mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-25 03:17:13 +00:00
929a00bd84
Fixes https://github.com/NixOS/nixpkgs/issues/223289. This doesn't reduce the security in any way since it was already possible for normal users to do what I do here and create such a fake repo for themselves and set their $IPFS_PATH variable to it. It was and still is also possible to just use the --api CLI option. This change just removes the manual setup that would otherwise be required. We wouldn't need this workaround if https://github.com/ipfs/kubo/pull/9366 was merged but the fix seems to have been ignored upstream. Patching it ourselves seems like a bad idea since the patch has security implications.
78 lines
2.4 KiB
Nix
78 lines
2.4 KiB
Nix
{ lib, ...} : {
|
|
name = "kubo";
|
|
meta = with lib.maintainers; {
|
|
maintainers = [ mguentner Luflosi ];
|
|
};
|
|
|
|
nodes.machine = { ... }: {
|
|
services.kubo = {
|
|
enable = true;
|
|
# Also will add a unix domain socket socket API address, see module.
|
|
startWhenNeeded = true;
|
|
settings.Addresses.API = "/ip4/127.0.0.1/tcp/2324";
|
|
dataDir = "/mnt/ipfs";
|
|
};
|
|
users.users.alice = {
|
|
isNormalUser = true;
|
|
};
|
|
};
|
|
|
|
nodes.fuse = { ... }: {
|
|
services.kubo = {
|
|
enable = true;
|
|
settings.Addresses.API = "/ip4/127.0.0.1/tcp/2324";
|
|
autoMount = true;
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
start_all()
|
|
|
|
with subtest("Automatic socket activation"):
|
|
ipfs_hash = machine.succeed(
|
|
"echo fnord0 | su alice -l -c 'ipfs add --quieter'"
|
|
)
|
|
machine.succeed(f"ipfs cat /ipfs/{ipfs_hash.strip()} | grep fnord0")
|
|
|
|
machine.stop_job("ipfs")
|
|
|
|
with subtest("IPv4 socket activation"):
|
|
machine.succeed("ipfs --api /ip4/127.0.0.1/tcp/2324 id")
|
|
ipfs_hash = machine.succeed(
|
|
"echo fnord | ipfs --api /ip4/127.0.0.1/tcp/2324 add --quieter"
|
|
)
|
|
machine.succeed(f"ipfs cat /ipfs/{ipfs_hash.strip()} | grep fnord")
|
|
|
|
machine.stop_job("ipfs")
|
|
|
|
with subtest("Unix domain socket activation"):
|
|
ipfs_hash = machine.succeed(
|
|
"echo fnord2 | ipfs --api /unix/run/ipfs.sock add --quieter"
|
|
)
|
|
machine.succeed(
|
|
f"ipfs --api /unix/run/ipfs.sock cat /ipfs/{ipfs_hash.strip()} | grep fnord2"
|
|
)
|
|
|
|
with subtest("Setting dataDir works properly with the hardened systemd unit"):
|
|
machine.succeed("test -e /mnt/ipfs/config")
|
|
machine.succeed("test ! -e /var/lib/ipfs/")
|
|
|
|
with subtest("FUSE mountpoint"):
|
|
# The FUSE mount functionality is broken as of v0.13.0 and v0.17.0.
|
|
# See https://github.com/ipfs/kubo/issues/9044.
|
|
# Workaround: using CID Version 1 avoids that.
|
|
ipfs_hash = fuse.succeed(
|
|
"echo fnord3 | ipfs add --quieter --cid-version=1"
|
|
).strip()
|
|
|
|
fuse.succeed(f"cat /ipfs/{ipfs_hash} | grep fnord3")
|
|
|
|
with subtest("Unmounting of /ipns and /ipfs"):
|
|
# Force Kubo to crash and wait for it to restart
|
|
fuse.systemctl("kill --signal=SIGKILL ipfs.service")
|
|
fuse.wait_for_unit("ipfs.service", timeout = 30)
|
|
|
|
fuse.succeed(f"cat /ipfs/{ipfs_hash} | grep fnord3")
|
|
'';
|
|
}
|