10, 2024
@h7x4 h7x4 added 8.has: module (new) This PR adds a module in `nixos/` 8.has: tests This PR has tests labels Nov 11, 2024
pkgs/by-name/fu/fusion/package.nix (resolved review thread)
};

script = ''
export PASSWORD=$(cat $CREDENTIALS_DIRECTORY/fusion)
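Review bot: `export PASSWORD=$(cat $CREDENTIALS_DIRECTORY/fusion)` masks the exit status of `cat`, so the service would start with an empty PASSWORD if the credential were missing, and it leaves `$CREDENTIALS_DIRECTORY` unquoted. Assign and export in two steps and let bash read the file itself so no child process is spawned: `PASSWORD="$(< "$CREDENTIALS_DIRECTORY"/fusion)"` followed by `export PASSWORD`. Note that only the directory path, never the secret, would have appeared in `cat`'s argv anyway.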
Member

Isn't this exposing the password in ps?

@pluiedev pluiedev (Contributor Author) Nov 12, 2024

I don't think so? This is run in a run script that's only run by the systemd user, and $CREDENTIALS_DIRECTORY isn't visible anywhere else (see systemd docs).

It's not optimal, but you can argue that a program that's designed to only source its password from an unencrypted environment variable is already unsafe anyway if you have security concerns 🤷🏼‍♀️

Member

This is used as an example in the upstream docs:

> In order to reference the path a credential may be read from within a ExecStart= command line use "${CREDENTIALS_DIRECTORY}/mycred", e.g. "ExecStart=cat ${CREDENTIALS_DIRECTORY}/mycred"

But next they also give an example of

> In order to reference the path a credential may be read from within a Environment= line use "%d/mycred", e.g. "Environment=MYCREDPATH=%d/mycred".

That may be better to apply here rather than doing it in the script -- assuming it works

@pluiedev pluiedev (Contributor Author) Dec 9, 2024

The thing is that fusion doesn't expect a path to the credential, but the whole plain password itself. This is why I mentioned that honestly wanting any amount of actual security on this thing is somewhat futile since it only works with plain passwords 100% visible and readable as an environment variable

See 0x2E/fusion#32

Member

> This is why I mentioned that honestly wanting any amount of actual security on this thing is somewhat futile since it only works with plain passwords 100% visible and readable as an environment variable

I wouldn't say it's that bad, as this environment variable is at least scoped to the service script (compared to ps info being available globally on many machines)

I don't think this would actually make the secret's contents appear in ps though, only the directory -- which doesn't matter as it should have restricted perms. If we really want to avoid cat though, we could use this instead

PASSWORD="$(< "$CREDENTIALS_DIRECTORY"/fusion)"
export PASSWORD
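A runnable illustration of the in-process read discussed above, added here as an example and not code from the PR or from fusion: it loads a credential from $CREDENTIALS_DIRECTORY with the shell's own read builtin (no cat, no child process), fails closed when the directory, the file or its contents are missing, and only then exports the variable. The load_credential function and the temporary directory standing in for systemd's private credentials directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the nixpkgs PR): load a systemd-style credential from
# $CREDENTIALS_DIRECTORY into an exported variable without spawning a process.

load_credential() {
  # $1: credential name (left side of LoadCredential=name:path)
  # $2: name of the environment variable to export
  dir="${CREDENTIALS_DIRECTORY:-}"
  if [ -z "$dir" ]; then
    echo "CREDENTIALS_DIRECTORY is not set; is LoadCredential= configured?" >&2
    return 1
  fi
  file="$dir/$1"
  if [ ! -r "$file" ]; then
    echo "credential '$1' is not readable at $file" >&2
    return 1
  fi
  # read is a shell builtin: no child process, so neither the path nor the
  # secret ever becomes an argv entry. IFS= and -r keep the line verbatim.
  # read returns 1 when the file lacks a trailing newline; value is still set.
  value=""
  IFS= read -r value < "$file" || true
  if [ -z "$value" ]; then
    echo "credential '$1' is empty" >&2
    return 1
  fi
  export "$2=$value"
  unset dir file value
}

# Constructed stand-in for systemd's private credentials directory (assumption).
demo_dir="$(mktemp -d)"
chmod 700 "$demo_dir"
printf 'constructed-demo-password\n' > "$demo_dir/fusion"
chmod 400 "$demo_dir/fusion"
CREDENTIALS_DIRECTORY="$demo_dir"
export CREDENTIALS_DIRECTORY

load_credential fusion PASSWORD && echo "PASSWORD loaded (${#PASSWORD} bytes)"
```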

Comment on lines +38 to +61
tls = lib.mkOption {
type = lib.types.nullOr (
lib.types.submodule {
options = {
cert = lib.mkOption {
type = lib.types.path;
description = "Path to TLS certificate";
};
key = lib.mkOption {
type = lib.types.path;
description = "Path to TLS key";
};
};
}
);
default = null;
description = ''
The paths to the TLS certificate and key files for Fusion.

If these options are set, then Fusion can only be accessed through a secure
TLS connection. If you are using a reverse proxy like Nginx to handle HTTPS,
please leave these unset.
'';
};
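Review bot: `key` is typed `lib.types.path`, which also accepts a Nix path literal such as `./fusion.key`; a user writing that would have the private key copied into the world-readable Nix store. Either state in the description that `cert` and `key` must point outside the store (a string path such as `/var/lib/...` or a file provided by a secrets tool), or follow the usual nixpkgs convention for secret files and type `key` as `lib.types.str`. The description could also mention that the files are bind-mounted read-only into the service sandbox, since the module adds them to `BindReadOnlyPaths` when `cfg.tls` is set.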
Member

Not sure if we just want to use nginx here all the time or wire this into acme directly.

Contributor Author

We're not using Nginx? I'm just saying that if you are using a reverse proxy, for example with Nginx, then you need to leave these unset following upstream instructions

Member

I believe this may have more been of a recommendation to use Nginx over this, as most modules will do that over exposing TLS cert options like this and accessing services directly

I think it could be a good addition here as well, but not a blocker by any means

Contributor Author

I'm not exactly familiar with Nginx 🤦🏼‍♀️ Is there an example I can look at?

Member

pixelfed uses this well. A minimal example would be

{
  options.myService = {
    # ...
    domain = lib.mkOption {
      type = lib.types.str;
      description = "FQDN for myService";
      example = "my-service.example.org";
    };

    nginx = lib.mkOption {
      type = lib.types.nullOr (
        lib.types.submodule (import ../web-servers/nginx/vhost-options.nix { inherit config lib; })
      );
      default = { };
      example = lib.literalExpression ''
        {
          enableACME = true;
          forceSSL = true;
        }
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # ...
    services.nginx = lib.mkIf (cfg.nginx != null) {
      enable = lib.mkDefault true;

      virtualHosts.${cfg.domain} = lib.mkMerge [
        {
          some = "nice";
          defaults = [
            "if"
            "any"
          ];
        }
        cfg.nginx
      ];
    };
  };
}

@getchoo getchoo (Member) left a comment

Let me know if the Environment= alternative to the credential loading works. If not, everything else here looks good and I'd be willing to merge


@getchoo getchoo (Member) left a comment

Almost missed this :p

pkgs/by-name/fu/fusion/package.nix (outdated, resolved review thread)
@wegank wegank removed the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Dec 9, 2024
++ lib.optionals (cfg.tls != null) [
cfg.tls.cert
cfg.tls.key
];

Thanks for packaging this, @pluiedev!

I tested this on my system, and the systemd hardening seems to prevent fusion from making outbound HTTP connections to RSS feeds.

I was able to fix it by adding this:

BindReadOnlyPaths = [
  builtins.storeDir
  "/etc/ssl/certs"
  "/etc/resolv.conf"
  "/etc/nsswitch.conf"
  "/etc/hosts"
  "${pkgs.fusion}"
  "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
] ++ lib.optionals (cfg.tls != null) [
  cfg.tls.cert
  cfg.tls.key
];
Environment = [
  "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
  "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
];

nativeBuildInputs = prev.nativeBuildInputs ++ [ mockgen ];

preBuild = ''
go generate ./...

As of 0.8.11, this is no longer needed (see 0x2E/fusion@d6194e3)

Successfully merging this pull request may close these issues: Package request: fusion

8 participants