Vula #240
Vula #240
Conversation
sarcasticadmin
force-pushed
the
mob/vula-test
branch
from
6d9673a to
351ec25
Compare
|
And to be clear we would like the authors review before merging. |
|
If you request me as a reviewer, I will make time this week to review it. |
There was a problem hiding this comment.
I would be happy to further discuss this review and other aspects on Wednesday. Thank you for packaging this software and while there are additional changes to be made, the most important is using the vula altfiles fork as it does what is required and nothing more. The second most important is using the highctidh remote on codeberg. The rest of my comments are minor or otherwise cosmetic issues.
|
What's the justification for adding so many users to the system (looks like one user per service)? Why not use one user for all of them, like before?
|
projects/Vula/test.nix
Outdated
| }; | ||
| in { | ||
| a = recursiveUpdate common { | ||
| services.vula.userPrefix = "fula"; |
There was a problem hiding this comment.
I suggest something that is more obviously a test value, since "fula" is confusing, as evidenced by discussions in this very PR.
| services.vula.userPrefix = "fula"; | |
| services.vula.userPrefix = "vula-testuserprefix"; |
There was a problem hiding this comment.
I agree. I was confused and others may also be confused. For example a name that is self-documenting might be a good choice.
There was a problem hiding this comment.
@lorenzleutgeb I don't like resolving others' concerns.
projects/Vula/test.nix
Outdated
| in { | ||
| a = recursiveUpdate common { | ||
| services.vula.userPrefix = "fula"; | ||
| services.vula.systemGroup = "zula"; |
There was a problem hiding this comment.
| services.vula.systemGroup = "zula"; | |
| services.vula.systemGroup = "vula-testgroup"; |
projects/Vula/service.nix
Outdated
| commonServiceAttrs = { | ||
| serviceConfig.DevicePolicy = "closed"; | ||
| serviceConfig.Group = cfg.systemGroup; | ||
| serviceConfig.LockPersonality = "yes"; | ||
| serviceConfig.MemoryDenyWriteExecute = "yes"; | ||
| serviceConfig.NoNewPrivileges = "yes"; | ||
| serviceConfig.PrivateDevices = "yes"; | ||
| serviceConfig.PrivateTmp = "yes"; | ||
| serviceConfig.ProtectControlGroups = "yes"; | ||
| serviceConfig.ProtectHome = "read-only"; | ||
| serviceConfig.ProtectKernelLogs = "yes"; | ||
| serviceConfig.ProtectKernelModules = "yes"; | ||
| serviceConfig.ProtectKernelTunables = "yes"; | ||
| serviceConfig.Restart = "always"; | ||
| serviceConfig.RestartSec = "5s"; | ||
| serviceConfig.RestrictNamespaces = "yes"; | ||
| serviceConfig.RestrictRealtime = "yes"; | ||
| serviceConfig.RestrictSUIDSGID = "yes"; | ||
| serviceConfig.Slice = "vula.slice"; | ||
| serviceConfig.StandardError = "journal"; | ||
| serviceConfig.StandardOutput = "journal"; | ||
| serviceConfig.Type = "dbus"; | ||
| wantedBy = ["multi-user.target"]; | ||
| }; |
There was a problem hiding this comment.
| commonServiceAttrs = { | |
| serviceConfig.DevicePolicy = "closed"; | |
| serviceConfig.Group = cfg.systemGroup; | |
| serviceConfig.LockPersonality = "yes"; | |
| serviceConfig.MemoryDenyWriteExecute = "yes"; | |
| serviceConfig.NoNewPrivileges = "yes"; | |
| serviceConfig.PrivateDevices = "yes"; | |
| serviceConfig.PrivateTmp = "yes"; | |
| serviceConfig.ProtectControlGroups = "yes"; | |
| serviceConfig.ProtectHome = "read-only"; | |
| serviceConfig.ProtectKernelLogs = "yes"; | |
| serviceConfig.ProtectKernelModules = "yes"; | |
| serviceConfig.ProtectKernelTunables = "yes"; | |
| serviceConfig.Restart = "always"; | |
| serviceConfig.RestartSec = "5s"; | |
| serviceConfig.RestrictNamespaces = "yes"; | |
| serviceConfig.RestrictRealtime = "yes"; | |
| serviceConfig.RestrictSUIDSGID = "yes"; | |
| serviceConfig.Slice = "vula.slice"; | |
| serviceConfig.StandardError = "journal"; | |
| serviceConfig.StandardOutput = "journal"; | |
| serviceConfig.Type = "dbus"; | |
| wantedBy = ["multi-user.target"]; | |
| }; | |
| commonServiceAttrs = { | |
| serviceConfig = { | |
| DevicePolicy = "closed"; | |
| Group = cfg.systemGroup; | |
| LockPersonality = "yes"; | |
| MemoryDenyWriteExecute = "yes"; | |
| NoNewPrivileges = "yes"; | |
| PrivateDevices = "yes"; | |
| PrivateTmp = "yes"; | |
| ProtectControlGroups = "yes"; | |
| ProtectHome = "read-only"; | |
| ProtectKernelLogs = "yes"; | |
| ProtectKernelModules = "yes"; | |
| ProtectKernelTunables = "yes"; | |
| Restart = "always"; | |
| RestartSec = "5s"; | |
| RestrictNamespaces = "yes"; | |
| RestrictRealtime = "yes"; | |
| RestrictSUIDSGID = "yes"; | |
| Slice = "vula.slice"; | |
| StandardError = "journal"; | |
| StandardOutput = "journal"; | |
| Type = "dbus"; | |
| }; | |
| wantedBy = ["multi-user.target"]; | |
| }; |
The design of vula depends on a separation of concerns. For example: |
|
We would like to add documentation to vula's README to show users how to use and install this nix ngipkgs pkg. We would also be happy to do that with highctidh. Could someone provide us with specific instructions? We can then tag new versions that include that documentation and then the final packages can be based on that tag. |
|
We would also be willing to add a CI test to test building a nix package against git tip for every commit, is there a template or a specific way that is supported for this kind of CI-centric testing? |
Could the same be achieved with dynamic users? Can a subset of these users be dynamic? |
It could be but we would prefer not to use that systemd feature without testing and consideration. Using fixed users and groups has already been analyzed. |
sarcasticadmin
force-pushed
the
mob/vula-test
branch
from
677c86e to
07fa826
Compare
mightyiam
force-pushed
the
mob/vula-test
branch
3 times, most recently
from
8eb683a to
691f29d
Compare
Co-authored-by: Adrien Faure <adrien.faure@protonmail.com> Co-authored-by: Ali Jamadi <jamadi1377@gmail.com> Co-authored-by: GetPsyched <priyanshu@getpsyched.dev> Co-authored-by: Robert James Hernandez <rob@sarcasticadmin.com> Co-authored-by: Shahar "Dawn" Or <mightyiampresence@gmail.com> Co-authored-by: Yifei Sun <ysun@hey.com> Co-authored-by: yakampe <yanis.kampe.cv@gmail.com>
|
@ngi-nix/cake @ngi-nix/magic great job everyone! @ioerror given the heavy lifting is done, upstreaming only needs a bit of scaffolding on your end. There's a tutorial series for all the moving parts on https://nix.dev if you want to try alone, but we can also make a pull request, such that all you'd have to do in CI is get Nix into the execution environment and run |
We would prefer a pull request - ideally one for highctidh and one for vula, and then we will run those tests for all work performed in either repo in the future. Also, thank you - this is a lot of work. Ideally the pull request should add a small section about Nix (how to use the packages, and some credit to those who did this work). We'd be happy to have text in our main |
Closes #96