nixos/nix-serve: don't run as nogroup
nogroup is insecure if shared
parent
2489eb5e45
commit
ac7b8724b5
@ -229,7 +229,7 @@ in
|
|||||||
grafana = 196;
|
grafana = 196;
|
||||||
skydns = 197;
|
skydns = 197;
|
||||||
# ripple-rest = 198; # unused, removed 2017-08-12
|
# ripple-rest = 198; # unused, removed 2017-08-12
|
||||||
nix-serve = 199;
|
# nix-serve = 199; # unused, removed 2020-12-12
|
||||||
tvheadend = 200;
|
tvheadend = 200;
|
||||||
uwsgi = 201;
|
uwsgi = 201;
|
||||||
gitit = 202;
|
gitit = 202;
|
||||||
|
@ -69,13 +69,9 @@ in
|
|||||||
ExecStart = "${pkgs.nix-serve}/bin/nix-serve " +
|
ExecStart = "${pkgs.nix-serve}/bin/nix-serve " +
|
||||||
"--listen ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}";
|
"--listen ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}";
|
||||||
User = "nix-serve";
|
User = "nix-serve";
|
||||||
Group = "nogroup";
|
Group = "nix-serve";
|
||||||
|
DynamicUser = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.nix-serve = {
|
|
||||||
description = "Nix-serve user";
|
|
||||||
uid = config.ids.uids.nix-serve;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
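Review bot: Switching to `DynamicUser = true;` while dropping the static `users.users.nix-serve` definition leaves already-deployed hosts in an unstated middle state: the existing `nix-serve` account (uid 199 until this commit) is not removed on systems with mutable users, and as far as I can tell systemd keeps using a name that still resolves to a static user instead of allocating a transient one, so those hosts would continue under the old uid with only the group becoming dynamic. That is still an improvement over `nogroup`, but it deserves a sentence in the commit message or a release note telling operators the stale account can be deleted. `Group = "nix-serve";` is also redundant once `DynamicUser` is set, since the group then defaults to the `User` name, so the line could be dropped. The enclosing serviceConfig attribute set starts outside the hunk.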
@ -295,6 +295,7 @@ in
|
|||||||
nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};
|
nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};
|
||||||
nginx-sso = handleTest ./nginx-sso.nix {};
|
nginx-sso = handleTest ./nginx-sso.nix {};
|
||||||
nginx-variants = handleTest ./nginx-variants.nix {};
|
nginx-variants = handleTest ./nginx-variants.nix {};
|
||||||
|
nix-serve = handleTest ./nix-ssh-serve.nix {};
|
||||||
nix-ssh-serve = handleTest ./nix-ssh-serve.nix {};
|
nix-ssh-serve = handleTest ./nix-ssh-serve.nix {};
|
||||||
nixos-generate-config = handleTest ./nixos-generate-config.nix {};
|
nixos-generate-config = handleTest ./nixos-generate-config.nix {};
|
||||||
nomad = handleTest ./nomad.nix {};
|
nomad = handleTest ./nomad.nix {};
|
||||||
|
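Review bot: The added entry `nix-serve = handleTest ./nix-ssh-serve.nix {};` points at the SSH test file rather than at the nixos/tests/nix-serve.nix file this commit introduces, so `nixosTests.nix-serve` (and the `passthru.tests.nix-serve` hook added in the package hunk further down) would run the nix-ssh-serve test and the new test would never be exercised. The line should read `nix-serve = handleTest ./nix-serve.nix {};`. The mistake is easy to miss because the neighbouring line has the same shape, which is why wiring a test that verifies the new group is worth doing in the test itself.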
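--- /dev/null
+++ b/nixos/tests/nix-serve.nix
@@ -0,0 +1,22 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+{
+name = "nix-serve";
+machine = { pkgs, ... }: {
+services.nix-serve.enable = true;
+environment.systemPackages = [
+pkgs.hello
+];
+};
+testScript = let
+pkgHash = builtins.head (
+builtins.match "${builtins.storeDir}/([^-]+).+" (toString pkgs.hello)
+);
+in ''
+start_all()
+machine.wait_for_unit("nix-serve.service")
+machine.wait_for_open_port(5000)
+machine.succeed(
+"curl --fail -g http://0.0.0.0:5000/nar/${pkgHash}.nar -o /tmp/hello.nar"
+)
+'';
+})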
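Review bot: The test only proves that the NAR endpoint answers; it does not assert the property this commit is about, namely that the unit no longer runs with group `nogroup`. After `machine.wait_for_unit("nix-serve.service")` a check such as `machine.succeed("systemctl show -p Group --value nix-serve.service | grep -qx nix-serve")` would pin the regression, and a second line checking `DynamicUser=yes` in the same `systemctl show` output would document the intended hardening. The NAR fetch itself looks right: the `[^-]+` capture in the `builtins.match` pattern yields the store hash, and the service port is the one the unit is waited on.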
@ -1,5 +1,11 @@
|
|||||||
{ lib, stdenv, fetchFromGitHub,
|
{ lib
|
||||||
bzip2, nix, perl, makeWrapper,
|
, stdenv
|
||||||
|
, fetchFromGitHub
|
||||||
|
, bzip2
|
||||||
|
, nix
|
||||||
|
, perl
|
||||||
|
, makeWrapper
|
||||||
|
, nixosTests
|
||||||
}:
|
}:
|
||||||
|
|
||||||
with lib;
|
with lib;
|
||||||
@ -30,6 +36,8 @@ stdenv.mkDerivation {
|
|||||||
--add-flags $out/libexec/nix-serve/nix-serve.psgi
|
--add-flags $out/libexec/nix-serve/nix-serve.psgi
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
passthru.tests.nix-serve = nixosTests.nix-serve;
|
||||||
|
|
||||||
meta = {
|
meta = {
|
||||||
homepage = "https://github.com/edolstra/nix-serve";
|
homepage = "https://github.com/edolstra/nix-serve";
|
||||||
description = "A utility for sharing a Nix store as a binary cache";
|
description = "A utility for sharing a Nix store as a binary cache";
|
||||||
|