From: ng0
Subject: Re: WIP gnu social package
Date: Fri, 12 Jan 2018 17:57:02 +0000
Message-ID: <20180112175702.otgtpliotvqrvdmn@abyayala>
References: <17b7428d-0a46-6aca-f184-b63890c94cf5@cock.li>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: nee
Cc: guix-devel@gnu.org

nee transcribed 44K bytes:
> Hello, I fixed a bunch of problems I had and now I've been adding
> database migrations when the package version changes.
> This is very insufficiently tested right now.
> I only tested this with one pre-existing installation so far, but it
> seems to work fine there. I want to write system tests to cover each case.

....

> After this is done a qvitter package could be added (I never installed
> it before) and maybe the plugins code could be altered to load plugins
> from guix packages.
Qvitter on my server is just a symlinked folder (to a git) into the gnu-social
git folder, with some additional options in config.php. It shouldn't be that
hard, yes.

> I'm appending the patches from my package path, since my website only
> ever displays the latest version.
>
> On 25.09.2017 at 23:14, nee wrote:
> > - Setting up the database requires the sql root password, the new
> > social_db_user password, and a password for the first admin user to
> > create in gnu social.
> > Having plaintext passwords in /etc/config.scm sounds pretty bad.
> > I'm not sure what the solution here is.
> > - Could we add a password store to guix? It could automatically
> > generate passwords and pass them to services.
> > - Should I generate a script that must be run manually and asks for
> > password input through stdin?
> > - Something else?
> >
> I'm experimenting with the password generator approach right now.
> Current downsides:
> - there is a plaintext file with all the service passwords in /root/
> Positives:
> - It requires no user input for a new installation.
> - It's simple to move with a backup.
>
> Gnu social needs the password for its mysql-user to generate the config
> file, so at least this one has to be saved somewhere or entered every
> time you reconfigure.
>
> I also wrote a new macro 'with-passwords. I'm not very experienced with
> writing macros so it would be nice to get some feedback on it.
>
> > - The password of the database-user ends up in the config.php which is
> > generated by mixed-text-file. This file can be read by everyone. Can I
> > somehow set the owner on it and remove the reading rights from other
> > users?
> >
> I moved the config.php file to /var for now, so I can use basic guile
> file writing operations. I have to read up on etc-service-types some day.
> Can these files be created to be not publicly readable by everyone?
>
> > Here are some other open problems with the packages:
> >
> > - I build php with --enable-intl now, which causes new broken tests to
> > appear.
> > On a quick look I couldn't figure out what was wrong, and I'm not
> > familiar with php, so I disabled the failing tests.
> > Setting the language in gnu social does not seem to work. Nothing
> > happens, but the installation phase no longer complains about the
> > missing php module.
> >
> Not sure if I tested this wrong, or this was fixed by the php version
> upgrade that happened meanwhile, but now setting the language works.
> Before I log in GNU Social presents itself in the language of my browser.
> After logging in the language from the config.php is used.
>
> > - A bunch of plugins that are shipped with gs seem to rely on writeable
> > cache directories in their working directory.
> > Those can not be changed through the config file.
> > It will take me some time to find and patch them all.
> >
> I added a setting to change the cache directory for extlib/HTMLPurifier/
> upstream patch: https://git.gnu.io/gnu/gnu-social/merge_requests/156 (it
> got merged)
>
> I don't know of any other functions trying to write in the current
> directory right now.
>
> > - The admin area must be patched out and all configuration options must
> > be represented by the service.
> >
> I patched out the link to the Admin menu in the package.
>
> > - The following plugins throw warnings: Poll, OpenId, Favorite,
> > Bookmark, DirectMessage; those warnings might be related to the
> > php/mariadb versions used with gnu social
> >
> > - common warnings that appear:
> > Warning: Declaration of InviteAction::handle($args) should be
> > compatible with Action::handle() in
> > /gnu/store/qfzqxlfkrzri73jrphlqccsd35s0kcy3-gnu-social-1.2.0-beta4/actions/invite.php
> > on line 298
> >
> > Warning: Cannot modify header information - headers already sent by
> > (output started at
> > /gnu/store/qfzqxlfkrzri73jrphlqccsd35s0kcy3-gnu-social-1.2.0-beta4/actions/invite.php:298)
> > in
> > /gnu/store/qfzqxlfkrzri73jrphlqccsd35s0kcy3-gnu-social-1.2.0-beta4/lib/action.php
> > on line 1277
> >
> > The /settings/poll url completely breaks.
