Assign stable UIDs and GIDs, expose targetEPR property
This commit is contained in:
parent
382c6a6d29
commit
0d917271ec
|
@ -0,0 +1,8 @@
|
|||
rec {
|
||||
uids = {
|
||||
min = 2000;
|
||||
max = 3000;
|
||||
};
|
||||
|
||||
gids = uids;
|
||||
}
|
|
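Review bot: The range `min = 2000; max = 3000;` is introduced without a comment explaining how it was chosen or what guarantees it does not collide with accounts that exist on the target outside this file's control. Whether 2000–3000 can overlap ordinary user accounts depends on the host's own allocation policy, which is not visible here, so the assumption should be stated next to the numbers, e.g. `# Pool reserved for service accounts; must not overlap the range the host hands out to regular users`. Since `gids = uids;` reuses the same pool, the comment should also say that uid and gid pools are deliberately identical.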
@ -0,0 +1,21 @@
|
|||
{
|
||||
"ids" = {
|
||||
"gids" = {
|
||||
"apache" = 2000;
|
||||
"dbus-daemon" = 2001;
|
||||
"disnix-service" = 2002;
|
||||
"mysql" = 2003;
|
||||
"sshd" = 2004;
|
||||
};
|
||||
"uids" = {
|
||||
"apache" = 2000;
|
||||
"dbus-daemon" = 2001;
|
||||
"mysql" = 2002;
|
||||
"sshd" = 2003;
|
||||
};
|
||||
};
|
||||
"lastAssignments" = {
|
||||
"gids" = 2004;
|
||||
"uids" = 2003;
|
||||
};
|
||||
}
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"ids" = {
|
||||
"gids" = {
|
||||
"dbus-daemon" = 2000;
|
||||
"disnix-service" = 2001;
|
||||
"sshd" = 2002;
|
||||
};
|
||||
"uids" = {
|
||||
"dbus-daemon" = 2000;
|
||||
"sshd" = 2001;
|
||||
};
|
||||
};
|
||||
"lastAssignments" = {
|
||||
"gids" = 2002;
|
||||
"uids" = 2001;
|
||||
};
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
{
|
||||
"ids" = {
|
||||
"gids" = {
|
||||
"dbus-daemon" = 2000;
|
||||
"disnix-service" = 2001;
|
||||
"mysql-primary" = 2002;
|
||||
"mysql-secondary" = 2003;
|
||||
"sshd" = 2004;
|
||||
"tomcat-primary" = 2005;
|
||||
"tomcat-secondary" = 2006;
|
||||
};
|
||||
"uids" = {
|
||||
"dbus-daemon" = 2000;
|
||||
"mysql-primary" = 2001;
|
||||
"mysql-secondary" = 2002;
|
||||
"sshd" = 2003;
|
||||
"tomcat-primary" = 2004;
|
||||
"tomcat-secondary" = 2005;
|
||||
};
|
||||
};
|
||||
"lastAssignments" = {
|
||||
"gids" = 2006;
|
||||
"uids" = 2005;
|
||||
};
|
||||
}
|
|
@ -0,0 +1,23 @@
|
|||
{
|
||||
"ids" = {
|
||||
"gids" = {
|
||||
"apache" = 2000;
|
||||
"dbus-daemon" = 2001;
|
||||
"disnix-service" = 2002;
|
||||
"mysql" = 2003;
|
||||
"sshd" = 2004;
|
||||
"tomcat" = 2005;
|
||||
};
|
||||
"uids" = {
|
||||
"apache" = 2000;
|
||||
"dbus-daemon" = 2001;
|
||||
"mysql" = 2002;
|
||||
"sshd" = 2003;
|
||||
"tomcat" = 2004;
|
||||
};
|
||||
};
|
||||
"lastAssignments" = {
|
||||
"gids" = 2005;
|
||||
"uids" = 2004;
|
||||
};
|
||||
}
|
|
@ -11,8 +11,10 @@
|
|||
}:
|
||||
|
||||
let
|
||||
ids = if builtins.pathExists ./ids-bare.nix then (import ./ids-bare.nix).ids else {};
|
||||
|
||||
constructors = import ../../services-agnostic/constructors.nix {
|
||||
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
|
||||
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
|
||||
};
|
||||
in
|
||||
rec {
|
||||
|
@ -22,17 +24,23 @@ rec {
|
|||
UsePAM yes
|
||||
'';
|
||||
};
|
||||
|
||||
requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
dbus-daemon = {
|
||||
pkg = constructors.dbus-daemon {
|
||||
services = [ disnix-service ];
|
||||
};
|
||||
|
||||
requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
disnix-service = {
|
||||
pkg = constructors.disnix-service {
|
||||
inherit dbus-daemon;
|
||||
};
|
||||
|
||||
requiresUniqueIdsFor = [ "gids" ];
|
||||
};
|
||||
}
|
||||
|
|
|
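Review bot: The new `ids = if builtins.pathExists ./ids-bare.nix then (import ./ids-bare.nix).ids else {};` falls back to an empty set with no diagnostic, so a missing or misnamed assignment file makes every service silently revert to dynamically allocated uids and gids. Given that the commit's purpose is stable ids, and that ownership of on-disk state presumably depends on them, a silent fallback can leave files owned by a different numeric id after a rebuild without anyone noticing; consider `else builtins.trace "warning: ./ids-bare.nix not found, uids/gids will be assigned dynamically" {}` or a comment stating the fallback is intentional. The same construct appears in the apache-mysql, tomcat-mysql-multi-instance and tomcat-mysql sections below. The enclosing function's argument list begins above the hunk.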
@ -11,12 +11,14 @@
|
|||
}:
|
||||
|
||||
let
|
||||
ids = if builtins.pathExists ./ids-apache-mysql.nix then (import ./ids-apache-mysql.nix).ids else {};
|
||||
|
||||
constructors = import ../../services-agnostic/constructors.nix {
|
||||
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
|
||||
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
|
||||
};
|
||||
|
||||
containerProviderConstructors = import ../../service-containers-agnostic/constructors.nix {
|
||||
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
|
||||
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
|
||||
};
|
||||
in
|
||||
rec {
|
||||
|
@ -26,26 +28,35 @@ rec {
|
|||
UsePAM yes
|
||||
'';
|
||||
};
|
||||
|
||||
requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
dbus-daemon = {
|
||||
pkg = constructors.dbus-daemon {
|
||||
services = [ disnix-service ];
|
||||
};
|
||||
|
||||
requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
apache = containerProviderConstructors.simpleWebappApache {
|
||||
serverAdmin = "root@localhost";
|
||||
documentRoot = "/var/www";
|
||||
enablePHP = true;
|
||||
properties.requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
mysql = containerProviderConstructors.mysql {};
|
||||
mysql = containerProviderConstructors.mysql {
|
||||
properties.requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
disnix-service = {
|
||||
pkg = constructors.disnix-service {
|
||||
inherit dbus-daemon;
|
||||
containerProviders = [ apache mysql ];
|
||||
};
|
||||
|
||||
requiresUniqueIdsFor = [ "gids" ];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -11,12 +11,14 @@
|
|||
}:
|
||||
|
||||
let
|
||||
ids = if builtins.pathExists ./ids-tomcat-mysql-multi-instance.nix then (import ./ids-tomcat-mysql-multi-instance.nix).ids else {};
|
||||
|
||||
constructors = import ../../services-agnostic/constructors.nix {
|
||||
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
|
||||
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
|
||||
};
|
||||
|
||||
containerProviderConstructors = import ../../service-containers-agnostic/constructors.nix {
|
||||
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
|
||||
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
|
||||
};
|
||||
in
|
||||
rec {
|
||||
|
@ -26,12 +28,16 @@ rec {
|
|||
UsePAM yes
|
||||
'';
|
||||
};
|
||||
|
||||
requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
dbus-daemon = {
|
||||
pkg = constructors.dbus-daemon {
|
||||
services = [ disnix-service ];
|
||||
};
|
||||
|
||||
requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
tomcat-primary = containerProviderConstructors.disnixAppservingTomcat {
|
||||
|
@ -44,6 +50,7 @@ rec {
|
|||
webapps = [
|
||||
pkgs.tomcat9.webapps # Include the Tomcat example and management applications
|
||||
];
|
||||
properties.requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
tomcat-secondary = containerProviderConstructors.disnixAppservingTomcat {
|
||||
|
@ -56,16 +63,19 @@ rec {
|
|||
webapps = [
|
||||
pkgs.tomcat9.webapps # Include the Tomcat example and management applications
|
||||
];
|
||||
properties.requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
mysql-primary = containerProviderConstructors.mysql {
|
||||
instanceSuffix = "-primary";
|
||||
port = 3306;
|
||||
properties.requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
mysql-secondary = containerProviderConstructors.mysql {
|
||||
instanceSuffix = "-secondary";
|
||||
port = 3307;
|
||||
properties.requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
disnix-service = {
|
||||
|
@ -74,5 +84,7 @@ rec {
|
|||
containerProviders = [ tomcat-primary tomcat-secondary mysql-primary mysql-secondary ];
|
||||
authorizedUsers = [ tomcat-primary.name tomcat-secondary.name ];
|
||||
};
|
||||
|
||||
requiresUniqueIdsFor = [ "gids" ];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -11,12 +11,14 @@
|
|||
}:
|
||||
|
||||
let
|
||||
ids = if builtins.pathExists ./ids-tomcat-mysql.nix then (import ./ids-tomcat-mysql.nix).ids else {};
|
||||
|
||||
constructors = import ../../services-agnostic/constructors.nix {
|
||||
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
|
||||
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
|
||||
};
|
||||
|
||||
containerProviderConstructors = import ../../service-containers-agnostic/constructors.nix {
|
||||
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
|
||||
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
|
||||
};
|
||||
in
|
||||
rec {
|
||||
|
@ -26,12 +28,16 @@ rec {
|
|||
UsePAM yes
|
||||
'';
|
||||
};
|
||||
|
||||
requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
dbus-daemon = {
|
||||
pkg = constructors.dbus-daemon {
|
||||
services = [ disnix-service ];
|
||||
};
|
||||
|
||||
requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
tomcat = containerProviderConstructors.disnixAppservingTomcat {
|
||||
|
@ -40,6 +46,8 @@ rec {
|
|||
pkgs.tomcat9.webapps # Include the Tomcat example and management applications
|
||||
];
|
||||
enableAJP = true;
|
||||
|
||||
properties.requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
apache = {
|
||||
|
@ -60,15 +68,24 @@ rec {
|
|||
};
|
||||
requireUser = "admin";
|
||||
};
|
||||
|
||||
requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
mysql = containerProviderConstructors.mysql {};
|
||||
mysql = containerProviderConstructors.mysql {
|
||||
properties.requiresUniqueIdsFor = [ "uids" "gids" ];
|
||||
};
|
||||
|
||||
disnix-service = {
|
||||
pkg = constructors.disnix-service {
|
||||
inherit dbus-daemon;
|
||||
containerProviders = [ tomcat mysql ];
|
||||
authorizedUsers = [ tomcat.name ];
|
||||
dysnomiaProperties = {
|
||||
targetEPR = "http://$(hostname)/DisnixWebService/services/DisnixWebService";
|
||||
};
|
||||
};
|
||||
|
||||
requiresUniqueIdsFor = [ "gids" ];
|
||||
};
|
||||
}
|
||||
|
|
|
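Review bot: `targetEPR = "http://$(hostname)/DisnixWebService/services/DisnixWebService";` fixes both a plain-http scheme and a shell command substitution inside a Nix string literal. Whether `$(hostname)` is expanded depends on the consumer of `dysnomiaProperties` passing the value through a shell, which this diff does not show; if the value is used verbatim the EPR is the literal text. If the property does steer deployment traffic to the web service, the scheme and host are better taken as parameters with these as defaults, e.g. `targetEPR = "${targetScheme}://${targetHost}/DisnixWebService/services/DisnixWebService";`, with a comment noting that the http default carries no transport protection. The disnix-service attribute set continues above the hunk.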
@ -52,12 +52,12 @@ in
|
|||
};
|
||||
|
||||
dbus-daemon = import ./dbus-daemon {
|
||||
inherit createManagedProcess stateDir runtimeDir;
|
||||
inherit createManagedProcess stateDir runtimeDir ids;
|
||||
inherit (pkgs) lib dbus writeTextFile;
|
||||
};
|
||||
|
||||
disnix-service = import ./disnix-service {
|
||||
inherit createManagedProcess processManager nix-processmgmt;
|
||||
inherit createManagedProcess processManager nix-processmgmt ids;
|
||||
inherit (pkgs) stdenv lib writeTextFile nix disnix dysnomia inetutils findutils;
|
||||
};
|
||||
|
||||
|
|
|
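Review bot: `inherit createManagedProcess stateDir runtimeDir ids;` forwards `ids`, but the hunk does not show where `ids` enters scope in this file; the sub-packages default it with `ids ? {}`, and if this file's own argument set has no such default, any caller not updated to pass `ids` fails with an undefined-variable error at evaluation time. If the signature does default it, a short comment on the first inherit line would help, e.g. `# ids: optional static uid/gid assignments, empty when the caller passes none`. The enclosing attribute set begins and ends outside the hunk.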
@ -1,4 +1,4 @@
|
|||
{createManagedProcess, lib, writeTextFile, dbus, stateDir, runtimeDir}:
|
||||
{createManagedProcess, lib, writeTextFile, dbus, stateDir, runtimeDir, ids ? {}}:
|
||||
{extraConfig ? "", busType ? "system", services ? []}:
|
||||
|
||||
let
|
||||
|
@ -112,13 +112,17 @@ createManagedProcess {
|
|||
|
||||
credentials = {
|
||||
groups = {
|
||||
"${group}" = {};
|
||||
"${group}" = lib.optionalAttrs (ids ? gids && ids.gids ? dbus-daemon) {
|
||||
gid = ids.gids.dbus-daemon;
|
||||
};
|
||||
};
|
||||
users = {
|
||||
"${user}" = {
|
||||
inherit group;
|
||||
homeDir = dbusRuntimeDir;
|
||||
description = "D-Bus system message bus daemon user";
|
||||
} // lib.optionalAttrs (ids ? uids && ids.uids ? dbus-daemon) {
|
||||
uid = ids.uids.dbus-daemon;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
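Review bot: The lookups `ids.gids ? dbus-daemon` and `ids.uids ? dbus-daemon` use a fixed key while the account names come from `${group}` and `${user}`; if those are ever made instance-specific the static id is no longer found and the account silently falls back to whatever id the account creator picks, with no indication in the evaluation. The same condition-and-optionalAttrs pattern is written twice here and once more in the disnix-service hunk below, so a small helper taking the kind (`"uids"`/`"gids"`) and the key would keep the three sites in step. Independently, a comment on the groups entry would make the fallback explicit, e.g. `# Pin the gid only when a static assignment exists; absent entries leave the id unpinned`. The `createManagedProcess {` call enclosing `credentials` begins above the hunk.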
@ -1,4 +1,4 @@
|
|||
{createManagedProcess, stdenv, lib, writeTextFile, nix, disnix, dysnomia, inetutils, findutils, processManager, nix-processmgmt}:
|
||||
{createManagedProcess, stdenv, lib, writeTextFile, nix, disnix, dysnomia, inetutils, findutils, processManager, nix-processmgmt, ids ? {}}:
|
||||
|
||||
{ dbus-daemon ? null
|
||||
, dysnomiaProperties ? {}
|
||||
|
@ -32,7 +32,9 @@ createManagedProcess {
|
|||
|
||||
credentials = {
|
||||
groups = {
|
||||
"${group}" = {};
|
||||
"${group}" = lib.optionalAttrs (ids ? gids && ids.gids ? disnix-service) {
|
||||
gid = ids.gids.disnix-service;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
|