nixos/forgejo: Small cleanups and service capability changes #306457
Conversation
|
Regarding #306457 (comment): See result of |
pyrox0
force-pushed
the
forgejo-module-ssh
branch
from
8feb221
to
b64884c
Compare
pyrox0
force-pushed
the
forgejo-module-ssh
branch
2 times, most recently
from
440b34c
to
357b7df
Compare
|
Had to rebase, CI should be green now. |
pyrox0
force-pushed
the
forgejo-module-ssh
branch
2 times, most recently
from
9b86a77
to
5998e34
Compare
There was a problem hiding this comment.
Retracting my change request, since I'm realizing that this is mainly about using the built-in ssh server. That's a use case that I simply don't have, but happen to know that @emilylange does. So I'll trust her expertise on this.
I'd still like to leave one self-quote from the resolved thread for posterity, because I feel like it meaningfully adds to the conversation.
Even when running a server without a reverse proxy, I prefer binding to high ports and then just redirecting the appropriate low ports via firewall.
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
pyrox0
changed the title
|
I'm slightly worried about unconditionally handing out capabilities, that are not strictly required. My deployment currently only binds to a UNIX socket, and I honestly don't want it to be able bind to privileged ports by default. |
|
It's a bit unfortunate the CAP discussion/suggestion has been marked as resolved in the meantime. From what I can tell the majority of Forgejo maintainers leaned towards something like I get that it was my suggestion to make it unconditional in the first place. We could even backport that variant to Or, slightly more controversial, we could continue to not provide an option for this at all. While we do not have concrete guidelines for this in nixpkgs, most folks I speak with expect users of unusual, edge-case-y and advanced configurations to be comfortable doing such override in question themselves via { lib, ... }: {
systemd.services.forgejo.serviceConfig = {
AmbientCapabilities = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
PrivateUsers = lib.mkForce false;
};
}What if we, as suggested somewhere in one of the many collapsed comments, split the CAP thingy from this PR as it currently stands. That way, this whole CAP discussion does not hinder the uncontroversial changes from getting merged. Specifically, the - services.openssh.settings.AcceptEnv = mkIf (!cfg.settings.START_SSH_SERVER or false) "GIT_PROTOCOL";
+ services.openssh.settings.AcceptEnv = mkIf (!cfg.settings.server.START_SSH_SERVER or false) "GIT_PROTOCOL";@pyrox0 getting added as maintainer and the PS: I genuinely haven't thought about port forwarding on the machine itself (what @bendlas suggested). I genuinely like that approach. Might copy that for my stuff. |
|
Are you still interested in working on this, @pyrox0? :) |
|
I am still interested in working on this. I'll rebase and remove the CAP override so that the rest of this can get merged. |
Since https://codeberg.org/forgejo/forgejo/issues/497 has been resolved, these can now be `FORGEJO_` prefixed instead of `GITEA_`.
Adds the necessary capabilities to bind to the port if SSH_PORT is lower than 1024, and also resolves issue NixOS#306205 by fixing the mentioned check as well as documenting the mentioned option.
pyrox0
force-pushed
the
forgejo-module-ssh
branch
from
5998e34
to
3069a99
Compare
|
This should be ready to merge. |
|
@ofborg test forgejo |
Also resolves #306205 and adds myself as a maintainer to the module.
Note: This won't eval cleanly until #306349, which fixes my maintainer attribute name, is merged. However, I've checked and it does work properly with that merged into the tree.
Description of changes
Things done
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Add a 👍 reaction to pull requests you find important.