> >
> These warnings seem to be a general GNU Social problem unrelated to
> guix. When php-fpm is set to not send warnings to the browser it looks
> like any other installation.
>
> ;;; GNU Guix --- Functional package management for GNU
> ;;; Copyright © 2016 Julien Lepiller
> ;;; Copyright © 2016 Marius Bakke
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> ;;; GNU Guix is free software; you can redistribute it and/or modify it
> ;;; under the terms of the GNU General Public License as published by
> ;;; the Free Software Foundation; either version 3 of the License, or (at
> ;;; your option) any later version.
> ;;;
> ;;; GNU Guix is distributed in the hope that it will be useful, but
> ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
> ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> ;;; GNU General Public License for more details.
> ;;;
> ;;; You should have received a copy of the GNU General Public License
> ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
>
> (define-module (hidamari-blue php)
>   #:use-module (gnu packages)
>   #:use-module (gnu packages algebra)
>   #:use-module (gnu packages aspell)
>   #:use-module (gnu packages base)
>   #:use-module (gnu packages bison)
>   #:use-module (gnu packages compression)
>   #:use-module (gnu packages curl)
>   #:use-module (gnu packages cyrus-sasl)
>   #:use-module (gnu packages databases)
>   #:use-module (gnu packages fontutils)
>   #:use-module (gnu packages gd)
>   #:use-module (gnu packages gettext)
>   #:use-module (gnu packages glib)
>   #:use-module (gnu packages gnupg)
>   #:use-module (gnu packages image)
>   #:use-module (gnu packages icu4c)
>   #:use-module (gnu packages linux)
>   #:use-module (gnu packages multiprecision)
>   #:use-module (gnu packages openldap)
>   #:use-module (gnu packages pcre)
>   #:use-module (gnu packages pkg-config)
>   #:use-module (gnu packages readline)
>   #:use-module (gnu packages textutils)
>   #:use-module (gnu packages tls)
>   #:use-module (gnu packages web)
>   #:use-module (gnu packages xml)
>   #:use-module (gnu packages xorg)
>   #:use-module (guix packages)
>   #:use-module (guix download)
>   #:use-module (guix build-system gnu)
>   #:use-module ((guix licenses) #:prefix license:))
>
> (define-public php
>   (package
>     (name "php")
>     (version "7.1.9")
>     (home-page "https://secure.php.net/")
>     (source (origin
>               (method url-fetch)
>               (uri (string-append home-page "distributions/"
>                                   name "-" version ".tar.xz"))
>               (sha256
>                (base32
>                 "130y50nawipd12nbs10661vzk8gvy7zsqcsxvj29mwaivm4a777c"))
>               (modules '((guix build utils)))
>               (snippet
>                '(with-directory-excursion "ext"
>                   (for-each delete-file-recursively
>                             ;; Some of the bundled libraries have no proper upstream.
>                             ;; Ideally we'd extract these out as separate packages:
>                             ;;"mbstring/libmbfl"
>                             ;;"date/lib"
>                             ;;"bcmath/libbcmath"
>                             ;;"fileinfo/libmagic" ; This is a patched version of libmagic.
>                             '("gd/libgd"
>                               "mbstring/oniguruma"
>                               "pcre/pcrelib"
>                               "sqlite3/libsqlite"
>                               "xmlrpc/libxmlrpc"
>                               "zip/lib"))))))
>     (build-system gnu-build-system)
>     (arguments
>      '(#:configure-flags
>        (let-syntax ((with (syntax-rules ()
>                             ((_ option input)
>                              (string-append option "="
>                                             (assoc-ref %build-inputs input))))))
>          (list (with "--with-bz2" "bzip2")
>                (with "--with-curl" "curl")
>                (with "--with-freetype-dir" "freetype")
>                (with "--with-gd" "gd")
>                (with "--with-gdbm" "gdbm")
>                (with "--with-gettext" "glibc") ; libintl.h
>                (with "--with-gmp" "gmp")
>                (with "--with-icu-dir" "icu4c")
>                (with "--with-jpeg-dir" "libjpeg")
>                (with "--with-ldap" "openldap")
>                (with "--with-ldap-sasl" "cyrus-sasl")
>                (with "--with-libzip" "zip")
>                (with "--with-libxml-dir" "libxml2")
>                (with "--with-onig" "oniguruma")
>                (with "--with-pcre-dir" "pcre")
>                (with "--with-pcre-regex" "pcre")
>                (with "--with-pdo-pgsql" "postgresql")
>                (with "--with-pdo-sqlite" "sqlite")
>                (with "--with-pgsql" "postgresql")
>                (with "--with-png-dir" "libpng")
>                ;; PHP’s Pspell extension, while retaining its current name,
>                ;; now uses the Aspell library.
