* [bug#72400] [PATCH] services: gitile: Allow to set user and group.
@ 2024-07-31 15:00 Evgeny Pisemsky
2024-08-01 3:15 ` guix-patches--- via
2024-08-01 8:45 ` Evgeny Pisemsky
0 siblings, 2 replies; 5+ messages in thread
From: Evgeny Pisemsky @ 2024-07-31 15:00 UTC (permalink / raw)
To: 72400
[-- Attachment #1: 0001-services-gitile-Allow-to-set-user-and-group.patch --]
[-- Type: text/x-patch, Size: 5744 bytes --]
From 91ec60142ea1220cf4a87883915bf086e1344f69 Mon Sep 17 00:00:00 2001
Message-ID: <91ec60142ea1220cf4a87883915bf086e1344f69.1722437974.git.mail@pisemsky.site>
From: Evgeny Pisemsky <mail@pisemsky.site>
Date: Wed, 31 Jul 2024 17:30:50 +0300
Subject: [PATCH] services: gitile: Allow to set user and group.
Change-Id: I757d7a6c2690326272f0437eda2ba4b2fae409a0
---
doc/guix.texi | 7 +++++
gnu/services/version-control.scm | 45 ++++++++++++++++++++------------
2 files changed, 36 insertions(+), 16 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 41814042f5..9b04a0b0e5 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -129,6 +129,7 @@
Copyright @copyright{} 2024 Richard Sent@*
Copyright @copyright{} 2024 Dariqq@*
Copyright @copyright{} 2024 Denis 'GNUtoo' Carikli@*
+Copyright @copyright{} 2024 Evgeny Pisemsky@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -39287,6 +39288,12 @@ Version Control Services
The footer content, as a list of sxml expressions. This is shown on every
page served by Gitile.
+@item @code{user} (default: @code{"git"})
+Owner of the @code{gitile} process.
+
+@item @code{group} (default: @code{"git"})
+Owner's group of the @code{gitile} process.
+
@item @code{nginx}
An nginx server block that will be extended and used as a reverse proxy by
Gitile to serve its pages, and as a normal web server to serve its assets.
diff --git a/gnu/services/version-control.scm b/gnu/services/version-control.scm
index 14ff0a59a6..d61675345f 100644
--- a/gnu/services/version-control.scm
+++ b/gnu/services/version-control.scm
@@ -5,6 +5,7 @@
;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2018 Christopher Baines <mail@cbaines.net>
;;; Copyright © 2021 Julien Lepiller <julien@lepiller.eu>
+;;; Copyright © 2024 Evgeny Pisemsky <mail@pisemsky.site>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -74,6 +75,8 @@ (define-module (gnu services version-control)
gitile-configuration-index-title
gitile-configuration-intro
gitile-configuration-footer
+ gitile-configuration-user
+ gitile-configuration-group
gitile-configuration-nginx
gitile-service-type))
@@ -441,6 +444,10 @@ (define-record-type* <gitile-configuration>
(default '()))
(footer gitile-configuration-footer
(default '()))
+ (user gitile-configuration-user
+ (default "git"))
+ (group gitile-configuration-group
+ (default "git"))
(nginx gitile-configuration-nginx))
(define (gitile-config-file host port database repositories base-git-url
@@ -462,7 +469,7 @@ (define (gitile-config-file host port database repositories base-git-url
(define gitile-nginx-server-block
(match-lambda
(($ <gitile-configuration> package host port database repositories
- base-git-url index-title intro footer nginx)
+ base-git-url index-title intro footer user group nginx)
(list (nginx-server-configuration
(inherit nginx)
(locations
@@ -488,7 +495,7 @@ (define gitile-nginx-server-block
(define gitile-shepherd-service
(match-lambda
(($ <gitile-configuration> package host port database repositories
- base-git-url index-title intro footer nginx)
+ base-git-url index-title intro footer user group nginx)
(list (shepherd-service
(provision '(gitile))
(requirement '(loopback))
@@ -500,21 +507,27 @@ (define gitile-shepherd-service
repositories
base-git-url index-title
intro footer))
- #:user "gitile"
- #:group "git")))
+ #:user #$user
+ #:group #$group)))
(stop #~(make-kill-destructor)))))))
-(define %gitile-accounts
- (list (user-group
- (name "git")
- (system? #t))
- (user-account
- (name "gitile")
- (group "git")
- (system? #t)
- (comment "Gitile user")
- (home-directory "/var/empty")
- (shell (file-append shadow "/sbin/nologin")))))
+(define (gitile-accounts config)
+ (let ((user (gitile-configuration-user config))
+ (group (gitile-configuration-group config)))
+ (filter identity
+ (list
+ (and (equal? group "gitile")
+ (user-group
+ (name "gitile")
+ (system? #t)))
+ (and (equal? user "gitile")
+ (user-account
+ (name "gitile")
+ (group group)
+ (system? #t)
+ (comment "Gitile user")
+ (home-directory "/var/empty")
+ (shell (file-append shadow "/sbin/nologin"))))))))
(define gitile-service-type
(service-type
@@ -523,7 +536,7 @@ (define gitile-service-type
on the web.")
