
Refactor to fix user permissions when using cli as another user

This commit is contained in:
Jaculabilis 2020-12-31 15:04:51 -08:00
parent 379e0664e8
commit 6f1b841669
1 changed files with 39 additions and 18 deletions


@ -13,6 +13,15 @@ let
# Define the inquisitor data directory # Define the inquisitor data directory
inquisiDir = "/var/lib/inquisitor"; inquisiDir = "/var/lib/inquisitor";
# Define the inquisitor service user
inquisitorUser = {
name = "inquisitor";
description = "Inquisitor service user";
isSystemUser = true;
shell = pkgs.bashInteractive;
packages = [ inquisitor pkgs.cron ];
};
# Create the inquisitor config file in the nix store, pointing to /var/lib/ # Create the inquisitor config file in the nix store, pointing to /var/lib/
inquisitorConfig = pkgs.writeTextFile { inquisitorConfig = pkgs.writeTextFile {
name = "inquisitor.conf"; name = "inquisitor.conf";
@ -25,9 +34,9 @@ let
''; '';
}; };
# Create a run script for the server that sets up all necessary state # Create a setup script to ensure the service directory state
inquisitorRun = pkgs.writeShellScriptBin "run.sh" '' inquisitorSetup = pkgs.writeShellScriptBin "inquisitor-setup.sh" ''
# Ensure inquisitor directories and inquisitor source folder # Ensure the service directory and the default source directory
${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/data/inquisitor/ ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/data/inquisitor/
${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/sources/ ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/sources/
${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/cache/ ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/cache/
@ -35,42 +44,54 @@ let
${pkgs.coreutils}/bin/echo "{}" > ${inquisiDir}/data/inquisitor/state ${pkgs.coreutils}/bin/echo "{}" > ${inquisiDir}/data/inquisitor/state
fi fi
# Run inquisitor # Ensure the service owns the folders
chown -R ${inquisitorUser.name} ${inquisiDir}
'';
# Create a run script for the server
inquisitorRun = pkgs.writeShellScriptBin "inquisitor-run.sh" ''
cd ${inquisiDir} cd ${inquisiDir}
${inquisitor}/bin/gunicorn \ ${inquisitor}/bin/gunicorn \
--bind=localhost:24133 \ --bind=localhost:24133 \
--workers=4 \ --workers=4 \
--env INQUISITOR_CONFIG=${inquisitorConfig} \
--log-level debug \ --log-level debug \
"inquisitor.app:wsgi()" "inquisitor.app:wsgi()"
''; '';
# Create a wrapper script to let users call into inquisitor safely # Create a wrapper to execute the cli as the service user
inquisitorWrapper = pkgs.writeShellScriptBin "inq" '' inquisitorWrapper = pkgs.writeShellScriptBin "inq" ''
INQUISITOR_CONFIG=${inquisitorConfig} ${inquisitor}/bin/inquisitor "$@" sudo --user=inquisitor ${inquisitor}/bin/inquisitor "$@"
''; '';
in in
{ {
# Create a user for the service users.users.inquisitor = inquisitorUser;
users.users.inquisitor = {
description = "Inquisitor service user"; # Link the config in /etc to avoid envvar shenanigans
isSystemUser = true; environment.etc."inquisitor.conf".source = "${inquisitorConfig}";
home = "${inquisiDir}";
createHome = true;
shell = pkgs.bashInteractive;
packages = [ inquisitor pkgs.cron ];
};
# Give all users the inq wrapper # Give all users the inq wrapper
environment.systemPackages = [ inquisitorWrapper ]; environment.systemPackages = [ inquisitorWrapper ];
# Allow the sudo in the cli wrapper without password
security.sudo.extraRules = [{
commands = [{
command = "${inquisitor}/bin/inquisitor";
options = [ "NOPASSWD" ];
}];
runAs = "${inquisitorUser.name}";
groups = [ "users" ];
}];
# Run the setup script on activation
system.activationScripts.inquisitorSetup = "${inquisitorSetup}/bin/inquisitor-setup.sh";
# Set up the inquisitor service # Set up the inquisitor service
systemd.services.inquisitor = systemd.services.inquisitor =
{ {
description = "Inquisitor server"; description = "Inquisitor server";
script = "${inquisitorRun}/bin/run.sh"; script = "${inquisitorRun}/bin/inquisitor-run.sh";
serviceConfig = { serviceConfig = {
User = "inquisitor"; User = "${inquisitorUser.name}";
Type = "simple"; Type = "simple";
}; };
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
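Review bot: The `inq` wrapper hardcodes `sudo --user=inquisitor` while the sudo rule it depends on is written as `runAs = "${inquisitorUser.name}"`, so a later rename of the service user would leave the wrapper invoking an account the rule no longer covers; `sudo --user=${inquisitorUser.name} ${inquisitor}/bin/inquisitor "$@"` keeps the two in step. The rule carries no argument restriction and is granted to the whole `users` group with NOPASSWD, which is presumably intended for a shared CLI, but that trust boundary deserves to be stated on the rule, e.g. `# Any member of "users" may run the CLI with arbitrary arguments as the service user, without a password`. In the setup script, `chown -R ${inquisitorUser.name} ${inquisiDir}` is the only command not invoked through `${pkgs.coreutils}/bin/` like the mkdir and echo lines above it, and as written it changes only the owner, leaving the group of the root-created directories untouched. The `home`/`createHome` attributes were dropped from the user definition, so the CLI run through sudo presumably inherits the NixOS system-user default home rather than `${inquisiDir}` — confirm the CLI does not write under HOME.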