>                (with "--with-pspell" "aspell")
>                (with "--with-readline" "readline")
>                (with "--with-sqlite3" "sqlite")
>                (with "--with-tidy" "tidy")
>                (with "--with-webp-dir" "libwebp")
>                (with "--with-xpm-dir" "libxpm")
>                (with "--with-xsl" "libxslt")
>                (with "--with-zlib-dir" "zlib")
>                ;; We could add "--with-snmp", but it requires netsnmp that
>                ;; we don't have a package for. It is used to build the snmp
>                ;; extension of php.
>                "--with-iconv"
>                "--with-openssl"
>                "--with-mysqli" ; Required for, e.g. wordpress
>                "--with-pdo-mysql"
>                "--with-zlib"
>                "--enable-calendar"
>                "--enable-dba=shared"
>                "--enable-exif"
>                "--enable-flatfile"
>                "--enable-fpm"
>                "--enable-ftp"
>                "--enable-inifile"
>                "--enable-intl" ; uses icu4c. Required for, e.g. GNU Social
>                "--enable-mbstring"
>                "--enable-pcntl"
>                "--enable-sockets"))
>        #:phases
>        (modify-phases %standard-phases
>          (add-after 'unpack 'do-not-record-build-flags
>            (lambda _
>              ;; Prevent configure flags from being stored and causing
>              ;; unnecessary runtime dependencies.
>              (substitute* "scripts/php-config.in"
>                (("@CONFIGURE_OPTIONS@") "")
>                (("@PHP_LDFLAGS@") ""))
>              ;; This file has ISO-8859-1 encoding.
>              (with-fluids ((%default-port-encoding "ISO-8859-1"))
>                (substitute* "main/build-defs.h.in"
>                  (("@CONFIGURE_COMMAND@") "(omitted)")))
>              #t))
>          (add-before 'build 'patch-/bin/sh
>            (lambda _
>              (substitute* '("run-tests.php" "ext/standard/proc_open.c")
>                (("/bin/sh") (which "sh")))
>              #t))
>          (add-before 'check 'prepare-tests
>            (lambda _
>              ;; Some of these files have ISO-8859-1 encoding, whereas others
>              ;; use ASCII, so we can't use a "catch-all" find-files here.
>              (with-fluids ((%default-port-encoding "ISO-8859-1"))
>                (substitute* '("ext/mbstring/tests/mb_send_mail02.phpt"
>                               "ext/mbstring/tests/mb_send_mail04.phpt"
>                               "ext/mbstring/tests/mb_send_mail05.phpt"
>                               "ext/mbstring/tests/mb_send_mail06.phpt")
>                  (("/bin/cat") (which "cat"))))
>              (substitute* '("ext/mbstring/tests/mb_send_mail01.phpt"
>                             "ext/mbstring/tests/mb_send_mail03.phpt"
>                             "ext/mbstring/tests/bug52861.phpt"
>                             "ext/standard/tests/general_functions/bug34794.phpt"
>                             "ext/standard/tests/general_functions/bug44667.phpt"
>                             "ext/standard/tests/general_functions/proc_open.phpt")
>                (("/bin/cat") (which "cat")))
>
>              ;; The encoding of this file is not recognized, so we simply drop it.
>              (delete-file "ext/mbstring/tests/mb_send_mail07.phpt")
>
>              (substitute* "ext/standard/tests/streams/bug60602.phpt"
>                (("'ls'") (string-append "'" (which "ls") "'")))
>
>              ;; Drop tests that are known to fail.
>              (for-each delete-file
>                '("ext/posix/tests/posix_getgrgid.phpt" ; Requires /etc/group.
>                  "ext/sockets/tests/bug63000.phpt" ; Fails to detect OS.
>                  "ext/sockets/tests/socket_shutdown.phpt" ; Requires DNS.
>                  "ext/sockets/tests/socket_send.phpt" ; Likewise.
