* [bug#72400] [PATCH] services: gitile: Allow to set user and group.
From: Evgeny Pisemsky @ 2024-07-31 15:00 UTC (permalink / raw)
  To: 72400

[-- Attachment #1: 0001-services-gitile-Allow-to-set-user-and-group.patch --]
[-- Type: text/x-patch, Size: 5744 bytes --]

From 91ec60142ea1220cf4a87883915bf086e1344f69 Mon Sep 17 00:00:00 2001
Message-ID: <91ec60142ea1220cf4a87883915bf086e1344f69.1722437974.git.mail@pisemsky.site>
From: Evgeny Pisemsky <mail@pisemsky.site>
Date: Wed, 31 Jul 2024 17:30:50 +0300
Subject: [PATCH] services: gitile: Allow to set user and group.

Change-Id: I757d7a6c2690326272f0437eda2ba4b2fae409a0
---
 doc/guix.texi                    |  7 +++++
 gnu/services/version-control.scm | 45 ++++++++++++++++++++------------
 2 files changed, 36 insertions(+), 16 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 41814042f5..9b04a0b0e5 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -129,6 +129,7 @@
 Copyright @copyright{} 2024 Richard Sent@*
 Copyright @copyright{} 2024 Dariqq@*
 Copyright @copyright{} 2024 Denis 'GNUtoo' Carikli@*
+Copyright @copyright{} 2024 Evgeny Pisemsky@*
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -39287,6 +39288,12 @@ Version Control Services
 The footer content, as a list of sxml expressions.  This is shown on every
 page served by Gitile.
 
+@item @code{user} (default: @code{"git"})
+Owner of the @code{gitile} process.
+
+@item @code{group} (default: @code{"git"})
+Owner's group of the @code{gitile} process.
+
 @item @code{nginx}
 An nginx server block that will be extended and used as a reverse proxy by
 Gitile to serve its pages, and as a normal web server to serve its assets.
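Review bot: the new `@item @code{user}` and `@item @code{group}` entries state the defaults but omit the precondition the rest of this patch introduces: `gitile-accounts` only creates an account or group when the value is "gitile", so with the documented default "git" this service provisions nothing and relies on the account already existing (for example one created by gitolite). The entries should say so. Since that default also makes Gitile run as the repository owner, which, as this thread notes later, gives it write access to the repositories, the documentation should point readers at a dedicated account with read access as the lower-privilege choice. Suggested wording: `@item @code{user} (default: @code{"git"})` / `User account the @code{gitile} process runs as.  Unless set to @code{"gitile"}, it must already exist on the system.`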
diff --git a/gnu/services/version-control.scm b/gnu/services/version-control.scm
index 14ff0a59a6..d61675345f 100644
--- a/gnu/services/version-control.scm
+++ b/gnu/services/version-control.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
 ;;; Copyright © 2018 Christopher Baines <mail@cbaines.net>
 ;;; Copyright © 2021 Julien Lepiller <julien@lepiller.eu>
+;;; Copyright © 2024 Evgeny Pisemsky <mail@pisemsky.site>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -74,6 +75,8 @@ (define-module (gnu services version-control)
             gitile-configuration-index-title
             gitile-configuration-intro
             gitile-configuration-footer
+            gitile-configuration-user
+            gitile-configuration-group
             gitile-configuration-nginx
 
             gitile-service-type))
@@ -441,6 +444,10 @@ (define-record-type* <gitile-configuration>
          (default '()))
   (footer gitile-configuration-footer
           (default '()))
+  (user gitile-configuration-user
+        (default "git"))
+  (group gitile-configuration-group
+         (default "git"))
   (nginx gitile-configuration-nginx))
 
 (define (gitile-config-file host port database repositories base-git-url
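Review bot: `(default "git")` on both new fields silently changes the service's previous behaviour, where the daemon ran as a dedicated `gitile` user and only the group was `git`; neither the record definition nor the commit message (which has no body beyond the Change-Id) makes this visible. Because the rest of the patch only provisions accounts named "gitile", a default configuration now depends on a `git` user and group created elsewhere. Consider keeping "gitile" as the default, as proposed later in this thread, so a default install stays self-contained and least-privilege, and let deployments that serve gitolite's repositories opt in to `git` explicitly.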
@@ -462,7 +469,7 @@ (define (gitile-config-file host port database repositories base-git-url
 (define gitile-nginx-server-block
   (match-lambda
     (($ <gitile-configuration> package host port database repositories
-        base-git-url index-title intro footer nginx)
+        base-git-url index-title intro footer user group nginx)
      (list (nginx-server-configuration
              (inherit nginx)
              (locations
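Review bot: `user` and `group` are bound in the positional `($ <gitile-configuration> ...)` pattern of `gitile-nginx-server-block` but never used in the nginx block; `_` placeholders in those two positions would make that explicit. More generally, every positional match of this record must be updated in lock-step whenever a field is inserted in the middle (this patch has to touch two such patterns); a block that only needs `nginx` would be simpler and less fragile using the `gitile-configuration-nginx` accessor.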
@@ -488,7 +495,7 @@ (define gitile-nginx-server-block
 (define gitile-shepherd-service
   (match-lambda
     (($ <gitile-configuration> package host port database repositories
-        base-git-url index-title intro footer nginx)
+        base-git-url index-title intro footer user group nginx)
      (list (shepherd-service
              (provision '(gitile))
              (requirement '(loopback))
@@ -500,21 +507,27 @@ (define gitile-shepherd-service
                                                    repositories
                                                    base-git-url index-title
                                                    intro footer))
-                              #:user "gitile"
-                              #:group "git")))
+                              #:user #$user
+                              #:group #$group)))
              (stop #~(make-kill-destructor)))))))
 
-(define %gitile-accounts
-  (list (user-group
-         (name "git")
-         (system? #t))
-        (user-account
-          (name "gitile")
-          (group "git")
-          (system? #t)
-          (comment "Gitile user")
-          (home-directory "/var/empty")
-          (shell (file-append shadow "/sbin/nologin")))))
+(define (gitile-accounts config)
+  (let ((user (gitile-configuration-user config))
+        (group (gitile-configuration-group config)))
+    (filter identity
+            (list
+             (and (equal? group "gitile")
+                  (user-group
+                   (name "gitile")
+                   (system? #t)))
+             (and (equal? user "gitile")
+                  (user-account
+                   (name "gitile")
+                   (group group)
+                   (system? #t)
+                   (comment "Gitile user")
+                   (home-directory "/var/empty")
+                   (shell (file-append shadow "/sbin/nologin"))))))))
 
 (define gitile-service-type
   (service-type
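Review bot: `gitile-accounts` has a consistency gap: the `user-account` is created when `user` is "gitile" and is placed in `(group group)`, but the matching `user-group` is only created when `group` is also "gitile". A configuration such as `(user "gitile") (group "git")` therefore yields an account that references a group this service does not create, and with the defaults `"git"`/`"git"` nothing is created at all while the shepherd constructor passes `#:user #$user #:group #$group` unconditionally, so startup depends entirely on accounts provided by something else. Either create the group whenever the account is created, or document and validate the precondition. Note also that the removed `%gitile-accounts` defined the system group `git`; dropping it is a behaviour change for deployments that relied on this service to provide that group (the thread later mentions the "the following groups appear more than once" warning, which is what happens when gitolite defines the same group). On style, `(filter identity (list (and ...) (and ...)))` reads less clearly than appending conditional lists, e.g. `(append (if (equal? group "gitile") (list (user-group ...)) '()) ...)`.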
@@ -523,7 +536,7 @@ (define gitile-service-type
 on the web.")
     (extensions
       (list (service-extension account-service-type
-                               (const %gitile-accounts))
+                               gitile-accounts)
             (service-extension shepherd-root-service-type
                                gitile-shepherd-service)
             (service-extension nginx-service-type
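Review bot: passing `gitile-accounts` directly is the right shape for an `account-service-type` extension now that it takes the configuration, but since it can return `'()` where `(const %gitile-accounts)` always contributed a `git` group and a `gitile` user, what a default deployment provisions has changed; that deserves a sentence in the commit message, which currently carries only the Change-Id.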

base-commit: 01d4363168ed10ea223047f7a7b83201f161ec0b
-- 
2.45.2

* [bug#72400] [PATCH] services: gitile: Allow to set user and group.
From: guix-patches--- via @ 2024-08-01  3:15 UTC (permalink / raw)
  To: 72400; +Cc: julien

Hi, does the default gitile user work for you out of the box?
I'm asking as I'm speculating you have the git user own the 
repositories.
I sent out https://issues.guix.gnu.org/71143#1 a while ago to fix it.


* [bug#72400] [PATCH] services: gitile: Allow to set user and group.
From: Evgeny Pisemsky @ 2024-08-01  8:45 UTC (permalink / raw)
  To: 72400; +Cc: mcsinyx, julien

Hello! It does not work, and that is the reason for this patch.

At this point group access is not enough; I have to run gitile as the
git user (of gitolite) who owns the repositories. Same for fcgiwrap.

This problem is related to the change in libgit2, and for a long time
I just kept it downgraded, but this cannot be forever.

I also tried to play with the safe-directory option without any success,
but even if it worked, setting the config for every service that works with
git seems like a huge overhead.

Changing the default user to git may be quite radical, but since the
documentation states this:

> Gitile works best in collaboration with Gitolite, and will serve the
> public repositories from Gitolite by default.

I think it is sane.


* [bug#72400] [PATCH] services: gitile: Allow to set user and group.
From: guix-patches--- via @ 2024-08-02 16:15 UTC (permalink / raw)
  To: Evgeny Pisemsky, 72400; +Cc: julien

On 2024-08-01 at 11:45+03:00, Evgeny Pisemsky wrote:
> Hello! It does not work, and that is the reason for this patch.
>
> At this point group access is not enough, I have to run gitile from
> git user (of gitolite) who owns repositories. Same for fcgiwrap.
>
> Changing default user to git may be quite radical, but since the
> documentation states this:
>
> > Gitile works best in collaboration with Gitolite, and will serve the
> > public repositories from Gitolite by default.
>
> I think it is sane.

Seconded, and IMHO the Guix service documentation should mention
that the default user for gitile is to match the owner
of the repositories:

On 2024-07-31 at 18:00+03:00, Evgeny Pisemsky wrote:
+@item @code{user} (default: @code{"git"})
+Owner of the @code{gitile} process.


* [bug#72400] [PATCH] services: gitile: Allow to set user and group.
From: Evgeny Pisemsky @ 2024-08-05 10:13 UTC (permalink / raw)
  To: Nguyễn Gia Phong; +Cc: julien, 72400

Nguyễn Gia Phong <mcsinyx@disroot.org> writes:

> Seconded, and IMHO the Guix service documentation should mention
> that the default user for gitile is to match the owner
> of the repositories:

As I understand it, running as git is not secure, as it gives gitile
write access to the repos with the possibility of corrupting them on error.

I've commented at #71143 about fixing group access for gitile. TLDR:

> (use-modules (git settings))
> (set-owner-validation! #f)
> (run-server ...)

I agree that a documentation update is needed. IMO the following, while
being a breaking change, can make the service saner and more flexible:

1. Allow changing the user and group as proposed in the initial patch.
2. Set the default user and group to "gitile" and document that if they
   are changed to other values, they are expected to exist on the system,
   to avoid warnings like "the following groups appear more than once".
3. Remove the default value of the "repositories" field to force
   users to specify what they want to serve. Document that gitile's
   user/group must have at least read access to this directory.
4. Provide configuration for gitolite as an example, not as the default.
5. Remove unnecessary fields like "database" from the configuration.

I'm interested in what the authors and maintainers think about all of this.
