Refactor to fix user permissions when using cli as another user
This commit is contained in:
parent
379e0664e8
commit
6f1b841669
|
@ -13,6 +13,15 @@ let
|
|||
# Define the inquisitor data directory
|
||||
inquisiDir = "/var/lib/inquisitor";
|
||||
|
||||
# Define the inquisitor service user
|
||||
inquisitorUser = {
|
||||
name = "inquisitor";
|
||||
description = "Inquisitor service user";
|
||||
isSystemUser = true;
|
||||
shell = pkgs.bashInteractive;
|
||||
packages = [ inquisitor pkgs.cron ];
|
||||
};
|
||||
|
||||
# Create the inquisitor config file in the nix store, pointing to /var/lib/
|
||||
inquisitorConfig = pkgs.writeTextFile {
|
||||
name = "inquisitor.conf";
|
||||
|
@ -25,9 +34,9 @@ let
|
|||
'';
|
||||
};
|
||||
|
||||
# Create a run script for the server that sets up all necessary state
|
||||
inquisitorRun = pkgs.writeShellScriptBin "run.sh" ''
|
||||
# Ensure inquisitor directories and inquisitor source folder
|
||||
# Create a setup script to ensure the service directory state
|
||||
inquisitorSetup = pkgs.writeShellScriptBin "inquisitor-setup.sh" ''
|
||||
# Ensure the service directory and the default source directory
|
||||
${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/data/inquisitor/
|
||||
${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/sources/
|
||||
${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/cache/
|
||||
|
@ -35,42 +44,54 @@ let
|
|||
${pkgs.coreutils}/bin/echo "{}" > ${inquisiDir}/data/inquisitor/state
|
||||
fi
|
||||
|
||||
# Run inquisitor
|
||||
# Ensure the service owns the folders
|
||||
chown -R ${inquisitorUser.name} ${inquisiDir}
|
||||
'';
|
||||
|
||||
# Create a run script for the server
|
||||
inquisitorRun = pkgs.writeShellScriptBin "inquisitor-run.sh" ''
|
||||
cd ${inquisiDir}
|
||||
${inquisitor}/bin/gunicorn \
|
||||
--bind=localhost:24133 \
|
||||
--workers=4 \
|
||||
--env INQUISITOR_CONFIG=${inquisitorConfig} \
|
||||
--log-level debug \
|
||||
"inquisitor.app:wsgi()"
|
||||
'';
|
||||
|
||||
# Create a wrapper script to let users call into inquisitor safely
|
||||
# Create a wrapper to execute the cli as the service user
|
||||
inquisitorWrapper = pkgs.writeShellScriptBin "inq" ''
|
||||
INQUISITOR_CONFIG=${inquisitorConfig} ${inquisitor}/bin/inquisitor "$@"
|
||||
sudo --user=inquisitor ${inquisitor}/bin/inquisitor "$@"
|
||||
'';
|
||||
in
|
||||
{
|
||||
# Create a user for the service
|
||||
users.users.inquisitor = {
|
||||
description = "Inquisitor service user";
|
||||
isSystemUser = true;
|
||||
home = "${inquisiDir}";
|
||||
createHome = true;
|
||||
shell = pkgs.bashInteractive;
|
||||
packages = [ inquisitor pkgs.cron ];
|
||||
};
|
||||
users.users.inquisitor = inquisitorUser;
|
||||
|
||||
# Link the config in /etc to avoid envvar shenanigans
|
||||
environment.etc."inquisitor.conf".source = "${inquisitorConfig}";
|
||||
|
||||
# Give all users the inq wrapper
|
||||
environment.systemPackages = [ inquisitorWrapper ];
|
||||
|
||||
# Allow the sudo in the cli wrapper without password
|
||||
security.sudo.extraRules = [{
|
||||
commands = [{
|
||||
command = "${inquisitor}/bin/inquisitor";
|
||||
options = [ "NOPASSWD" ];
|
||||
}];
|
||||
runAs = "${inquisitorUser.name}";
|
||||
groups = [ "users" ];
|
||||
}];
|
||||
|
||||
# Run the setup script on activation
|
||||
system.activationScripts.inquisitorSetup = "${inquisitorSetup}/bin/inquisitor-setup.sh";
|
||||
|
||||
# Set up the inquisitor service
|
||||
systemd.services.inquisitor =
|
||||
{
|
||||
description = "Inquisitor server";
|
||||
script = "${inquisitorRun}/bin/run.sh";
|
||||
script = "${inquisitorRun}/bin/inquisitor-run.sh";
|
||||
serviceConfig = {
|
||||
User = "inquisitor";
|
||||
User = "${inquisitorUser.name}";
|
||||
Type = "simple";
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
|
Loading…
Reference in New Issue