>                  "ext/sockets/tests/mcast_ipv4_recv.phpt" ; Requires multicast.
>                  ;; These need /etc/services.
>                  "ext/standard/tests/general_functions/getservbyname_basic.phpt"
>                  "ext/standard/tests/general_functions/getservbyport_basic.phpt"
>                  "ext/standard/tests/general_functions/getservbyport_variation1.phpt"
>                  ;; And /etc/protocols.
>                  "ext/standard/tests/network/getprotobyname_basic.phpt"
>                  "ext/standard/tests/network/getprotobynumber_basic.phpt"
>                  ;; And exotic locales.
>                  "ext/standard/tests/strings/setlocale_basic1.phpt"
>                  "ext/standard/tests/strings/setlocale_basic2.phpt"
>                  "ext/standard/tests/strings/setlocale_basic3.phpt"
>                  "ext/standard/tests/strings/setlocale_variation1.phpt"
>
>                  ;; --enable-intl tests that fail, maybe also because of exotic locales?
>                  "ext/intl/tests/bug74230.phpt"
>                  "ext/intl/tests/spoofchecker_001.phpt"
>                  "ext/intl/tests/timezone_IDforWindowsID_basic.phpt"
>                  "ext/intl/tests/timezone_windowsID_basic.phpt"
>
>
>                  ;; XXX: These gd tests fail. Likely because our version
>                  ;; is different from the (patched) bundled one.
>                  ;; Here, gd quits immediately after "fatal libpng error"; while the
>                  ;; test expects it to additionally return a "setjmp" error and warning.
>                  "ext/gd/tests/bug39780_extern.phpt"
>                  "ext/gd/tests/libgd00086_extern.phpt"
>                  ;; Extra newline in gd-png output.
>                  "ext/gd/tests/bug45799.phpt"
>                  ;; Different error message than expected from imagecrop().
>                  "ext/gd/tests/bug66356.phpt"
>                  ;; Similarly for imagecreatefromgd2().
>                  "ext/gd/tests/bug72339.phpt"
>                  ;; Call to undefined function imageantialias(). They are
>                  ;; supposed to fail anyway.
>                  "ext/gd/tests/bug72482.phpt"
>                  "ext/gd/tests/bug72482_2.phpt"
>                  "ext/gd/tests/bug73213.phpt"
>                  ;; Test expects generic "gd warning" but gets the actual function name.
>                  "ext/gd/tests/createfromwbmp2_extern.phpt"
>                  ;; TODO: Enable these when libgd is built with xpm support.
>                  "ext/gd/tests/xpm2gd.phpt"
>                  "ext/gd/tests/xpm2jpg.phpt"
>                  "ext/gd/tests/xpm2png.phpt"
>
>                  ;; XXX: These iconv tests have the expected outcome,
>                  ;; but with different error messages.
>                  ;; Expects "illegal character", instead gets "unknown error (84)".
>                  "ext/iconv/tests/bug52211.phpt"
>                  ;; Expects "wrong charset", gets unknown error (22).
>                  "ext/iconv/tests/iconv_mime_decode_variation3.phpt"
>                  "ext/iconv/tests/iconv_strlen_error2.phpt"
>                  "ext/iconv/tests/iconv_strlen_variation2.phpt"
>                  "ext/iconv/tests/iconv_substr_error2.phpt"
>                  ;; Expects conversion error, gets "error condition Termsig=11".
>                  "ext/iconv/tests/iconv_strpos_error2.phpt"
>                  "ext/iconv/tests/iconv_strrpos_error2.phpt"
>                  ;; Similar, but iterating over multiple values.
>                  ;; iconv breaks the loop after the first error with Termsig=11.
>                  "ext/iconv/tests/iconv_strpos_variation4.phpt"
>                  "ext/iconv/tests/iconv_strrpos_variation3.phpt"
>
>                  ;; XXX: These test failures appear legitimate, needs investigation.
>                  ;; open_basedir() restriction failure.
>                  "ext/curl/tests/bug61948.phpt"
>                  ;; Expects a false boolean, gets empty array from glob().
>                  "ext/standard/tests/file/bug41655_1.phpt"
>                  "ext/standard/tests/file/glob_variation5.phpt"
>                  ;; Test output is correct, but in wrong order.
>                  "ext/standard/tests/streams/proc_open_bug64438.phpt"
>                  ;; The test expects an Array, but instead gets the contents(?).
