nixos: Apply changes from nixpkgs module #186
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Also cc'ing @adamcstephens |
cole-h
reviewed
Oct 14, 2024
zhaofengli
force-pushed
the
nixos-hardening
branch
from
58671a5 to
80ba673
Compare
cole-h
approved these changes
Oct 14, 2024
| systemd.services.atticd = { | ||
| wantedBy = [ "multi-user.target" ]; | ||
| after = [ "network-online.target" ] ++ lib.optionals hasLocalPostgresDB [ "postgresql.service" ]; | ||
| requires = lib.optionals hasLocalPostgresDB [ "postgresql.service" ]; |
There was a problem hiding this comment.
It was pointed out to me that the after generates an eval warning. You'll want this too NixOS/nixpkgs#349083
Co-authored-by: Adam Stephens <adam@valkor.net>
Co-authored-by: Adam Stephens <adam@valkor.net>
Co-authored-by: Adam Stephens <adam@valkor.net>
Co-authored-by: Adam Stephens <adam@valkor.net>
Co-authored-by: Adam Stephens <adam@valkor.net>
fixes: trace: evaluation warning: atticd.service is ordered after 'network-online.target' but doesn't depend on it
zhaofengli
force-pushed
the
nixos-hardening
branch
from
80ba673 to
ba5ba2d
Compare
ajs124
reviewed
Nov 3, 2024
| ''; | ||
| export ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="dGVzdCBzZWNyZXQ=" | ||
| export ATTIC_SERVER_DATABASE_URL="sqlite://:memory:" | ||
| ${lib.getExe cfg.package} --mode check-config -f $configFile |
There was a problem hiding this comment.
I don't think using getExe makes sense here or in serviceConfig.
This breaks using the attic (or attic-nixpkgs) package for the service, because that package has attic set as mainProgram, which is the wrong binary to use here. So setting services.attic.package = pkgs.attic was working fine before this change, but is broken with it.
Since this package includes both server and client, it should be usable here IMO.
I've been using that package to avoid having to build attic twice, for server and client binaries.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR updates the NixOS module to follow the one added in NixOS/nixpkgs#347749.
In particular,
services.atticd.credentialsFilewas renamed toservices.atticd.environmentFileand new hardening options were added to the systemd service.