hswaw/customs: disable DynamicUser for dhcpd / checkinator
Change-Id: I9c7feccf8eb908bf3808afb2ffc5adac50d7abd9 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1455 Reviewed-by: q3k <q3k@hackerspace.pl>
This commit is contained in:
parent
779727b39e
commit
ee8f1d5e2c
3 changed files with 28 additions and 15 deletions
|
@ -24,7 +24,7 @@ let
|
|||
'';
|
||||
config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
|
||||
# path to dhcpd lease file
|
||||
LEASE_FILE = "/var/lib/dhcp/dhcpd.leases";
|
||||
LEASE_FILE = "/var/lib/dhcpd4/dhcpd.leases";
|
||||
|
||||
# timeout for old leases
|
||||
TIMEOUT = 1500;
|
||||
|
@ -51,7 +51,7 @@ in {
|
|||
|
||||
serviceConfig.User = "${user}";
|
||||
serviceConfig.Type = "simple";
|
||||
|
||||
|
||||
serviceConfig.ExecStartPre = [
|
||||
''!${prepare}/bin/${name}-prepare''
|
||||
];
|
||||
|
@ -61,6 +61,7 @@ in {
|
|||
''!${pkgs.coreutils}/bin/rm -rf ${socket_dir}''
|
||||
];
|
||||
|
||||
serviceConfig.DynamicUser = false;
|
||||
};
|
||||
environment.systemPackages = [ checkinator ];
|
||||
}
|
||||
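Review bot: Setting `serviceConfig.DynamicUser = false;` also discards the confinement that DynamicUser=true implied for this unit (NoNewPrivileges, PrivateTmp, RemoveIPC, ProtectSystem=strict, ProtectHome=read-only, RestrictSUIDSGID), and the hunk re-adds none of it; the same applies to the checkinator-web service in the second file and to the dhcpd4 override in the third. Because the unit was already running under those implied restrictions, declaring them explicitly keeps the previous sandbox while still fixing the /var/lib/private visibility problem the commit is after; the paths it touches (`${socket_dir}` from ExecStopPost, the lease file read via LEASE_FILE) were already subject to ProtectSystem=strict before, but confirm against the unit's RuntimeDirectory/StateDirectory, which these hunks do not show. The enclosing `systemd.services` attribute set starts and ends outside the hunks.
```nix
serviceConfig.DynamicUser = false;
# DynamicUser=true implied these; keep them now that it is off so the
# unit does not silently lose its sandbox.
serviceConfig.NoNewPrivileges = true;
serviceConfig.PrivateTmp = true;
serviceConfig.RemoveIPC = true;
serviceConfig.ProtectSystem = "strict";
serviceConfig.ProtectHome = "read-only";
serviceConfig.RestrictSUIDSGID = true;
```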
|
|
|
@ -35,23 +35,23 @@ let
|
|||
config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
|
||||
# local sqlite db for storing user and MAC
|
||||
DB = "/var/checkinator-web/at.db";
|
||||
|
||||
|
||||
# debug option interpreted by flask app
|
||||
DEBUG = false;
|
||||
|
||||
|
||||
# url to member wiki page
|
||||
# "${login}" string is replaced by member login (uid)
|
||||
WIKI_URL = "https://wiki.hackerspace.pl/people:\${login}:start";
|
||||
|
||||
|
||||
CLAIMABLE_PREFIXES = [
|
||||
"10.8.0."
|
||||
"2a0d:eb00:4242:0:"
|
||||
];
|
||||
CLAIMABLE_EXCLUDE = [ ];
|
||||
|
||||
|
||||
SPACEAUTH_CONSUMER_KEY = "checkinator";
|
||||
SECRETS_FILE = "/mnt/secrets/checkinator-web/secrets.yaml";
|
||||
|
||||
|
||||
SPECIAL_DEVICES = {
|
||||
kektops = [ "90:e6:ba:84" ];
|
||||
esps = [
|
||||
|
@ -64,9 +64,9 @@ let
|
|||
"52:54:00" # craptrap VMs
|
||||
];
|
||||
};
|
||||
|
||||
|
||||
PROXY_FIX = true;
|
||||
|
||||
|
||||
GRPC_TLS_CERT_DIR = "/mnt/secrets/checkinator-web";
|
||||
GRPC_TLS_CA_CERT = "/mnt/secrets/checkinator-web/ca.pem";
|
||||
GRPC_TLS_ADDRESS = "[::1]:2847";
|
||||
|
@ -85,7 +85,7 @@ in {
|
|||
|
||||
serviceConfig.User = "${user}";
|
||||
serviceConfig.Type = "simple";
|
||||
|
||||
|
||||
environment = {
|
||||
CHECKINATOR_WEB_CONFIG=config;
|
||||
};
|
||||
|
@ -99,12 +99,14 @@ in {
|
|||
fi
|
||||
''}"
|
||||
];
|
||||
serviceConfig.workingDirectory = checkinator;
|
||||
serviceConfig.WorkingDirectory = checkinator;
|
||||
serviceConfig.ExecStart = "${python}/bin/gunicorn -b unix:${socket_dir}/web.sock at.webapp:app";
|
||||
serviceConfig.ExecStopPost = [
|
||||
''!${pkgs.coreutils}/bin/rm -rf /mnt/secrets/${name}''
|
||||
];
|
||||
|
||||
serviceConfig.DynamicUser = false;
|
||||
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."at.hackerspace.pl" = {
|
||||
|
@ -120,9 +122,9 @@ in {
|
|||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Host $host:$server_port;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $host:$server_port;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
'';
|
||||
};
|
||||
};
|
||||
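Review bot: With `serviceConfig.DynamicUser = false;` the unit now runs as the static `${user}` account, but nothing in this section declares that user or gives it ownership of the state it uses — `/var/checkinator-web/at.db` from the config, the gunicorn socket under `${socket_dir}`, and `/mnt/secrets/checkinator-web`, which `ExecStopPost` deletes with `rm -rf`. If that account was previously allocated by DynamicUser, a `users.users.${user}` entry plus matching ownership of those paths is needed, otherwise the service will fail to open the database or create the socket on first start; the third file adds such an entry for dhcpd, while none is visible here for checkinator-web (it may live in an unchanged part of the file). A comment next to the new line, e.g. `# static user: ${user} must own /var/checkinator-web and the socket dir`, would make that dependency explicit. Both the `systemd.services` attribute set and the nginx virtualHost continue outside the hunks.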
|
|
|
@ -316,10 +316,20 @@ in {
|
|||
|
||||
services.dhcpd4 = {
|
||||
enable = true;
|
||||
configFile = ./dhcpd.conf;
|
||||
configFile = "${./dhcpd.conf}";
|
||||
interfaces = ["lan"];
|
||||
};
|
||||
|
||||
# Checkinator needs access to leases file. When DynamicUser is enable this
|
||||
# file is hidden in /var/lib/private
|
||||
systemd.services.dhcpd4.serviceConfig.DynamicUser= pkgs.lib.mkForce false;
|
||||
users.users.dhcpd = {
|
||||
group = "dhcpd";
|
||||
isSystemUser = true;
|
||||
uid = 1005;
|
||||
};
|
||||
users.groups."dhcpd" = {};
|
||||
|
||||
hscloud.routing = {
|
||||
enable = true;
|
||||
# TODO(q3k): make this optional in upstream
|
||||
|
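Review bot: `systemd.services.dhcpd4.serviceConfig.DynamicUser= pkgs.lib.mkForce false;` switches the daemon to a static account but nothing migrates an existing lease database: if the unit ran with DynamicUser=true before, its state presumably sat under `/var/lib/private/dhcpd4` with a transient uid, so the first boot after this change may either start with an empty `/var/lib/dhcpd4/dhcpd.leases` or fail on ownership — a one-off move/chown, or at least a comment next to the override saying that was done, is worth adding. The `users.users.dhcpd` entry pins `uid = 1005`, which sits in the range typically used for regular member accounts; a comment such as `# static uid so lease-file ownership survives DynamicUser being off; must not collide with a member uid` would explain the choice. The comment above the override says checkinator needs the leases file, yet no line here grants the checkinator user read access — if dhcpd writes the file world-readable that suffices, otherwise that user should be added to the `dhcpd` group declared here. `hscloud.routing` continues outside the hunk.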
|