>                  "ext/gd/tests/bug43073.phpt"
>                  ;; imagettftext() returns wrong coordinates.
>                  "ext/gd/tests/bug48732-mb.phpt"
>                  "ext/gd/tests/bug48732.phpt"
>                  ;; Similarly for imageftbbox().
>                  "ext/gd/tests/bug48801-mb.phpt"
>                  "ext/gd/tests/bug48801.phpt"
>                  ;; Different expected output from imagecolorallocate().
>                  "ext/gd/tests/bug53504.phpt"
>                  ;; Wrong image size after scaling an image.
>                  "ext/gd/tests/bug73272.phpt"
>                  ;; Expects iconv to detect illegal characters, instead gets
>                  ;; "unknown error (84)" and heap corruption(!).
>                  "ext/iconv/tests/bug48147.phpt"
>                  ;; Expects illegal character ".", gets "=?utf-8?Q?."
>                  "ext/iconv/tests/bug51250.phpt"
>                  ;; @iconv() does not return expected output.
>                  "ext/iconv/tests/iconv003.phpt"
>                  ;; iconv throws "buffer length exceeded" on some string checks.
>                  "ext/iconv/tests/iconv_mime_encode.phpt"
>                  ;; file_get_contents(): iconv stream filter
>                  ;; ("ISO-8859-1"=>"UTF-8") unknown error.
>                  "ext/standard/tests/file/bug43008.phpt"
>                  ;; Table data not created in sqlite(?).
>                  "ext/pdo_sqlite/tests/bug_42589.phpt"))
>
>              ;; Skip tests requiring network access.
>              (setenv "SKIP_ONLINE_TESTS" "1")
>              ;; Without this variable, 'make test' passes regardless of failures.
>              (setenv "REPORT_EXIT_STATUS" "1")
>              #t)))
>        #:test-target "test"))
>     (inputs
>      `(("aspell" ,aspell)
>        ("bzip2" ,bzip2)
>        ("curl" ,curl)
>        ("cyrus-sasl" ,cyrus-sasl)
>        ("freetype" ,freetype)
>        ("gd" ,gd)
>        ("gdbm" ,gdbm)
>        ("glibc" ,glibc)
>        ("gmp" ,gmp)
>        ("gnutls" ,gnutls)
>        ("icu4c" ,icu4c)
>        ("libgcrypt" ,libgcrypt)
>        ("libjpeg" ,libjpeg)
>        ("libpng" ,libpng)
>        ("libwebp" ,libwebp)
>        ("libxml2" ,libxml2)
>        ("libxpm" ,libxpm)
>        ("libxslt" ,libxslt)
>        ("libx11" ,libx11)
>        ("oniguruma" ,oniguruma)
>        ("openldap" ,openldap)
>        ("openssl" ,openssl)
>        ("pcre" ,pcre)
>        ("postgresql" ,postgresql)
>        ("readline" ,readline)
>        ("sqlite" ,sqlite)
>        ("tidy" ,tidy)
>        ("zip" ,zip)
>        ("zlib" ,zlib)))
>     (native-inputs
>      `(("pkg-config" ,pkg-config)
>        ("bison" ,bison)
>        ("intltool" ,intltool)
>        ("procps" ,procps))) ; For tests.
>     (synopsis "PHP programming language")
>     (description
>      "PHP (PHP Hypertext Processor) is a server-side (CGI) scripting
> language designed primarily for web development but is also used as
> a general-purpose programming language.
> PHP code may be embedded into
> HTML code, or it can be used in combination with various web template
> systems, web content management systems and web frameworks.")
>     (license (list
>               (license:non-copyleft "file://LICENSE") ; The PHP license.
>               (license:non-copyleft "file://Zend/LICENSE") ; The Zend license.
