hswaw/customs: disable DynamicUser for dhcpd / checkinator

Change-Id: I9c7feccf8eb908bf3808afb2ffc5adac50d7abd9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1455
Reviewed-by: q3k <q3k@hackerspace.pl>
diff --git a/hswaw/machines/customs.hackerspace.pl/checkinator-tracker.nix b/hswaw/machines/customs.hackerspace.pl/checkinator-tracker.nix
index 77a46bd..47a5a71 100644
--- a/hswaw/machines/customs.hackerspace.pl/checkinator-tracker.nix
+++ b/hswaw/machines/customs.hackerspace.pl/checkinator-tracker.nix
@@ -24,7 +24,7 @@
   '';
   config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
     # path to dhcpd lease file
-    LEASE_FILE = "/var/lib/dhcp/dhcpd.leases";
+    LEASE_FILE = "/var/lib/dhcpd4/dhcpd.leases";
 
     # timeout for old leases
     TIMEOUT = 1500;
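Review bot: The new `/var/lib/dhcpd4/dhcpd.leases` path only works because dhcpd4 is forced off DynamicUser in configuration.nix in the same commit; under DynamicUser the real directory sits below /var/lib/private, which is root-only, so `${user}` could not reach it. That cross-file dependency is invisible here and will be the first thing to break if the dhcpd4 override is ever dropped, so I would record it on the path: `# path to dhcpd lease file; readable here only because dhcpd4 runs with DynamicUser=false (see configuration.nix)`. Nothing in this commit grants the tracker user read access to the leases file itself, so presumably it relies on dhcpd leaving the file world-readable — worth confirming, and a `SupplementaryGroups = [ "dhcpd" ]` on this unit would be the tighter way to express that access.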
@@ -51,7 +51,7 @@
 
     serviceConfig.User = "${user}";
     serviceConfig.Type = "simple";
-      
+
     serviceConfig.ExecStartPre = [
       ''!${prepare}/bin/${name}-prepare''
     ];
@@ -61,6 +61,7 @@
       ''!${pkgs.coreutils}/bin/rm -rf ${socket_dir}''
     ];
 
+    serviceConfig.DynamicUser = false;
   };
   environment.systemPackages = [ checkinator ];
 }
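Review bot: `serviceConfig.DynamicUser = false;` is added here and in checkinator-web.nix without the rationale that the dhcpd4 override in configuration.nix carries, so a reader cannot tell whether it is a deliberate hardening trade-off or just a no-op made explicit (with `User = "${user}"` already set, false is systemd's default unless something outside this diff turned it on). If this unit did previously run with DynamicUser, note that the switch also drops the hardening DynamicUser implies (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, NoNewPrivileges), which would then need to be re-added explicitly if the sandboxing was relied on; the `!`-prefixed ExecStartPre/ExecStopPost steps run as root either way. A one-line comment on both units would settle it, e.g. `# static user required so the unit can be granted access to dhcpd4's lease file`, adjusted to whatever the actual reason is.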
diff --git a/hswaw/machines/customs.hackerspace.pl/checkinator-web.nix b/hswaw/machines/customs.hackerspace.pl/checkinator-web.nix
index b117c63..356064e 100644
--- a/hswaw/machines/customs.hackerspace.pl/checkinator-web.nix
+++ b/hswaw/machines/customs.hackerspace.pl/checkinator-web.nix
@@ -35,23 +35,23 @@
   config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
     # local sqlite db for storing user and MAC
     DB = "/var/checkinator-web/at.db";
-    
+
     # debug option interpreted by flask app
     DEBUG = false;
-    
+
     # url to member wiki page
     # "${login}" string is replaced by member login (uid)
     WIKI_URL = "https://wiki.hackerspace.pl/people:\${login}:start";
-    
+
     CLAIMABLE_PREFIXES = [
       "10.8.0."
       "2a0d:eb00:4242:0:"
     ];
     CLAIMABLE_EXCLUDE = [ ];
-    
+
     SPACEAUTH_CONSUMER_KEY = "checkinator";
     SECRETS_FILE = "/mnt/secrets/checkinator-web/secrets.yaml";
-    
+
     SPECIAL_DEVICES = {
       kektops = [ "90:e6:ba:84" ];
       esps = [
@@ -64,9 +64,9 @@
         "52:54:00" # craptrap VMs
       ];
     };
-    
+
     PROXY_FIX = true;
-    
+
     GRPC_TLS_CERT_DIR = "/mnt/secrets/checkinator-web";
     GRPC_TLS_CA_CERT = "/mnt/secrets/checkinator-web/ca.pem";
     GRPC_TLS_ADDRESS = "[::1]:2847";
@@ -85,7 +85,7 @@
 
     serviceConfig.User = "${user}";
     serviceConfig.Type = "simple";
-      
+
     environment = {
       CHECKINATOR_WEB_CONFIG=config;
     };
@@ -99,12 +99,14 @@
         fi
       ''}"
     ];
-    serviceConfig.workingDirectory = checkinator;
+    serviceConfig.WorkingDirectory = checkinator;
     serviceConfig.ExecStart = "${python}/bin/gunicorn -b unix:${socket_dir}/web.sock at.webapp:app";
     serviceConfig.ExecStopPost = [
       ''!${pkgs.coreutils}/bin/rm -rf /mnt/secrets/${name}''
     ];
 
+    serviceConfig.DynamicUser = false;
+
   };
 
   services.nginx.virtualHosts."at.hackerspace.pl" = {
@@ -120,9 +122,9 @@
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-	proxy_set_header X-Forwarded-Host $host:$server_port;
-	proxy_set_header X-Forwarded-Server $host;
-	proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host:$server_port;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-Proto $scheme;
       '';
     };
   };
diff --git a/hswaw/machines/customs.hackerspace.pl/configuration.nix b/hswaw/machines/customs.hackerspace.pl/configuration.nix
index ce13373..6f880d2 100644
--- a/hswaw/machines/customs.hackerspace.pl/configuration.nix
+++ b/hswaw/machines/customs.hackerspace.pl/configuration.nix
@@ -316,10 +316,20 @@
 
   services.dhcpd4 = {
     enable = true;
-    configFile = ./dhcpd.conf;
+    configFile = "${./dhcpd.conf}";
     interfaces = ["lan"];
   };
 
+  # Checkinator needs access to leases file. When DynamicUser is enable this
+  # file is hidden in /var/lib/private
+  systemd.services.dhcpd4.serviceConfig.DynamicUser= pkgs.lib.mkForce false;
+  users.users.dhcpd = {
+    group = "dhcpd";
+    isSystemUser = true;
+    uid = 1005;
+  };
+  users.groups."dhcpd" = {};
+
   hscloud.routing = {
     enable = true;
     # TODO(q3k): make this optional in upstream
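Review bot: `uid = 1005;` on `users.users.dhcpd` with `isSystemUser = true` places a system account in the normal-user range (1000 and up), where it can collide with a present or future human account; NixOS's convention for system users is a uid below 1000 (I believe the `config.ids.uids` table already has a `dhcpd` entry), or omitting `uid` and letting isSystemUser allocate one. Disabling DynamicUser on dhcpd4 moves its state from /var/lib/private/dhcpd4 to /var/lib/dhcpd4, so existing leases may need a one-time migration on first activation — worth checking on the host rather than assuming systemd moves them. The added comment has a typo and the assignment is missing a space: `# ... When DynamicUser is enabled this file is hidden in /var/lib/private` and `systemd.services.dhcpd4.serviceConfig.DynamicUser = pkgs.lib.mkForce false;`. For least privilege I would also state in the comment that the intended consumer gets access via membership of the new `dhcpd` group rather than by loosening permissions on the lease file, since the commit creates the group but nothing visible here uses it.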