Refactor to fix user permissions when using cli as another user

2020-12-31 15:04:51 -08:00 · 2020-12-31 15:04:51 -08:00 · 6f1b841669
parent 379e0664e8
commit 6f1b841669
1 changed files with 39 additions and 18 deletions
--- a/inquisitor.nix
+++ b/inquisitor.nix
@ -13,6 +13,15 @@ let
  # Define the inquisitor data directory
  inquisiDir = "/var/lib/inquisitor";

+  # Define the inquisitor service user
+  inquisitorUser = {
+    name = "inquisitor";
+    description = "Inquisitor service user";
+    isSystemUser = true;
+    shell = pkgs.bashInteractive;
+    packages = [ inquisitor pkgs.cron ];
+  };
+
  # Create the inquisitor config file in the nix store, pointing to /var/lib/
  inquisitorConfig = pkgs.writeTextFile {
    name = "inquisitor.conf";
@ -25,9 +34,9 @@ let
    '';
  };

-  # Create a run script for the server that sets up all necessary state
-  inquisitorRun = pkgs.writeShellScriptBin "run.sh" ''
-    # Ensure inquisitor directories and inquisitor source folder
+  # Create a setup script to ensure the service directory state
+  inquisitorSetup = pkgs.writeShellScriptBin "inquisitor-setup.sh" ''
+    # Ensure the service directory and the default source directory
    ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/data/inquisitor/
    ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/sources/
    ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/cache/
@ -35,42 +44,54 @@ let
      ${pkgs.coreutils}/bin/echo "{}" > ${inquisiDir}/data/inquisitor/state
    fi

-    # Run inquisitor
+    # Ensure the service owns the folders
+    chown -R ${inquisitorUser.name} ${inquisiDir}
+  '';
+
+  # Create a run script for the server
+  inquisitorRun = pkgs.writeShellScriptBin "inquisitor-run.sh" ''
    cd ${inquisiDir}
    ${inquisitor}/bin/gunicorn \
      --bind=localhost:24133 \
      --workers=4 \
-      --env INQUISITOR_CONFIG=${inquisitorConfig} \
      --log-level debug \
      "inquisitor.app:wsgi()"
  '';

-  # Create a wrapper script to let users call into inquisitor safely
+  # Create a wrapper to execute the cli as the service user
  inquisitorWrapper = pkgs.writeShellScriptBin "inq" ''
-    INQUISITOR_CONFIG=${inquisitorConfig} ${inquisitor}/bin/inquisitor "$@"
+    sudo --user=inquisitor ${inquisitor}/bin/inquisitor "$@"
  '';
 in
 {
-  # Create a user for the service
-  users.users.inquisitor = {
-    description = "Inquisitor service user";
-    isSystemUser = true;
-    home = "${inquisiDir}";
-    createHome = true;
-    shell = pkgs.bashInteractive;
-    packages = [ inquisitor pkgs.cron ];
-  };
+  users.users.inquisitor = inquisitorUser;
+
+  # Link the config in /etc to avoid envvar shenanigans
+  environment.etc."inquisitor.conf".source = "${inquisitorConfig}";

  # Give all users the inq wrapper
  environment.systemPackages = [ inquisitorWrapper ];

+  # Allow the sudo in the cli wrapper without password
+  security.sudo.extraRules = [{
+    commands = [{
+      command = "${inquisitor}/bin/inquisitor";
+      options = [ "NOPASSWD" ];
+    }];
+    runAs = "${inquisitorUser.name}";
+    groups = [ "users" ];
+  }];
+
+  # Run the setup script on activation
+  system.activationScripts.inquisitorSetup = "${inquisitorSetup}/bin/inquisitor-setup.sh";
+
  # Set up the inquisitor service
  systemd.services.inquisitor =
  {
    description = "Inquisitor server";
-    script = "${inquisitorRun}/bin/run.sh";
+    script = "${inquisitorRun}/bin/inquisitor-run.sh";
    serviceConfig = {
-      User = "inquisitor";
+      User = "${inquisitorUser.name}";
      Type = "simple";
    };
    wantedBy = [ "multi-user.target" ];