>               license:lgpl2.1 ; ext/mbstring/libmbfl
>               license:lgpl2.1+ ; ext/bcmath/libbcmath
>               license:bsd-2 ; ext/fileinfo/libmagic
>               license:expat)))) ; ext/date/lib
>
> (define-module (hidamari-blue gnu-social)
>   #:use-module (guix utils)
>   #:use-module (guix build utils)
>   #:use-module ((guix licenses) #:prefix license:)
>   #:use-module (guix store)
>   #:use-module (guix packages)
>   #:use-module (guix download)
>   #:use-module (guix git-download)
>   #:use-module (gnu packages web)
>   #:use-module (gnu packages bash)
>   #:use-module (gnu packages gettext)
>   #:use-module (hidamari-blue php)
>   #:use-module (gnu packages databases)
>   #:use-module (guix build-system gnu)
>   #:use-module (guix records)
>   #:use-module (guix gexp)
>   #:use-module (srfi srfi-1)
>   #:use-module (srfi srfi-43)
>   #:use-module (ice-9 match)
>   #:use-module (ice-9 binary-ports) ; get-u8, used by random-string
>
>   #:use-module (gnu services)
>   #:use-module (gnu services shepherd)
>   #:use-module (gnu services web)
>   #:use-module (gnu system shadow)
>
>   #:export (gnu-social-service-type
>             gnu-social-nginx-block
>             gnu-social
>
>             <gnu-social-config>
>             gnu-social-config
>             make-gnu-social-config
>             gnu-social-config?
>
>             gnu-social-site-name
>             gnu-social-site-domain
>             gnu-social-site-type
>             gnu-social-avatar-dir
>             gnu-social-attachments-dir
>             gnu-social-pid-dir
>             gnu-social-logfile
>             gnu-social-ssl?
>             gnu-social-db-user
>             gnu-social-password-file
>             gnu-social-db-host
>             gnu-social-db-socket
>             gnu-social-db-database
>             gnu-social-admin-handle
>             gnu-social-admin-email
>             gnu-social-user
>             gnu-social-gnu-social
>             gnu-social-php
>             gnu-social-mysql
>             gnu-social-theme
>             gnu-social-logo
>             gnu-social-timezone
>             gnu-social-language
>             gnu-social-text-limit
>             gnu-social-dupe-limit
>             gnu-social-site-notice))
>
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> ;;; START OF password stuff
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> (define alphanumeric-str "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890")
> (define ascii-special-str "!\"#$%&'()*+,-./:;<=>?[\\]^_`{|}~ ")
> (define (string->vector str) (list->vector (string->list str)))
> (define alphanumeric (string->vector alphanumeric-str))
> (define ascii (string->vector (string-append alphanumeric-str ascii-special-str)))
>
> (define* (random-string str-length #:optional (alphabet ascii))
>   "Return a string of STR-LENGTH characters drawn uniformly from ALPHABET,
> using bytes read from /dev/urandom."
>   (call-with-input-file "/dev/urandom"
>     (lambda (port)
>       (define alphabet-max (vector-length alphabet))
>       ;; Largest multiple of ALPHABET-MAX that fits in one byte.  Bytes at or
>       ;; above it are rejected, otherwise 'modulo' would favour the first
>       ;; characters of the alphabet.
>       (define limit (* alphabet-max (quotient 256 alphabet-max)))
>       (define (random-index)
>         (let ((byte (get-u8 port)))
>           (if (< byte limit)
>               (modulo byte alphabet-max)
>               (random-index))))
>       (define (loop acc i)
>         (if (< i str-length)
>             (loop (cons (vector-ref alphabet (random-index)) acc)
>                   (+ i 1))
>             (list->string acc)))
>       (loop '() 0))
>     #:binary #t))
>
> (define (read-password-file file)
>   (if (file-exists? file)
>       (call-with-input-file file
>         (lambda (port)
>           (read port)))
>       (error "Password file" file "does not exist.")))
>
> (define (write-password-file file data)
>   (define tmp (string-append file ".tmp"))
>   (define data-without-meta
>     (filter (match-lambda
>               (('meta:password-was-generated . x) #f)
>               (_ #t))
>             data))
>   ;; Create the temporary file empty and restrict it to root *before* any
>   ;; secret is written into it; the permissions must apply to TMP, since
>   ;; FILE may not exist yet.
>   (call-with-output-file tmp (const #t))
>   (chown tmp 0 0)
>   (chmod tmp #o600)
>   ;; write
>   (call-with-output-file tmp
>     (lambda (port)
>       (write data-without-meta port)))
>   ;; finalize: atomically replace FILE
>   (rename-file tmp file))
>
> (define (optional-password secrets name)
>   (assoc-ref secrets name))
>
> (define (required-password secrets name)
>   (define found (assoc name secrets))
>   (if found
>       (cdr found)
>       (error "No secret named:" name "in password file.")))
>
> (define* (generatable-password secrets name length #:optional (alphabet ascii))
>   "Return SECRETS, extended with a freshly generated password for NAME when
> it has none yet.  The caller must keep the returned alist: a 'set!' on the
> SECRETS argument would only rebind this procedure's own variable, so the
> generated password would never reach the file."
