From a6a9e3188d395bec217ae4f2c51af1a415da0960 Mon Sep 17 00:00:00 2001 From: Scott Worley Date: Wed, 16 Sep 2020 08:23:15 -0700 Subject: nixos/tests/spacecookie: Use curl --fail --- nixos/tests/spacecookie.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'nixos/tests/spacecookie.nix') diff --git a/nixos/tests/spacecookie.nix b/nixos/tests/spacecookie.nix index 6eff32a2e75..5b5022a7427 100644 --- a/nixos/tests/spacecookie.nix +++ b/nixos/tests/spacecookie.nix @@ -32,7 +32,7 @@ in ${gopherHost}.wait_for_unit("spacecookie.service") client.wait_for_unit("network.target") - fileResponse = client.succeed("curl -s gopher://${gopherHost}//${fileName}") + fileResponse = client.succeed("curl -f -s gopher://${gopherHost}//${fileName}") # the file response should return our created file exactly if not (fileResponse == "${fileContent}\n"): @@ -41,7 +41,7 @@ in # sanity check on the directory listing: we serve a directory and a file # via gopher, so the directory listing should have exactly two entries, # one with gopher file type 0 (file) and one with file type 1 (directory). - dirResponse = client.succeed("curl -s gopher://${gopherHost}") + dirResponse = client.succeed("curl -f -s gopher://${gopherHost}") dirEntries = [l[0] for l in dirResponse.split("\n") if len(l) > 0] dirEntries.sort() -- cgit 1.4.1 From 8abd77c8118c10702d7226379649a2e63d922d5c Mon Sep 17 00:00:00 2001 
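Review bot: The `-f` added to both `curl` calls (the `fileResponse` line in this hunk and the `dirResponse` line in the second hunk) is documented by curl as an HTTP option, so for `gopher://` URLs it is not expected to turn a server-side error into a non-zero exit; gopher reports errors in-band as type `3` items. The test therefore still depends on its content checks: the exact comparison of `fileResponse` covers the file, and the directory check should reject any entry type other than `0` and `1`, which cannot be confirmed here because that comparison lies outside the hunk. A comment such as `# curl -f is HTTP-only; gopher errors are in-band (type 3) and must be caught by the checks below` would keep a reader from trusting the exit status.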
From: sternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org> Date: Mon, 28 Dec 2020 00:16:26 +0100 Subject: nixos/tests/spacecookie: refactor * Use proper gopher urls * The client vms name is also controlled in a single place now * fileContent holds the precise file content now * wait for the spacecookie unit instead of the port * avoids sending an empty request * since spacecookie is a notify service it only is fully started when the socket has been set up. --- nixos/tests/spacecookie.nix | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) (limited to 'nixos/tests/spacecookie.nix') diff --git a/nixos/tests/spacecookie.nix b/nixos/tests/spacecookie.nix index 5b5022a7427..d3411da8e92 100644 --- a/nixos/tests/spacecookie.nix +++ b/nixos/tests/spacecookie.nix @@ -1,8 +1,9 @@ let - gopherRoot = "/tmp/gopher"; - gopherHost = "gopherd"; - fileContent = "Hello Gopher!"; - fileName = "file.txt"; + gopherRoot = "/tmp/gopher"; + gopherHost = "gopherd"; + gopherClient = "client"; + fileContent = "Hello Gopher!\n"; + fileName = "file.txt"; in import ./make-test-python.nix ({...}: { name = "spacecookie"; @@ -12,7 +13,7 @@ in systemd.services.spacecookie = { preStart = '' mkdir -p ${gopherRoot}/directory - echo "${fileContent}" > ${gopherRoot}/${fileName} + printf "%s" "${fileContent}" > ${gopherRoot}/${fileName} ''; }; 
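Review bot: `fileContent` is now pasted unescaped into two quoted literals: the shell word in `printf "%s" "${fileContent}"` in the `preStart` hunk, and the Python string in the `fileResponse` comparison of the following testScript hunk, where only `\n` is escaped. With the current constant that is fine, but a later value containing `"`, `\`, `$` or a backtick would be rewritten by the shell or break the Python literal, and the test would fail or compare the wrong bytes. A comment at the definition would record the constraint, e.g. `# must not contain ", \, $ or backticks: interpolated unescaped into shell and Python below`.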
@@ -23,25 +24,27 @@ in }; }; - client = {}; + ${gopherClient} = {}; }; testScript = '' start_all() - ${gopherHost}.wait_for_open_port(70) + + # with daemon type notify, the unit being started + # should also mean the port is open ${gopherHost}.wait_for_unit("spacecookie.service") - client.wait_for_unit("network.target") + ${gopherClient}.wait_for_unit("network.target") - fileResponse = client.succeed("curl -f -s gopher://${gopherHost}//${fileName}") + fileResponse = ${gopherClient}.succeed("curl -f -s gopher://${gopherHost}/0/${fileName}") # the file response should return our created file exactly - if not (fileResponse == "${fileContent}\n"): + if not (fileResponse == "${builtins.replaceStrings [ "\n" ] [ "\\n" ] fileContent}"): raise Exception("Unexpected file response") # sanity check on the directory listing: we serve a directory and a file # via gopher, so the directory listing should have exactly two entries, # one with gopher file type 0 (file) and one with file type 1 (directory). - dirResponse = client.succeed("curl -f -s gopher://${gopherHost}") + dirResponse = ${gopherClient}.succeed("curl -f -s gopher://${gopherHost}") dirEntries = [l[0] for l in dirResponse.split("\n") if len(l) > 0] dirEntries.sort() -- cgit 1.4.1 From d1f57cbaf02be1ea3434563446c417ef98748568 Mon Sep 17 00:00:00 2001 From: sternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org> Date: Wed, 10 Mar 2021 21:56:11 +0100 Subject: nixos/spacecookie: add openFirewall option Convenience shortcut which automatically configures the firewall to open the port which is also configured for the spacecookie service. --- nixos/modules/services/networking/spacecookie.nix | 15 +++++++++++++-- nixos/tests/spacecookie.nix | 2 +- 2 files changed, 14 insertions(+), 3 deletions(-) (limited to 'nixos/tests/spacecookie.nix') diff --git a/nixos/modules/services/networking/spacecookie.nix b/nixos/modules/services/networking/spacecookie.nix index 4ddb137876d..adba0fbfbf2 100644 
--- a/nixos/modules/services/networking/spacecookie.nix +++ b/nixos/modules/services/networking/spacecookie.nix @@ -37,12 +37,19 @@ in { ''; }; + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open the necessary port in the firewall for spacecookie. + ''; + }; + port = mkOption { type = types.port; default = 70; description = '' - Port the gopher service should be exposed on. The - firewall is not opened automatically. + Port the gopher service should be exposed on. ''; }; @@ -100,5 +107,9 @@ in { RestrictAddressFamilies = "AF_UNIX AF_INET6"; }; }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + }; }; } diff --git a/nixos/tests/spacecookie.nix b/nixos/tests/spacecookie.nix index d3411da8e92..19db520984b 100644 --- a/nixos/tests/spacecookie.nix +++ b/nixos/tests/spacecookie.nix @@ -9,7 +9,6 @@ in name = "spacecookie"; nodes = { ${gopherHost} = { - networking.firewall.allowedTCPPorts = [ 70 ]; systemd.services.spacecookie = { preStart = '' mkdir -p ${gopherRoot}/directory @@ -21,6 +20,7 @@ in enable = true; root = gopherRoot; hostname = gopherHost; + openFirewall = true; }; }; -- cgit 1.4.1 From 76583ee81a1a2d1c8f467fd0c509bc7b4b79f17c Mon Sep 17 00:00:00 2001 
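Review bot: The new `openFirewall` description does not say how wide the opening is: `allowedTCPPorts = [ cfg.port ]` in the second hunk admits the port on every interface, so enabling it exposes the whole served gopher root, without authentication, to any network the host is attached to. The default of `false` is the right choice, but I would make the scope explicit in the description, e.g. `Whether to open the configured port in the firewall on all interfaces.`, and point to the per-interface `networking.firewall.interfaces` options for narrower exposure. The test-file hunks that switch to `openFirewall = true` need no change.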
From: sternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org> Date: Wed, 10 Mar 2021 22:12:36 +0100 Subject: nixos/spacecookie: convert into settings-style freeform configuration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Move `hostname` and `root` into a settings submodule with a freeform type, allowing users to also use options not known to the NixOS service. Compatibility with a warning for the renamed options is also trivial to achieve. * `port` stays where it is as we don't actually use the `port` option of spacecookie to set up the socket, but only to inform spacecookie about the port we have set in the `systemd.socket` file, this makes more sense. Additionally the configuration of the listening port and address change in the next spacecookie release — we can dodge this issue altogether by doing our own thing, but I'm interested to hear opinions on this. To ensure that this is not misconfigured, we add an assertion for the port option. * Add an assertion for `user` in settings which has no effect the way we are starting spacecookie as it wouldn't be able to call setuid. The message also explains how a specific user can be used with spacecookie if desired. --- nixos/modules/services/networking/spacecookie.nix | 92 +++++++++++++++++------ nixos/tests/spacecookie.nix | 6 +- 2 files changed, 75 insertions(+), 23 deletions(-) (limited to 'nixos/tests/spacecookie.nix') diff --git a/nixos/modules/services/networking/spacecookie.nix b/nixos/modules/services/networking/spacecookie.nix index 4b908eee054..ecac401b728 100644 --- a/nixos/modules/services/networking/spacecookie.nix +++ b/nixos/modules/services/networking/spacecookie.nix 
@@ -4,10 +4,20 @@ with lib; let cfg = config.services.spacecookie; - configFile = pkgs.writeText "spacecookie.json" (lib.generators.toJSON {} { - inherit (cfg) hostname port root; - }); + + spacecookieConfig = { + inherit (cfg) port; + } // cfg.settings; + + format = pkgs.formats.json {}; + + configFile = format.generate "spacecookie.json" spacecookieConfig; + in { + imports = [ + (mkRenamedOptionModule [ "services" "spacecookie" "root" ] [ "services" "spacecookie" "settings" "root" ]) + (mkRenamedOptionModule [ "services" "spacecookie" "hostname" ] [ "services" "spacecookie" "settings" "hostname" ]) + ]; options = { @@ -27,16 +37,6 @@ in { ''; }; - hostname = mkOption { - type = types.str; - default = "localhost"; - description = '' - The hostname the service is reachable via. Clients - will use this hostname for further requests after - loading the initial gopher menu. - ''; - }; - openFirewall = mkOption { type = types.bool; default = false; @@ -53,14 +53,6 @@ in { ''; }; - root = mkOption { - type = types.path; - default = "/srv/gopher"; - description = '' - The root directory spacecookie serves via gopher. - ''; - }; - address = mkOption { type = types.str; default = "[::]"; 
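Review bot: In `spacecookieConfig = { inherit (cfg) port; } // cfg.settings;` the right-hand operand of `//` wins on duplicate keys, so a `port` key in the freeform `settings` would replace the module's port in the generated JSON; only the assertion added further down in this commit prevents that. Reversing the operands, `spacecookieConfig = cfg.settings // { inherit (cfg) port; };`, keeps the module's value authoritative even if the assertion is later relaxed or removed. A short comment such as `# port always comes from cfg.port, never from settings` would explain the order.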
@@ -70,10 +62,68 @@ in { systemd.socket(5). ''; }; + + settings = mkOption { + type = types.submodule { + freeformType = format.type; + + options.hostname = mkOption { + type = types.str; + default = "localhost"; + description = '' + The hostname the service is reachable via. Clients + will use this hostname for further requests after + loading the initial gopher menu. + ''; + }; + + options.root = mkOption { + type = types.path; + default = "/srv/gopher"; + description = '' + The directory spacecookie should serve via gopher. + Files in there need to be world-readable since + the spacecookie service file sets + DynamicUser=true. + ''; + }; + }; + + description = '' + Settings for spacecookie. The settings set here are + directly translated to the spacecookie JSON config + file. See the + spacecookie documentation + for explanations of all options. + ''; + }; }; }; config = mkIf cfg.enable { + assertions = [ + { + assertion = !(cfg.settings ? user); + message = '' + spacecookie is started as a normal user, so the setuid + feature doesn't work. If you want to run spacecookie as + a specific user, set: + systemd.services.spacecookie.serviceConfig = { + DynamicUser = false; + User = "youruser"; + Group = "yourgroup"; + } + ''; + } + { + assertion = !(cfg.settings ? port); + message = '' + The NixOS spacecookie module uses socket activation, + so the port option has no effect. Use the port option + in services.spacecookie instead. + ''; + } + ]; systemd.sockets.spacecookie = { description = "Socket for the Spacecookie Gopher Server"; diff --git a/nixos/tests/spacecookie.nix b/nixos/tests/spacecookie.nix index 19db520984b..a640657d8a6 100644 --- a/nixos/tests/spacecookie.nix +++ b/nixos/tests/spacecookie.nix @@ -18,9 +18,11 @@ in services.spacecookie = { enable = true; - root = gopherRoot; - hostname = gopherHost; openFirewall = true; + settings = { + root = gopherRoot; + hostname = gopherHost; + }; }; }; -- cgit 1.4.1
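Review bot: The `user` assertion message recommends `DynamicUser = false` without mentioning that systemd's `DynamicUser=` also implies sandboxing (`ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp`, `NoNewPrivileges`, `RestrictSUIDSGID`). A user who follows it may end up with a less confined network-facing daemon unless the unit sets those explicitly; the rest of `serviceConfig` is outside this hunk, so that cannot be checked here. I would append a line to the message, e.g. `Disabling DynamicUser also drops the sandboxing it implies; set ProtectSystem, PrivateTmp etc. explicitly.` The example attribute set in the message is also missing its closing `;` after `}`, so it fails when pasted verbatim.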