Merge pull request #164398 from NinjaTrappeur/nin/pleroma-wrappers

2022-03-19 21:28:40 +01:00 · 2022-03-19 21:28:40 +01:00 · 05417a66e7
parent 53e4f8d237 b205832efe
commit 05417a66e7
3 changed files with 36 additions and 23 deletions
--- a/nixos/modules/services/networking/pleroma.nix
+++ b/nixos/modules/services/networking/pleroma.nix
@ -1,6 +1,7 @@
 { config, options, lib, pkgs, stdenv, ... }:
 let
  cfg = config.services.pleroma;
+  cookieFile = "/var/lib/pleroma/.cookie";
 in {
  options = {
    services.pleroma = with lib; {
@ -8,7 +9,7 @@ in {

      package = mkOption {
        type = types.package;
-        default = pkgs.pleroma;
+        default = pkgs.pleroma.override { inherit cookieFile; };
        defaultText = literalExpression "pkgs.pleroma";
        description = "Pleroma package to use.";
      };
@ -100,7 +101,6 @@ in {
      after = [ "network-online.target" "postgresql.service" ];
      wantedBy = [ "multi-user.target" ];
      restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
-      environment.RELEASE_COOKIE = "/var/lib/pleroma/.cookie";
      serviceConfig = {
        User = cfg.user;
        Group = cfg.group;
@ -118,10 +118,10 @@ in {
        # Better be safe than sorry migration-wise.
        ExecStartPre =
          let preScript = pkgs.writers.writeBashBin "pleromaStartPre" ''
-            if [ ! -f /var/lib/pleroma/.cookie ]
+            if [ ! -f "${cookieFile}" ] || [ ! -s "${cookieFile}" ]
            then
              echo "Creating cookie file"
-              dd if=/dev/urandom bs=1 count=16 | hexdump -e '16/1 "%02x"' > /var/lib/pleroma/.cookie
+              dd if=/dev/urandom bs=1 count=16 | ${pkgs.hexdump}/bin/hexdump -e '16/1 "%02x"' > "${cookieFile}"
            fi
            ${cfg.package}/bin/pleroma_ctl migrate
          '';
--- a/nixos/tests/pleroma.nix
+++ b/nixos/tests/pleroma.nix
@ -32,8 +32,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
    # system one. Overriding this pretty bad default behaviour.
    export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

-    export TOOT_LOGIN_CLI_PASSWORD="jamy-password"
-    toot login_cli -i "pleroma.nixos.test" -e "jamy@nixos.test"
+    echo "jamy-password" | toot login_cli -i "pleroma.nixos.test" -e "jamy@nixos.test"
    echo "Login OK"

    # Send a toot then verify it's part of the public timeline
@ -168,21 +167,6 @@ import ./make-test-python.nix ({ pkgs, ... }:
    cp key.pem cert.pem $out
  '';

-  /* Toot is preventing users from feeding login_cli a password non
-     interactively. While it makes sense most of the times, it's
-     preventing us to login in this non-interactive test. This patch
-     introduce a TOOT_LOGIN_CLI_PASSWORD env variable allowing us to
-     provide a password to toot login_cli
-
-     If https://github.com/ihabunek/toot/pull/180 gets merged at some
-     point, feel free to remove this patch. */
-  custom-toot = pkgs.toot.overrideAttrs(old:{
-    patches = [ (pkgs.fetchpatch {
-      url = "https://github.com/NinjaTrappeur/toot/commit/b4a4c30f41c0cb7e336714c2c4af9bc9bfa0c9f2.patch";
-      sha256 = "sha256-0xxNwjR/fStLjjUUhwzCCfrghRVts+fc+fvVJqVcaFg=";
-    }) ];
-  });
-
  hosts = nodes: ''
    ${nodes.pleroma.config.networking.primaryIPAddress} pleroma.nixos.test
    ${nodes.client.config.networking.primaryIPAddress} client.nixos.test
@ -194,7 +178,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
      security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ];
      networking.extraHosts = hosts nodes;
      environment.systemPackages = with pkgs; [
-        custom-toot
+        toot
        send-toot
      ];
    };
--- a/pkgs/servers/pleroma/default.nix
+++ b/pkgs/servers/pleroma/default.nix
@ -1,7 +1,8 @@
 { lib, beamPackages
 , fetchFromGitHub, fetchFromGitLab
-, file, cmake
+, file, cmake, bash
 , nixosTests, writeText
+, cookieFile ? null
 , ...
 }:

@ -17,6 +18,34 @@ beamPackages.mixRelease rec {
    sha256 = "sha256-RcqqNNNCR4cxETUCyjChkpq+cQ1QzNOHHzdqBLtOc6g=";
  };

+  preFixup = if (cookieFile != null) then ''
+    # There's no way to use a subprocess to cat the content of the
+    # file cookie using wrapProgram: it gets escaped (by design) with
+    # a pair of backticks :(
+    # We have to come up with our own custom wrapper to do this.
+    function wrapWithCookie () {
+        local hidden
+        hidden="$(dirname "$1")/.$(basename "$1")"-wrapped
+        while [ -e "$hidden" ]; do
+            hidden="''${hidden}_"
+        done
+        mv "$1" "''${hidden}"
+
+        cat > "$1" << EOF
+    #!${bash}/bin/bash
+    export RELEASE_COOKIE="\$(cat "${cookieFile}")"
+    exec -a "\$0" "''${hidden}" "\$@"
+    EOF
+        chmod +x "$1"
+    }
+
+    for f in "$out"/bin/*; do
+        if [[ -x "$f" ]]; then
+            wrapWithCookie "$f"
+        fi
+    done
+  '' else "";
+
  mixNixDeps = import ./mix.nix {
    inherit beamPackages lib;
    overrides = (final: prev: {