authorJörg Thalheim <Mic92@users.noreply.github.com>2021-12-03 17:50:27 +0000
committerGitHub <noreply@github.com>2021-12-03 17:50:27 +0000
commit99c916dd8eef8e63a54defe1eab0b821add4392f (patch)
treef854fa8a97f9aada14cd195deb69b9e386917bf4
parent2df15ba83d0510a56f2583fd3481723835acb5a1 (diff)
parentd87d5731d5bcd495d7a4087949b0fbec4841b972 (diff)
Merge pull request #148201 from Artturin/nixservesecret
nix-serve: fix NIX_SECRET_KEY_FILE
-rw-r--r--nixos/modules/services/networking/nix-serve.nix14
-rw-r--r--nixos/tests/all-tests.nix4
-rw-r--r--nixos/tests/nix-serve-ssh.nix (renamed from nixos/tests/nix-ssh-serve.nix)2
-rw-r--r--pkgs/tools/package-management/nix-serve/default.nix5
4 files changed, 16 insertions, 9 deletions
diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix
index 7fc145f2303..390f0ddaee8 100644
--- a/nixos/modules/services/networking/nix-serve.nix
+++ b/nixos/modules/services/networking/nix-serve.nix
@@ -37,8 +37,6 @@ in
           nix-store --generate-binary-cache-key key-name secret-key-file public-key-file
           ```
 
-          Make sure user `nix-serve` has read access to the private key file.
-
           For more details see <citerefentry><refentrytitle>nix-store</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
         '';
       };
@@ -61,16 +59,22 @@ in
 
       path = [ config.nix.package.out pkgs.bzip2.bin ];
       environment.NIX_REMOTE = "daemon";
-      environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile;
+
+      script = ''
+        ${lib.optionalString (cfg.secretKeyFile != null) ''
+          export NIX_SECRET_KEY_FILE="$CREDENTIALS_DIRECTORY/NIX_SECRET_KEY_FILE"
+        ''}
+        exec ${pkgs.nix-serve}/bin/nix-serve --listen ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}
+      '';
 
       serviceConfig = {
         Restart = "always";
         RestartSec = "5s";
-        ExecStart = "${pkgs.nix-serve}/bin/nix-serve " +
-          "--listen ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}";
         User = "nix-serve";
         Group = "nix-serve";
         DynamicUser = true;
+        LoadCredential = lib.optionalString (cfg.secretKeyFile != null)
+          "NIX_SECRET_KEY_FILE:${cfg.secretKeyFile}";
       };
     };
   };
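Review bot: `"NIX_SECRET_KEY_FILE:${cfg.secretKeyFile}"` in `serviceConfig.LoadCredential` interpolates the option value into a string, so if a caller passes a Nix path literal rather than a string, the signing key would be copied into the world-readable store and the credential would point at that copy. The option's type is declared outside this hunk, so this may already be prevented. Because the same commit drops the read-access sentence from the option description, I would replace it with a line such as `The file is loaded by systemd through LoadCredential, so it may be readable by root only; give it as a string path outside the Nix store.` Separately, `lib.optionalString` leaves an empty `LoadCredential=` assignment in the unit when no key is configured; `LoadCredential = lib.mkIf (cfg.secretKeyFile != null) "NIX_SECRET_KEY_FILE:${cfg.secretKeyFile}";` would omit the setting instead.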
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 6677e9d093b..1ff1b8d5864 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -315,8 +315,8 @@ in
   nginx-sso = handleTest ./nginx-sso.nix {};
   nginx-variants = handleTest ./nginx-variants.nix {};
   nitter = handleTest ./nitter.nix {};
-  nix-serve = handleTest ./nix-ssh-serve.nix {};
-  nix-ssh-serve = handleTest ./nix-ssh-serve.nix {};
+  nix-serve = handleTest ./nix-serve.nix {};
+  nix-serve-ssh = handleTest ./nix-serve-ssh.nix {};
   nixops = handleTest ./nixops/default.nix {};
   nixos-generate-config = handleTest ./nixos-generate-config.nix {};
   node-red = handleTest ./node-red.nix {};
diff --git a/nixos/tests/nix-ssh-serve.nix b/nixos/tests/nix-serve-ssh.nix
index 03f83542c7c..1eb8d5b395b 100644
--- a/nixos/tests/nix-ssh-serve.nix
+++ b/nixos/tests/nix-serve-ssh.nix
@@ -35,7 +35,7 @@ in
 
        client.fail("diff /root/other-store$(cat mach-id-path) /etc/machine-id")
        # Currently due to shared store this is a noop :(
-       client.succeed("nix copy --to ssh-ng://nix-ssh@server $(cat mach-id-path)")
+       client.succeed("nix copy --experimental-features 'nix-command' --to ssh-ng://nix-ssh@server $(cat mach-id-path)")
        client.succeed(
            "nix-store --realise $(cat mach-id-path) --store /root/other-store --substituters ssh-ng://nix-ssh@server"
        )
diff --git a/pkgs/tools/package-management/nix-serve/default.nix b/pkgs/tools/package-management/nix-serve/default.nix
index 93e240ad346..d9faea9cea4 100644
--- a/pkgs/tools/package-management/nix-serve/default.nix
+++ b/pkgs/tools/package-management/nix-serve/default.nix
@@ -37,7 +37,10 @@ stdenv.mkDerivation {
                 --add-flags $out/libexec/nix-serve/nix-serve.psgi
   '';
 
-  passthru.tests.nix-serve = nixosTests.nix-serve;
+  passthru.tests = {
+    nix-serve = nixosTests.nix-serve;
+    nix-serve-ssh = nixosTests.nix-serve-ssh;
+  };
 
   meta = {
     homepage = "https://github.com/edolstra/nix-serve";