Synit: user management?

2023-11-28 17:49:54 +02:00 · 2023-11-28 17:49:54 +02:00 · f86e024796
parent 1650358036
commit f86e024796
5 changed files with 34 additions and 20 deletions
--- a/nixproc/backends/synit/create-synit-daemon.nix
+++ b/nixproc/backends/synit/create-synit-daemon.nix
@ -1,6 +1,6 @@
-{ lib, busybox, runtimeShell, toPreserves, writeScript, writeTextFile }:
+{ lib, busybox, runtimeShell, toPreserves, util, writeScript, writeTextFile }:

-{ name, description, argv, environment, directory, path
+{ name, description, environment, directory, path, user, process, args
 # Shell instructions that specify how the state of the process should be initialized.
 , initialize ? ""
  # List of services that this configuration depends on.
@ -9,15 +9,24 @@
  # Example: [ "<service-state <milestone network> up>" ]
 , depends-on ? [ ]
  # Whether the daemon shall be declared as required.
-, require-service ? true }:
+, require-service ? true, forceDisableUserChange ? false }:

 let
  env = environment // {
    PATH = lib.strings.makeBinPath (path ++ [ busybox ]);
  };

+  user' = util.determineUser { inherit user forceDisableUserChange; };
+
  processSpec = {
-    inherit argv env;
+    argv = if user' == null then
+      [ process ] ++ args
+    else
+      util.invokeDaemon {
+        inherit process args;
+        su = "su";
+      };
+    inherit env;
  } // (lib.attrsets.optionalAttrs (directory != null) { dir = directory; });

  serviceName = "<daemon ${name}>";
--- a/nixproc/backends/synit/default.nix
+++ b/nixproc/backends/synit/default.nix
@ -1,13 +1,13 @@
 { lib, busybox, runtimeShell, writeScript, writeTextFile, undaemonize }:

 rec {
-  util = import ./util.nix { inherit lib; };
+  util = import ../util { inherit lib; };

-  toPreserves = util.toPreserves { };
+  inherit (import ./util.nix { inherit lib; }) toPreserves;

  createSynitDaemon = import ../../backends/synit/create-synit-daemon.nix {
    inherit lib busybox runtimeShell writeScript writeTextFile;
-    inherit toPreserves;
+    inherit toPreserves util;
  };

  generateSynitService =
--- a/nixproc/backends/synit/generate-synit-service.nix
+++ b/nixproc/backends/synit/generate-synit-service.nix
@ -6,12 +6,18 @@

 let
  generatedTargetSpecificArgs = {
-    inherit name description environment directory path dependencies initialize;
+    inherit name description environment directory path dependencies initialize
+      user;

-    argv = map toString (if foregroundProcess != null then
-      [ foregroundProcess ] ++ foregroundProcessArgs
+    process = if foregroundProcess != null then
+      foregroundProcess
    else
-      [ "${undaemonize}/bin/undaemonize" daemon ] ++ daemonArgs);
+      (lib.getExe undaemonize);
+
+    args = map toString (if foregroundProcess != null then
+      foregroundProcessArgs
+    else
+      [ daemon ] ++ daemonArgs);
  };

  targetSpecificArgs = if builtins.isFunction overrides then
--- a/nixproc/backends/synit/util.nix
+++ b/nixproc/backends/synit/util.nix
@ -12,11 +12,10 @@ rec {
       toPreserves { } [{ a = 0; b = 1; } "c" [ true false ] { record = "foo"; }]
       => "<foo { a: 0 b: 1 } \"c\" [ #t #f ]>"
  */
-  toPreserves = { }@args:
+  toPreserves =
    let
-      toPreserves' = toPreserves args;
      concatItems = toString;
-      mapToSeq = lib.strings.concatMapStringsSep " " toPreserves';
+      mapToSeq = lib.strings.concatMapStringsSep " " toPreserves;
      recordLabel = list:
        with builtins;
        let len = length list;
@ -37,7 +36,7 @@ rec {
    else if lib.isAttrs v then
      "{ ${
        concatItems
-        (lib.attrsets.mapAttrsToList (key: val: "${key}: ${toPreserves' val}")
+        (lib.attrsets.mapAttrsToList (key: val: "${key}: ${toPreserves val}")
          v)
      } }"
    else if lib.isList v then
--- a/tools/synit/nixproc-synit-deploy.in
+++ b/tools/synit/nixproc-synit-deploy.in
@ -132,10 +132,6 @@ fi

 nixproc-init-state $stateDirArg $runtimeDirArg $logDirArg $tmpDirArg $cacheDirArg $spoolDirArg $lockDirArg $libDirArg $forceDisableUserChangeArg

-# Create new groups and users
-createNewGroups
-createNewUsers
-
 dest_file=/run/etc/syndicate/services/processes.pr

 if [ -e "$dest_file"] && [ ! -L "$dest_file" ]
@ -144,7 +140,11 @@ then
  exit 1
 fi

-ln -sf $profilePath /etc/syndicate/services/processes.pr
+# Create new groups and users
+createNewGroups
+createNewUsers
+
+ln -sf $profilePath /run/etc/syndicate/services/processes.pr

 # Delete obsolete users and groups
 deleteObsoleteUsers