Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

services.xray: pass the settings file with systemd loadCredential #368763

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

services.xray: pass the settings file with systemd loadCredential #368763

wants to merge 1 commit into from

Conversation

shofel
Copy link

@shofel shofel commented Dec 28, 2024

Pass the settings file with systemd loadCredential
It enables passing a sops-nix secret as a settingsFile. For more context of the problem see Mic92/sops-nix#198.

Problem:
By default sops-nix secrets are accessible by only root. We can change owner to another user, but the xray service is defined with dynamicUser=true, which means, there is no user at compile time.

Solution:
Systemd loadCredential passes the secret file to the service, which is exactly what we need here.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Dec 28, 2024
@NixOSInfra NixOSInfra added the 12. first-time contribution This PR is the author's first one; please be gentle! label Dec 28, 2024
@shofel shofel force-pushed the xray-loadCredentials branch from 837315c to da6f17d Compare January 13, 2025 10:00
ck3d
ck3d requested changes Jan 13, 2025
View reviewed changes
nixos/modules/services/networking/xray.nix Outdated Show resolved Hide resolved
@shofel
services.xray: pass the settings file with systemd loadCredential
167d663 
It enables passing a sops-nix secret as a `settingsFile`
@see Mic92/sops-nix#198.

By default sops-nix secrets are accessible by only root. We can change owner to another user, but the xray service is defined with `dynamicUser=true`, which means, there is no user in the compile time.

Systemd `loadCredential` passes the secret file to the service, which is exactly what we need here.
@shofel shofel force-pushed the xray-loadCredentials branch from a0e3132 to 167d663 Compare January 20, 2025 11:00
@ck3d ck3d self-requested a review January 20, 2025 20:03
ck3d
ck3d approved these changes Jan 20, 2025
View reviewed changes
Copy link
Contributor

@ck3d ck3d left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Jan 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ck3d ck3d ck3d approved these changes

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 12.approvals: 1 This PR was reviewed and approved by one reputable person 12. first-time contribution This PR is the author's first one; please be gentle!
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@shofel @ck3d @wegank @NixOSInfra