nixos/fcgiwrap: refactor to fix permissions #318599

Merged: 11 commits, Jul 2, 2024

Commits on Jun 22, 2024

  1. nixos/fcgiwrap: refactor for multiple instances

    This allows configuring and starting independent instances of the
    fcgiwrap service, each with their own settings and running user,
    instead of having to share a global one.
    
    I could not use `mkRenamedOptionModule` on the previous options
    because the aliases conflict with `attrsOf submodule` now defined at
    `services.fcgiwrap`. This makes this change not backward compatible.
    pacien committed Jun 22, 2024
    41419ca
  2. nixos/fcgiwrap: adapt consumer modules and tests

    This also fixes the gitolite-fcgiwrap test by running git through
    fcgiwrap as the proper user.
    pacien committed Jun 22, 2024
    bf2ad6f
  3. nixos/fcgiwrap: group options logically, fix doc

    Since we're already introducing some backward-incompatible change in
    the previous commit, let's make the options more tidy, also preparing
    for the introduction of more options.
    
    This also fixes the documentation of the user and group options, which
    apply to the service's running user, not the socket.
    pacien committed Jun 22, 2024
    022289f
  4. 8101ae4
  5. 3955eaf
  6. 289c158
  7. nixos/fcgiwrap: add unix socket owner, private by default

    This adds a few options to properly set the ownership and permissions
    on UNIX local sockets, set to private by default.
    
    Previously, the created UNIX local sockets could be used by any local
    user. This was especially problematic when fcgiwrap is running as root
    (the default).
    pacien committed Jun 22, 2024
    81f7201
  8. c5dc3e2
  9. nixos/fcgiwrap: do not run as root by default

    Use a dynamic user instead unless one is specified.
    pacien committed Jun 22, 2024
    51b246a
  10. nixos/cgit: configurable user instead of root

    This allows running cgit instances using dedicated users instead of
    root. This is now set to "cgit" by default.
    pacien committed Jun 22, 2024
    2d8626b
  11. nixos/cgit: fix GIT_PROJECT_ROOT ownership

    The GIT_PROJECT_ROOT directory is now created at runtime instead of
    being assembled at build time.
    
    This fixes ownership issues which prevented those repositories from being
    read by users other than root. This also avoids creating symlinks in
    the nix store pointing to the outside.
    pacien committed Jun 22, 2024
    3d10deb
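
Commit 7 notes that the UNIX sockets created before this change could be used by any local user. The following is an added example, not code from this pull request or from nixpkgs: a check that classifies who can connect to a UNIX socket from its file mode and its parent directory's mode. It assumes Linux semantics (connecting needs write permission on the socket file and search permission on its directory), the group case is an approximation from mode bits alone, and the socket name `fcgiwrap-demo.sock` is constructed for the demonstration.

```python
import os
import socket
import stat
import tempfile


def socket_exposure(path):
    """Classify who may connect to the UNIX socket at `path`, from file modes alone."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path!r} is not a UNIX socket")
    mode = stat.S_IMODE(st.st_mode)
    parent_dir = os.path.dirname(os.path.abspath(path))
    parent = stat.S_IMODE(os.stat(parent_dir).st_mode)
    # On Linux, connect() requires write permission on the socket file and
    # search (x) permission on the directory that holds it.
    if mode & stat.S_IWOTH and parent & stat.S_IXOTH:
        return "any-local-user"
    if mode & stat.S_IWGRP and parent & (stat.S_IXGRP | stat.S_IXOTH):
        return "owner-and-group"
    return "owner-only"


def make_socket(directory, mode):
    """Bind a listening socket in `directory` and set its mode (constructed sample)."""
    path = os.path.join(directory, "fcgiwrap-demo.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)
    srv.listen(1)
    return srv, path


def demo():
    """Audit three constructed sockets: open to all, group-shared, and private."""
    results = {}
    for label, mode in (("open", 0o666), ("group", 0o660), ("private", 0o600)):
        with tempfile.TemporaryDirectory() as d:
            os.chmod(d, 0o755)  # directory itself is traversable by everyone
            srv, path = make_socket(d, mode)
            try:
                results[label] = socket_exposure(path)
            finally:
                srv.close()
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:8} -> {verdict}")
```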