From patchwork Sun Nov 19 19:58:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Thompson, David" X-Patchwork-Id: 56647 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 9ECCF27BBEA; Sun, 19 Nov 2023 19:59:23 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,SPF_HELO_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 52E6C27BBE2 for ; Sun, 19 Nov 2023 19:59:19 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1r4nwc-0007Hb-Tk; Sun, 19 Nov 2023 14:59:02 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1r4nwa-0007H5-TV for guix-patches@gnu.org; Sun, 19 Nov 2023 14:59:00 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1r4nwa-00017M-KC for guix-patches@gnu.org; Sun, 19 Nov 2023 14:59:00 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1r4nwb-0002SA-Uf for guix-patches@gnu.org; Sun, 19 Nov 2023 14:59:01 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#67288] [PATCH] services: laminar: Add configuration option for supplementary groups Resent-From: "Thompson, David" Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 19 Nov 2023 19:59:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 67288 X-GNU-PR-Package: 
guix-patches X-GNU-PR-Keywords: patch To: 67288@debbugs.gnu.org X-Debbugs-Original-To: Ryan Prior via Guix-patches Received: via spool by submit@debbugs.gnu.org id=B.17004239379418 (code B ref -1); Sun, 19 Nov 2023 19:59:01 +0000 Received: (at submit) by debbugs.gnu.org; 19 Nov 2023 19:58:57 +0000 Received: from localhost ([127.0.0.1]:52140 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1r4nwW-0002Rl-TB for submit@debbugs.gnu.org; Sun, 19 Nov 2023 14:58:57 -0500 Received: from lists.gnu.org ([2001:470:142::17]:33948) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1r4nwT-0002RO-0N for submit@debbugs.gnu.org; Sun, 19 Nov 2023 14:58:55 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1r4nwL-0007GU-C8 for guix-patches@gnu.org; Sun, 19 Nov 2023 14:58:45 -0500 Received: from mail-qt1-x831.google.com ([2607:f8b0:4864:20::831]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1r4nwJ-00014W-E3 for guix-patches@gnu.org; Sun, 19 Nov 2023 14:58:45 -0500 Received: by mail-qt1-x831.google.com with SMTP id d75a77b69052e-41cc75c55f0so41550341cf.1 for ; Sun, 19 Nov 2023 11:58:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=worcester-edu.20230601.gappssmtp.com; s=20230601; t=1700423921; x=1701028721; darn=gnu.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=R6bz4ZAiI1p6YPshkQUbh6uUWzRp4avcqgFVeubp3zk=; b=mm10gtEksytP5/fJVKMKVw1CNa/QpABYSXVqmcPyFmWn4Xd9qjs6TeK0IDC5t6iKqF Vhjp/O9h1+akkbw1CqFDtDiNim27FzbkwsOWr+nwUtjeZ0q29XtwJgAxXxgmWIJtWZ+9 GF1AwnVLm9GWDu3P3bKTB6sTFYfuX30EiWn/MlHX8PFFIVSdrck/ll6LJACyGsWw1LBN fy1Bz6y2L8h/ITRaFxbzaXf0T7j6WT888fvt4oM/bohPgsKRrX8yLohE5kIJ4Z/egfiN blddeP4DzKmE2xy2dwi1NT6ugjUJ9rjAzPMFFdygRdv467WkbQfzyZ+oBVsFDdqyQJJD 53bA== X-Google-DKIM-Signature: v=1; 
a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700423921; x=1701028721; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=R6bz4ZAiI1p6YPshkQUbh6uUWzRp4avcqgFVeubp3zk=; b=aDpus48ubwwc6UtdUFxhxsgfbDq/E1o+3p+QpHjRwKGl8EbnQKu5ZxYN2HkQvZ3nzN aYalokeEr6iY6VJ7dOVJJXmZ25olmj6YMpk8HCHb/GMPiftV5+1kPaygT2PYs7ADJZkp R90BtzQ/WpArZ1dGQxO1UckfSIALbj5Lpq3SYtPpm2SRnKHQRb81PjCpruTRLuKkJ2JB haitmKAzqWUzdmBQMchOigf6Mv9TFM2gOIO/gi+L4kvGX+bpqtVp6P894ArxDOyXypPU YlAbIJVePkapuCcAZ7f2ZmXxVoj/x8S5C5iK+QYceOP8iy65KsI1hEt+PBq31OgR5II7 hj1w== X-Gm-Message-State: AOJu0YzyQiAo9bE+VpyawcR2tv02my5VFP5WDzn1Hoor4hmau5JVHpzu LL1T3BE8JYP6xfTqXsbSYpIzSQrFDIWACJgZxhFz251U5vVCle5n X-Google-Smtp-Source: AGHT+IGKqwttLD4ONSad3Ty1Yw4hRHDsccx8MsHGI8YMVQhfGFJq0V7ZbxoEfE1a042s1T1t8zlta8ZOvSeUcciHoKM= X-Received: by 2002:a05:622a:5d3:b0:418:1437:303b with SMTP id d19-20020a05622a05d300b004181437303bmr15441702qtb.27.1700423921105; Sun, 19 Nov 2023 11:58:41 -0800 (PST) MIME-Version: 1.0 
From: "Thompson, David"
Date: Sun, 19 Nov 2023 14:58:30 -0500
Message-ID:
Received-SPF: pass client-ip=2607:f8b0:4864:20::831; envelope-from=dthompson2@worcester.edu; helo=mail-qt1-x831.google.com
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
X-getmail-retrieved-from-mailbox: Patches

Hey everyone,

I started using Laminar CI for my personal server, but I had trouble with the current system service. My server is configured to only allow members of the "git" group access to the Git repositories, so the CI job running as the "laminar" user couldn't do anything useful. This patch adds a new configuration field for a list of supplementary groups to be used for the "laminar" user and the service process.

- Dave

From ed62d885a5493f64779bc9c2a9b9978af8f61824 Mon Sep 17 00:00:00 2001
Message-ID:
From: David Thompson
Date: Sun, 19 Nov 2023 14:46:52 -0500
Subject: [PATCH] services: laminar: Add configuration option for supplementary groups.

* gnu/services/ci ()[supplementary-groups]: New field.
(laminar-shepherd-service): Exec laminard with supplementary groups.
(laminar-account): Add supplementary groups to laminar user.
* doc/guix.texi (Laminar): Document new configuration field.

Change-Id: Iebfdbb58ea8c6dfa22bb8f64f6463e3ad133d2f9
---
 doc/guix.texi       |  3 +++
 gnu/services/ci.scm | 42 ++++++++++++++++++++++++------------------
 2 files changed, 27 insertions(+), 18 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi index 94903fb5e2..854486c3ea 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -33955,6 +33955,9 @@ Continuous Integration @item @code{home-directory} (default: @code{"/var/lib/laminar"}) The directory for job configurations and run directories. +@item @code{supplementary-groups} (default: @code{()}) +Supplementary groups for the Laminar user account. + @item @code{bind-http} (default: @code{"*:8080"}) The interface/port or unix socket on which laminard should listen for incoming connections to the web frontend. diff --git a/gnu/services/ci.scm b/gnu/services/ci.scm index 172f85fe8e..01cc7c7d86 100644 --- a/gnu/services/ci.scm +++ b/gnu/services/ci.scm @@ -31,6 +31,7 @@ (define-module (gnu services ci) #:export (laminar-configuration laminar-configuration? laminar-configuration-home-directory + laminar-configuration-supplementary-groups laminar-configuration-bind-http laminar-configuration-bind-rpc laminar-configuration-title 
@@ -50,26 +51,28 @@ (define-module (gnu services ci) (define-record-type* laminar-configuration make-laminar-configuration laminar-configuration? - (laminar laminars-configuration-laminar - (default laminar)) - (home-directory laminar-configuration-home-directory - (default "/var/lib/laminar")) - (bind-http laminar-configuration-bind-http - (default "*:8080")) - (bind-rpc laminar-configuration-bind-rpc - (default "unix-abstract:laminar")) - (title laminar-configuration-title - (default "Laminar")) - (keep-rundirs laminar-keep-rundirs - (default 0)) - (archive-url laminar-archive-url - (default #f)) - (base-url laminar-base-url - (default #f))) + (laminar laminars-configuration-laminar + (default laminar)) + (home-directory laminar-configuration-home-directory + (default "/var/lib/laminar")) + (supplementary-groups laminar-configuration-supplementary-groups + (default '())) + (bind-http laminar-configuration-bind-http + (default "*:8080")) + (bind-rpc laminar-configuration-bind-rpc + (default "unix-abstract:laminar")) + (title laminar-configuration-title + (default "Laminar")) + (keep-rundirs laminar-keep-rundirs + (default 0)) + (archive-url laminar-archive-url + (default #f)) + (base-url laminar-base-url + (default #f))) (define laminar-shepherd-service (match-lambda - (($ laminar home-directory + (($ laminar home-directory supplementary-groups bind-http bind-rpc title keep-rundirs archive-url base-url) @@ -102,7 +105,8 @@ (define laminar-shepherd-service #$base-url)) '())) #:user "laminar" - #:group "laminar")) + #:group "laminar" + #:supplementary-groups '#$supplementary-groups)) (stop #~(make-kill-destructor))))))) (define (laminar-account config) 
@@ -113,6 +117,8 @@ (define (laminar-account config) (user-account (name "laminar") (group "laminar") + (supplementary-groups + (laminar-configuration-supplementary-groups config)) (system? #t) (comment "Laminar privilege separation user") (home-directory (laminar-configuration-home-directory config)) base-commit: 2ab5e449246f98b049888dde3c310f5b4a0a64a2 prerequisite-patch-id: 20e0bd5d1f3c88351c4991ef9c652dbded53bf9a -- 2.41.0
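Review bot: the guix.texi hunk describes `supplementary-groups` as groups "for the Laminar user account" only, but the ci.scm hunks pass the same list to laminard through `#:supplementary-groups`, so every CI job runs with those groups as well; the entry should say so, and should state the expected value (a list of group-name strings, for example `'("git")`), since `(default: @code{()})` on its own does not make the type obvious to someone writing the configuration.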
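Review bot: in the define-record-type* hunk the single functional change (the new `supplementary-groups` field between `home-directory` and `bind-http`) is buried under a re-indentation of every existing field, which turns a two-line addition into a hunk that removes and re-adds the whole record; either keep the indentation change out of this patch or put it in its own commit so the record change can be reviewed on its own. The pre-existing accessor name `laminars-configuration-laminar` (stray `s`) is carried over unchanged; it is outside the scope of this change, but worth a follow-up since the line is being rewritten anyway.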
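Review bot: `#:supplementary-groups '#$supplementary-groups` in the laminar-shepherd-service hunk widens the privileges of the laminard process and of every job it spawns, not just the account, so listing a group such as "git" gives all job definitions whatever access that group has; the commit message should state this explicitly, and the documentation should advise keeping the list to the groups the jobs actually need. Also confirm that the Shepherd version this service runs under accepts `#:supplementary-groups` on make-forkexec-constructor: the gexp is only evaluated when shepherd starts the service, so an unsupported keyword would surface as a start failure at runtime rather than at build time.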
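Review bot: the laminar-account hunk forwards `(laminar-configuration-supplementary-groups config)` to user-account with no validation; a value that is not a list of strings, or a group that no `user-group` declares, is only caught when the system is activated. Consider a sanitizer on the record field that requires a list of strings, plus a sentence in the documentation that each listed group must exist on the system, so a typo in a group name fails early and visibly instead of at reconfigure time.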