Assign stable UIDs and GIDs, expose targetEPR property

Sander van der Burg 2021-03-07 17:19:27 +01:00 committed by Sander van der Burg
parent 382c6a6d29
commit 0d917271ec
12 changed files with 163 additions and 15 deletions


@ -0,0 +1,8 @@
rec {
uids = {
min = 2000;
max = 3000;
};
gids = uids;
}
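Review bot: The 2000–3000 window in `uids` is not explained, and on most distributions it sits inside the range `useradd` hands to regular interactive accounts (the `UID_MIN`..`UID_MAX` window of login.defs), so a locally created user could later collide with a reserved service ID. The choice should be recorded on the `uids` line, e.g. `# Window reserved for service accounts; keep it outside the range the host allocates to interactive users`. Whether the assignment tool also checks the live account database for collisions is not visible here. `gids = uids` shares the same window for groups, which deserves a one-line comment as well.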


@ -0,0 +1,21 @@
{
"ids" = {
"gids" = {
"apache" = 2000;
"dbus-daemon" = 2001;
"disnix-service" = 2002;
"mysql" = 2003;
"sshd" = 2004;
};
"uids" = {
"apache" = 2000;
"dbus-daemon" = 2001;
"mysql" = 2002;
"sshd" = 2003;
};
};
"lastAssignments" = {
"gids" = 2004;
"uids" = 2003;
};
}


@ -0,0 +1,17 @@
{
"ids" = {
"gids" = {
"dbus-daemon" = 2000;
"disnix-service" = 2001;
"sshd" = 2002;
};
"uids" = {
"dbus-daemon" = 2000;
"sshd" = 2001;
};
};
"lastAssignments" = {
"gids" = 2002;
"uids" = 2001;
};
}


@ -0,0 +1,25 @@
{
"ids" = {
"gids" = {
"dbus-daemon" = 2000;
"disnix-service" = 2001;
"mysql-primary" = 2002;
"mysql-secondary" = 2003;
"sshd" = 2004;
"tomcat-primary" = 2005;
"tomcat-secondary" = 2006;
};
"uids" = {
"dbus-daemon" = 2000;
"mysql-primary" = 2001;
"mysql-secondary" = 2002;
"sshd" = 2003;
"tomcat-primary" = 2004;
"tomcat-secondary" = 2005;
};
};
"lastAssignments" = {
"gids" = 2006;
"uids" = 2005;
};
}


@ -0,0 +1,23 @@
{
"ids" = {
"gids" = {
"apache" = 2000;
"dbus-daemon" = 2001;
"disnix-service" = 2002;
"mysql" = 2003;
"sshd" = 2004;
"tomcat" = 2005;
};
"uids" = {
"apache" = 2000;
"dbus-daemon" = 2001;
"mysql" = 2002;
"sshd" = 2003;
"tomcat" = 2004;
};
};
"lastAssignments" = {
"gids" = 2005;
"uids" = 2004;
};
}


@ -11,8 +11,10 @@
}:
let
ids = if builtins.pathExists ./ids-bare.nix then (import ./ids-bare.nix).ids else {};
constructors = import ../../services-agnostic/constructors.nix {
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
};
in
rec {
@ -22,17 +24,23 @@ rec {
UsePAM yes
'';
};
requiresUniqueIdsFor = [ "uids" "gids" ];
};
dbus-daemon = {
pkg = constructors.dbus-daemon {
services = [ disnix-service ];
};
requiresUniqueIdsFor = [ "uids" "gids" ];
};
disnix-service = {
pkg = constructors.disnix-service {
inherit dbus-daemon;
};
requiresUniqueIdsFor = [ "gids" ];
};
}
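Review bot: The `ids` binding on the `let` line falls back to `{}` when `./ids-bare.nix` is missing, so a deleted or misnamed assignment file silently reverts every service to dynamically allocated UIDs/GIDs, which defeats the stable-ID goal without any signal at evaluation time; the apache-mysql, tomcat-mysql-multi-instance and tomcat-mysql process models in this commit repeat the same pattern. If the fallback is needed to bootstrap the first assignment run, make it visible, e.g. `else builtins.trace "ids-bare.nix not found; falling back to dynamic UID/GID assignment" {}` (or `pkgs.lib.warn` with the same message, if `pkgs.lib` is usable at that point). A short comment on that line recording that `ids-bare.nix` is generated from this model, and that the file name must match per model, would also help the next reader. The `rec` attribute set spans both hunks, with lines between them not shown.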


@ -11,12 +11,14 @@
}:
let
ids = if builtins.pathExists ./ids-apache-mysql.nix then (import ./ids-apache-mysql.nix).ids else {};
constructors = import ../../services-agnostic/constructors.nix {
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
};
containerProviderConstructors = import ../../service-containers-agnostic/constructors.nix {
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
};
in
rec {
@ -26,26 +28,35 @@ rec {
UsePAM yes
'';
};
requiresUniqueIdsFor = [ "uids" "gids" ];
};
dbus-daemon = {
pkg = constructors.dbus-daemon {
services = [ disnix-service ];
};
requiresUniqueIdsFor = [ "uids" "gids" ];
};
apache = containerProviderConstructors.simpleWebappApache {
serverAdmin = "root@localhost";
documentRoot = "/var/www";
enablePHP = true;
properties.requiresUniqueIdsFor = [ "uids" "gids" ];
};
mysql = containerProviderConstructors.mysql {};
mysql = containerProviderConstructors.mysql {
properties.requiresUniqueIdsFor = [ "uids" "gids" ];
};
disnix-service = {
pkg = constructors.disnix-service {
inherit dbus-daemon;
containerProviders = [ apache mysql ];
};
requiresUniqueIdsFor = [ "gids" ];
};
}


@ -11,12 +11,14 @@
}:
let
ids = if builtins.pathExists ./ids-tomcat-mysql-multi-instance.nix then (import ./ids-tomcat-mysql-multi-instance.nix).ids else {};
constructors = import ../../services-agnostic/constructors.nix {
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
};
containerProviderConstructors = import ../../service-containers-agnostic/constructors.nix {
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
};
in
rec {
@ -26,12 +28,16 @@ rec {
UsePAM yes
'';
};
requiresUniqueIdsFor = [ "uids" "gids" ];
};
dbus-daemon = {
pkg = constructors.dbus-daemon {
services = [ disnix-service ];
};
requiresUniqueIdsFor = [ "uids" "gids" ];
};
tomcat-primary = containerProviderConstructors.disnixAppservingTomcat {
@ -44,6 +50,7 @@ rec {
webapps = [
pkgs.tomcat9.webapps # Include the Tomcat example and management applications
];
properties.requiresUniqueIdsFor = [ "uids" "gids" ];
};
tomcat-secondary = containerProviderConstructors.disnixAppservingTomcat {
@ -56,16 +63,19 @@ rec {
webapps = [
pkgs.tomcat9.webapps # Include the Tomcat example and management applications
];
properties.requiresUniqueIdsFor = [ "uids" "gids" ];
};
mysql-primary = containerProviderConstructors.mysql {
instanceSuffix = "-primary";
port = 3306;
properties.requiresUniqueIdsFor = [ "uids" "gids" ];
};
mysql-secondary = containerProviderConstructors.mysql {
instanceSuffix = "-secondary";
port = 3307;
properties.requiresUniqueIdsFor = [ "uids" "gids" ];
};
disnix-service = {
@ -74,5 +84,7 @@ rec {
containerProviders = [ tomcat-primary tomcat-secondary mysql-primary mysql-secondary ];
authorizedUsers = [ tomcat-primary.name tomcat-secondary.name ];
};
requiresUniqueIdsFor = [ "gids" ];
};
}


@ -11,12 +11,14 @@
}:
let
ids = if builtins.pathExists ./ids-tomcat-mysql.nix then (import ./ids-tomcat-mysql.nix).ids else {};
constructors = import ../../services-agnostic/constructors.nix {
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
};
containerProviderConstructors = import ../../service-containers-agnostic/constructors.nix {
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
};
in
rec {
@ -26,12 +28,16 @@ rec {
UsePAM yes
'';
};
requiresUniqueIdsFor = [ "uids" "gids" ];
};
dbus-daemon = {
pkg = constructors.dbus-daemon {
services = [ disnix-service ];
};
requiresUniqueIdsFor = [ "uids" "gids" ];
};
tomcat = containerProviderConstructors.disnixAppservingTomcat {
@ -40,6 +46,8 @@ rec {
pkgs.tomcat9.webapps # Include the Tomcat example and management applications
];
enableAJP = true;
properties.requiresUniqueIdsFor = [ "uids" "gids" ];
};
apache = {
@ -60,15 +68,24 @@ rec {
};
requireUser = "admin";
};
requiresUniqueIdsFor = [ "uids" "gids" ];
};
mysql = containerProviderConstructors.mysql {};
mysql = containerProviderConstructors.mysql {
properties.requiresUniqueIdsFor = [ "uids" "gids" ];
};
disnix-service = {
pkg = constructors.disnix-service {
inherit dbus-daemon;
containerProviders = [ tomcat mysql ];
authorizedUsers = [ tomcat.name ];
dysnomiaProperties = {
targetEPR = "http://$(hostname)/DisnixWebService/services/DisnixWebService";
};
};
requiresUniqueIdsFor = [ "gids" ];
};
}
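Review bot: The `targetEPR` value contains `$(hostname)`, which Nix stores verbatim, so it only becomes a usable URL if whatever consumes `dysnomiaProperties` later passes it through a shell; a comment on that line should state this, e.g. `# $(hostname) is expanded by the shell at deployment time, not by Nix`. The endpoint is also advertised as plain `http://`; if this is the remote deployment interface, the reason TLS is not required on this path should be noted, or the scheme switched to https once the service supports it. The `disnix-service` attribute set is fully inside this hunk.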


@ -52,12 +52,12 @@ in
};
dbus-daemon = import ./dbus-daemon {
inherit createManagedProcess stateDir runtimeDir;
inherit createManagedProcess stateDir runtimeDir ids;
inherit (pkgs) lib dbus writeTextFile;
};
disnix-service = import ./disnix-service {
inherit createManagedProcess processManager nix-processmgmt;
inherit createManagedProcess processManager nix-processmgmt ids;
inherit (pkgs) stdenv lib writeTextFile nix disnix dysnomia inetutils findutils;
};
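Review bot: Only `dbus-daemon` and `disnix-service` receive `ids` here, yet the generated assignment files in this commit also reserve UIDs/GIDs for `sshd`, `apache`, `mysql` and `tomcat` (including the `-primary`/`-secondary` instances); unless those constructors pick `ids` up elsewhere, the reserved numbers for them are never applied and those accounts keep dynamically allocated IDs. Within the twelve files shown no other constructor is wired, so either thread `ids` into the remaining constructors or drop `requiresUniqueIdsFor` from the services that cannot honour it yet. The `ids` name this file forwards must be declared in its own parameter list, which is outside the hunk; if it is declared without an `? {}` default, existing callers that do not pass it will fail to evaluate.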


@ -1,4 +1,4 @@
{createManagedProcess, lib, writeTextFile, dbus, stateDir, runtimeDir}:
{createManagedProcess, lib, writeTextFile, dbus, stateDir, runtimeDir, ids ? {}}:
{extraConfig ? "", busType ? "system", services ? []}:
let
@ -112,13 +112,17 @@ createManagedProcess {
credentials = {
groups = {
"${group}" = {};
"${group}" = lib.optionalAttrs (ids ? gids && ids.gids ? dbus-daemon) {
gid = ids.gids.dbus-daemon;
};
};
users = {
"${user}" = {
inherit group;
homeDir = dbusRuntimeDir;
description = "D-Bus system message bus daemon user";
} // lib.optionalAttrs (ids ? uids && ids.uids ? dbus-daemon) {
uid = ids.uids.dbus-daemon;
};
};
};
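Review bot: The new `ids ? {}` parameter is undocumented: nothing says what shape it has or that the lookup key is the fixed name `dbus-daemon` rather than the `group`/`user` bindings used for the account names (defined outside the hunk), so if those are ever made configurable the account would still receive the ID reserved under `dbus-daemon`. A comment on the parameter line would settle it, e.g. `# ids: optional { uids.<service> = int; gids.<service> = int; } as generated into ids-*.nix; missing entries fall back to dynamic allocation`; the same applies to the identical `ids ? {}` parameter added to disnix-service. The two guards could also read `lib.hasAttrByPath [ "gids" "dbus-daemon" ] ids`, which states the intent in one call. The `createManagedProcess` call these credentials belong to starts outside the hunk.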


@ -1,4 +1,4 @@
{createManagedProcess, stdenv, lib, writeTextFile, nix, disnix, dysnomia, inetutils, findutils, processManager, nix-processmgmt}:
{createManagedProcess, stdenv, lib, writeTextFile, nix, disnix, dysnomia, inetutils, findutils, processManager, nix-processmgmt, ids ? {}}:
{ dbus-daemon ? null
, dysnomiaProperties ? {}
@ -32,7 +32,9 @@ createManagedProcess {
credentials = {
groups = {
"${group}" = {};
"${group}" = lib.optionalAttrs (ids ? gids && ids.gids ? disnix-service) {
gid = ids.gids.disnix-service;
};
};
};