From 8b7845fee9097594ac84745a959528cae5dd0187 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?=
Date: Wed, 16 Mar 2022 10:22:25 +0100
Subject: [PATCH 1/4] pleroma: Potentially wrap binaries with RELEASE_COOKIE

Pleroma_ctl and pleroma depend on mix_release to run which itself depends on a RELEASE_COOKIE. It'll fail to run without such a cookie. Allowing the user to wrap this binary with a RELEASE_COOKIE. We don't set any by default, meaning this diff is no-op for the existing deployments relying on the pleroma package but not on the NixOS module.
---
 pkgs/servers/pleroma/default.nix | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/pkgs/servers/pleroma/default.nix b/pkgs/servers/pleroma/default.nix
index ec7de2ac57c..dd4025a76c0 100644
--- a/pkgs/servers/pleroma/default.nix
+++ b/pkgs/servers/pleroma/default.nix
@@ -1,7 +1,8 @@
 { lib, beamPackages
 , fetchFromGitHub, fetchFromGitLab
-, file, cmake
+, file, cmake, bash
 , nixosTests, writeText
+, cookieFile ? null
 , ... }:
 
 
@@ -17,6 +18,34 @@ beamPackages.mixRelease rec {
 sha256 = "sha256-RcqqNNNCR4cxETUCyjChkpq+cQ1QzNOHHzdqBLtOc6g=";
 };
 
+ preFixup = if (cookieFile != null) then ''
+ # There's no way to use a subprocess to cat the content of the
+ # file cookie using wrapProgram: it gets escaped (by design) with
+ # a pair of backticks :(
+ # We have to come up with our own custom wrapper to do this.
+ function wrapWithCookie () {
+ local hidden
+ hidden="$(dirname "$1")/.$(basename "$1")"-wrapped
+ while [ -e "$hidden" ]; do
+ hidden="''${hidden}_"
+ done
+ mv "$1" "''${hidden}"
+
+ cat > "$1" << EOF
+ #!${bash}/bin/bash
+ export RELEASE_COOKIE="\$(cat "${cookieFile}")"
+ exec -a "\$0" "''${hidden}" "\$@"
+ EOF
+ chmod +x "$1"
+ }
+
+ for f in "$out"/bin/*; do
+ if [[ -x "$f" ]]; then
+ wrapWithCookie "$f"
+ fi
+ done
+ '' else "";
+
 mixNixDeps = import ./mix.nix {
 inherit beamPackages lib;
 overrides = (final: prev: {
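Review bot: The wrapper written by the `cat > "$1" << EOF` heredoc in the second hunk never checks that the cookie could actually be read: if `cat` fails (unreadable or missing `${cookieFile}`) or the file is empty, the error goes to stderr only and the real binary is still exec'ed with an empty RELEASE_COOKIE, which is exactly the startup crash the fourth patch of this series has to work around. Because `export VAR="$(cmd)"` reports export's status rather than cat's, split the assignment and fail closed: `RELEASE_COOKIE="\$(cat "${cookieFile}")" || exit 1`, `[ -n "\$RELEASE_COOKIE" ] || { echo "empty release cookie: ${cookieFile}" >&2; exit 1; }`, `export RELEASE_COOKIE`. The shebang is pinned to `${bash}/bin/bash` but `cat` is resolved through the caller's PATH at run time; pinning it the same way (coreutils is not yet an input of this derivation) keeps the wrapper working in a minimal unit environment. Every wrapped binary now reads a secret off disk on each invocation, so the comment block above `function wrapWithCookie` should state that `cookieFile` is expected to be readable only by the service user, since the wrapper cannot enforce that itself. The enclosing `beamPackages.mixRelease rec { … }` set starts and ends outside the hunk.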
From 71d9048f72e4ec7afffbcd562f14d53714110522 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?=
Date: Wed, 16 Mar 2022 10:25:41 +0100
Subject: [PATCH 2/4] nixos/pleroma: inject release cookie path to the pleroma package

We inject the release cookie path to the pleroma derivation in order to wrap pleroma_ctl with it. Doing this allows us to remove the systemd-injected RELEASE_COOKIE path, which was sadly buggy (RELEASE_COOKIE should point to the *content* of the cookie, not the file containing it). We take advantage of this to factor out the cookie path.
---
 nixos/modules/services/networking/pleroma.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/nixos/modules/services/networking/pleroma.nix b/nixos/modules/services/networking/pleroma.nix
index 9b8382392c0..d94cfb17999 100644
--- a/nixos/modules/services/networking/pleroma.nix
+++ b/nixos/modules/services/networking/pleroma.nix
@@ -1,6 +1,7 @@
 { config, options, lib, pkgs, stdenv, ... }:
 let
 cfg = config.services.pleroma;
+ cookieFile = "/var/lib/pleroma/.cookie";
 in {
 options = {
 services.pleroma = with lib; {
@@ -8,7 +9,7 @@ in {
 
 package = mkOption {
 type = types.package;
- default = pkgs.pleroma;
+ default = pkgs.pleroma.override { inherit cookieFile; };
 defaultText = literalExpression "pkgs.pleroma";
 description = "Pleroma package to use.";
 };
@@ -100,7 +101,6 @@ in {
 after = [ "network-online.target" "postgresql.service" ];
 wantedBy = [ "multi-user.target" ];
 restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
- environment.RELEASE_COOKIE = "/var/lib/pleroma/.cookie";
 serviceConfig = {
 User = cfg.user;
 Group = cfg.group;
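Review bot: In the second hunk the `package` option's `defaultText` still reads `literalExpression "pkgs.pleroma"` while the default became `pkgs.pleroma.override { inherit cookieFile; }`, so the generated manual now documents a default that differs from the real one; change it to `defaultText = literalExpression ''pkgs.pleroma.override { cookieFile = "/var/lib/pleroma/.cookie"; }'';`. This matters more than a cosmetic mismatch because the third hunk drops `environment.RELEASE_COOKIE` from the unit: a user who sets `services.pleroma.package = pkgs.pleroma;` (or any package not built with `cookieFile`) now gets a release with no cookie at all, which per the first patch's description fails to run, and nothing in the module reports why. The option `description` should say so, e.g. `description = "Pleroma package to use. It must be built with cookieFile = \"/var/lib/pleroma/.cookie\" (as the default is), otherwise the release starts without a RELEASE_COOKIE.";`. The `services.pleroma` option set and the systemd service definition both continue outside these hunks.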
@@ -118,10 +118,10 @@ in {
 # Better be safe than sorry migration-wise.
 ExecStartPre = let preScript = pkgs.writers.writeBashBin "pleromaStartPre" ''
- if [ ! -f /var/lib/pleroma/.cookie ]
+ if [ ! -f "${cookieFile}" ]
 then
 echo "Creating cookie file"
- dd if=/dev/urandom bs=1 count=16 | hexdump -e '16/1 "%02x"' > /var/lib/pleroma/.cookie
+ dd if=/dev/urandom bs=1 count=16 | ${pkgs.hexdump}/bin/hexdump -e '16/1 "%02x"' > "${cookieFile}"
 fi
 ${cfg.package}/bin/pleroma_ctl migrate
 '';
From e7f6370701a3e65082e67cd0f9696bcd32c2e9ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?=
Date: Wed, 16 Mar 2022 10:40:25 +0100
Subject: [PATCH 3/4] nixosTests.pleroma: fix test, remove toot patch

It was originally impossible to login in toot without having an interactive shell. I opened https://github.com/ihabunek/toot/pull/180 upstream to fix that and fetch this patch for this test. The author decided to fix the issue using a slightly different approach at https://github.com/ihabunek/toot/commit/a3eb5dca24e3efa8f16ebcdc4b7d635dc9af03b7 Because of this upstream fix, our custom patch does not apply anymore. Using that stdin-based login upstream feature.
---
 nixos/tests/pleroma.nix | 20 ++------------------
 1 file changed, 2 insertions(+), 18 deletions(-)

diff --git a/nixos/tests/pleroma.nix b/nixos/tests/pleroma.nix
index bf3623fce38..90a9a251104 100644
--- a/nixos/tests/pleroma.nix
+++ b/nixos/tests/pleroma.nix
@@ -32,8 +32,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
 # system one. Overriding this pretty bad default behaviour.
 export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 
- export TOOT_LOGIN_CLI_PASSWORD="jamy-password"
- toot login_cli -i "pleroma.nixos.test" -e "jamy@nixos.test"
+ echo "jamy-password" | toot login_cli -i "pleroma.nixos.test" -e "jamy@nixos.test"
 echo "Login OK"
 
 # Send a toot then verify it's part of the public timeline
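Review bot: The `pleromaStartPre` script in the first hunk on this line has no error handling, so when the `${pkgs.hexdump}/bin/hexdump` stage of the `dd … | hexdump … > "${cookieFile}"` pipeline fails, the redirect has already created `${cookieFile}` empty and the script carries on to `pleroma_ctl migrate` as if a cookie had been generated; the fourth patch of this series then has to detect and regenerate such empty files after the fact. Putting `set -euo pipefail` on the script's first line makes the failed pipeline abort the unit with a visible error instead of silently proceeding (the empty file it leaves behind still needs the non-empty check the fourth patch adds). The redirect also creates the cookie with whatever umask the unit runs under, and this file is the Erlang distribution secret; create it owner-only, e.g. `(umask 077; dd if=/dev/urandom bs=1 count=16 | ${pkgs.hexdump}/bin/hexdump -e '16/1 "%02x"' > "${cookieFile}")`. The `let … in` binding preScript and the surrounding serviceConfig end outside the hunk.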
@@ -168,21 +167,6 @@ import ./make-test-python.nix ({ pkgs, ... }:
 cp key.pem cert.pem $out
 '';
 
- /* Toot is preventing users from feeding login_cli a password non
- interactively. While it makes sense most of the times, it's
- preventing us to login in this non-interactive test. This patch
- introduce a TOOT_LOGIN_CLI_PASSWORD env variable allowing us to
- provide a password to toot login_cli
-
- If https://github.com/ihabunek/toot/pull/180 gets merged at some
- point, feel free to remove this patch. */
- custom-toot = pkgs.toot.overrideAttrs(old:{
- patches = [ (pkgs.fetchpatch {
- url = "https://github.com/NinjaTrappeur/toot/commit/b4a4c30f41c0cb7e336714c2c4af9bc9bfa0c9f2.patch";
- sha256 = "sha256-0xxNwjR/fStLjjUUhwzCCfrghRVts+fc+fvVJqVcaFg=";
- }) ];
- });
-
 hosts = nodes: ''
 ${nodes.pleroma.config.networking.primaryIPAddress} pleroma.nixos.test
 ${nodes.client.config.networking.primaryIPAddress} client.nixos.test
@@ -194,7 +178,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
 security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ];
 networking.extraHosts = hosts nodes;
 environment.systemPackages = with pkgs; [
- custom-toot
+ toot
 send-toot
 ];
 };
From b205832efe0c92c58576ffe47851c90cd405ee4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?=
Date: Thu, 17 Mar 2022 13:21:56 +0100
Subject: [PATCH 4/4] nixos/pleroma: regenerate empty release cookie files

Since b9cfbcafdf0ca9573de1cdc06137c020e70e44a8, the lack of hexdump in the closure lead to the generation of empty cookie files. This empty cookie file is making pleroma to crash at startup now we correctly read it. We introduce a migration forcing these empty cookies to be re-generated to something not empty.
---
 nixos/modules/services/networking/pleroma.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/services/networking/pleroma.nix b/nixos/modules/services/networking/pleroma.nix
index d94cfb17999..c6d4c14dcb7 100644
--- a/nixos/modules/services/networking/pleroma.nix
+++ b/nixos/modules/services/networking/pleroma.nix
@@ -118,7 +118,7 @@ in {
 # Better be safe than sorry migration-wise.
 ExecStartPre = let preScript = pkgs.writers.writeBashBin "pleromaStartPre" ''
- if [ ! -f "${cookieFile}" ]
+ if [ ! -f "${cookieFile}" ] || [ ! -s "${cookieFile}" ]
 then
 echo "Creating cookie file"
 dd if=/dev/urandom bs=1 count=16 | ${pkgs.hexdump}/bin/hexdump -e '16/1 "%02x"' > "${cookieFile}"
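Review bot: The new condition `[ ! -f "${cookieFile}" ] || [ ! -s "${cookieFile}" ]` is redundant: `-s` is already false for a file that does not exist, so `if [ ! -s "${cookieFile}" ]` alone expresses "missing or empty" and is easier to read. A one-line comment above it would also help the next reader, since the reason is only in the commit message: `# Empty cookie files were produced by an earlier module version whose generator pipeline failed silently; regenerate them.`. Regenerating fixes the symptom, but the generator below this line still cannot fail loudly, so the same state can recur if the pipeline breaks again; that is raised on the second patch of this series. The `if` block and the preScript binding continue outside the hunk.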