(extensions
(list (service-extension account-service-type
- (const %gitile-accounts))
+ gitile-accounts)
(service-extension shepherd-root-service-type
gitile-shepherd-service)
(service-extension nginx-service-type
base-commit: 01d4363168ed10ea223047f7a7b83201f161ec0b
--
2.45.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [bug#72400] [PATCH] services: gitile: Allow to set user and group.
2024-07-31 15:00 [bug#72400] [PATCH] services: gitile: Allow to set user and group Evgeny Pisemsky
@ 2024-08-01 3:15 ` guix-patches--- via
2024-08-01 8:45 ` Evgeny Pisemsky
1 sibling, 0 replies; 5+ messages in thread
From: guix-patches--- via @ 2024-08-01 3:15 UTC (permalink / raw)
To: 72400; +Cc: julien
Hi, does the default gitile user work for you out of the box?
I'm asking as I'm speculating you have the git user own the
repositories.
I sent out https://issues.guix.gnu.org/71143#1 a while ago to fix it.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [bug#72400] [PATCH] services: gitile: Allow to set user and group.
2024-07-31 15:00 [bug#72400] [PATCH] services: gitile: Allow to set user and group Evgeny Pisemsky
2024-08-01 3:15 ` guix-patches--- via
@ 2024-08-01 8:45 ` Evgeny Pisemsky
2024-08-02 16:15 ` guix-patches--- via
1 sibling, 1 reply; 5+ messages in thread
From: Evgeny Pisemsky @ 2024-08-01 8:45 UTC (permalink / raw)
To: 72400; +Cc: mcsinyx, julien
Hello! It does not work, and that is the reason for this patch.
At this point group access is not enough, I have to run gitile from
git user (of gitolite) who owns repositories. Same for fcgiwrap.
This problem is related to the change in libgit2, and for a long time
I just kept it downgraded, but this cannot be forever.
I also tried to play with safe-directory option without any success,
but even if it worked setting config for every service that works with
git seems like a huge overhead.
Changing default user to git may be quite radical, but since the
documentation states this:
> Gitile works best in collaboration with Gitolite, and will serve the
> public repositories from Gitolite by default.
I think it is sane.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [bug#72400] [PATCH] services: gitile: Allow to set user and group.
2024-08-01 8:45 ` Evgeny Pisemsky
@ 2024-08-02 16:15 ` guix-patches--- via
2024-08-05 10:13 ` Evgeny Pisemsky
0 siblings, 1 reply; 5+ messages in thread
From: guix-patches--- via @ 2024-08-02 16:15 UTC (permalink / raw)
To: Evgeny Pisemsky, 72400; +Cc: julien
[-- Attachment #1: Type: text/plain, Size: 802 bytes --]
On 2024-08-01 at 11:45+03:00, Evgeny Pisemsky wrote:
> Hello! It does not work, and that is the reason for this patch.
>
> At this point group access is not enough, I have to run gitile from
> git user (of gitolite) who owns repositories. Same for fcgiwrap.
>
> Changing default user to git may be quite radical, but since the
> documentation states this:
>
> > Gitile works best in collaboration with Gitolite, and will serve the
> > public repositories from Gitolite by default.
>
> I think it is sane.
Seconded, and IMHO the Guix service documentation should mention
that the default user for gitile is to match the owner
of the repositories:
On 2024-07-31 at 18:00+03:00, Evgeny Pisemsky wrote:
+@item @code{user} (default: @code{"git"})
+Owner of the @code{gitile} process.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 687 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* [bug#72400] [PATCH] services: gitile: Allow to set user and group.
2024-08-02 16:15 ` guix-patches--- via
@ 2024-08-05 10:13 ` Evgeny Pisemsky
0 siblings, 0 replies; 5+ messages in thread
From: Evgeny Pisemsky @ 2024-08-05 10:13 UTC (permalink / raw)
To: Nguyễn Gia Phong; +Cc: julien, 72400
Nguyễn Gia Phong <mcsinyx@disroot.org> writes:
> Seconded, and IMHO the Guix service documentation should mention
> that the default user for gitile is to match the owner
> of the repositories:
As I understand running from git is not secure as it gives gitile
write access to the repos with possibility to corrupt them on error.
I've commented at #71143 about fixing group access for gitile. TLDR:
> (use-modules (git settings))
> (set-owner-validation! #f)
> (run-server ...)
I agree that documentation update is needed. IMO the following, while
being a breaking change, can make the service more sane and flexible:
1. Allow to change user and group as proposed in the initial patch.
2. Set default user and group to "gitile" and document that if they
changed to other values, they expected to exist on a system, to
avoid warnings like "the following groups appear more than once".
3. Remove the default value of the "repositories" field to enforce
users to specify what they want to serve. Document that gitile's
user/group must have at least read access to this directory.
4. Provide configuration for gitolite as an example, not as default.
5. Remove unnecessary fields like "database" from configuration.
I'm interested what authors and maintainers think about all of this.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-08-05 10:15 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-31 15:00 [bug#72400] [PATCH] services: gitile: Allow to set user and group Evgeny Pisemsky
2024-08-01 3:15 ` guix-patches--- via
2024-08-01 8:45 ` Evgeny Pisemsky
2024-08-02 16:15 ` guix-patches--- via
2024-08-05 10:13 ` Evgeny Pisemsky
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).