>   (if (assoc name secrets)
>       secrets
>       (cons* (cons name (random-string length alphabet))
>              (cons 'meta:password-was-generated #t)
>              secrets)))
>
> ;;; Example:
> ;; (with-passwords
> ;;   "/root/guix.passwords-store" ; where it will be stored
> ;;   ((optional mysql-root-password) ; will be #f if it is not in the file
> ;;    ;; will be generated for 23 alphanumeric characters
> ;;    ;; and written to the file after the body is run.
> ;;    (generatable gnu-social-mysql-password 23 alphanumeric)
> ;;    ;; will throw an error if it is not in the file
> ;;    (required gnu-social-admin-password))
> ;;   (init-gnu-social config
> ;;                   mysql-root-password
> ;;                   gnu-social-mysql-password
> ;;                   gnu-social-admin-password))
>
> (define-syntax with-passwords
>   (syntax-rules ()
>     ;; entry point
>     ((_ file (bindings ...) body ...)
>      ((lambda (%secrets)
>         (binding %secrets file (bindings ...) body ...))
>       (read-password-file file)))))
> (define-syntax binding
>   (syntax-rules (optional required generatable)
>     ;; bindings
>     ((binding %secrets file ((optional name) rest ...) body ...)
>      (let ((name (optional-password %secrets 'name)))
>        (binding %secrets file (rest ...) body ...)))
>     ((binding %secrets file ((required name) rest ...) body ...)
>      (let ((name (required-password %secrets 'name)))
>        (binding %secrets file (rest ...) body ...)))
>     ((binding %secrets file ((generatable name length) rest ...) body ...)
>      (binding %secrets file ((generatable name length ascii) rest ...) body ...))
>     ((binding %secrets file ((generatable name length alphabet) rest ...) body ...)
>      ;; Rebind %secrets so that the generated entry is visible to the
>      ;; remaining bindings and to the final write-back.
>      (let* ((%secrets (generatable-password %secrets 'name length alphabet))
>             (name (required-password %secrets 'name)))
>        (binding %secrets file (rest ...) body ...)))
>     ;; final body
>     ((binding %secrets file () body ...)
>      (let ((result (begin body ...)))
>        ;; write generated passwords before returning the result
>        (when (assoc-ref %secrets 'meta:password-was-generated)
>          (write-password-file file %secrets))
>        result))))
>
>
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> ;;; END OF password stuff
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
>
> (define (mysql-database-exists? database)
>   ;;; TODO take mysql service settings
>   (file-exists? (string-append "/var/lib/mysql/" database)))
>
> ;;;
>
> ;;; TODO test profilesettings -> openID
> ;;; TODO config for optional different domains for static files
> (define-record-type* <gnu-social-config>
>   gnu-social-config make-gnu-social-config
>   gnu-social-config?
>   ;; --- mandatory during init ---
>   (site-name gnu-social-site-name
>              (default "gnu social"))
>   (site-domain gnu-social-site-domain
>                (default "localhost"))
>   ;; can be set to single user to change the start page and menus
>   (site-type gnu-social-site-type
>              (default "community"))
>   (avatar-dir gnu-social-avatar-dir
>               (default "/srv/http/gnu-social/avatar"))
>   (attachments-dir gnu-social-attachments-dir
>                    (default "/srv/http/gnu-social/file"))
>   (pid-dir gnu-social-pid-dir
>            (default "/var/gnusocial/pid"))
>   (logfile gnu-social-logfile
>            (default #f))
>   (ssl? gnu-social-ssl?
>         (default #f))
>   (db-user gnu-social-db-user
>            (default "gnusocial"))
>   (password-file gnu-social-password-file
>                  (default "/root/guix.password-store"))
>   ;; "localhost" won't work because mysql.default_socket is incorrectly defined in the php.ini
>   ;; https://stackoverflow.com/questions/1676688/php-mysql-connection-not-working-2002-no-such-file-or-directory#comment48706064_6959675
>   (db-host gnu-social-db-host
>            (default "127.0.0.1"))
>   (db-socket gnu-social-db-socket
>              (default #f))
>   (db-database gnu-social-db-database
>                (default "gnusocial"))
>   (admin-handle gnu-social-admin-handle
>                 (default "admin"))
>   ;; accessor name matches the export list; unset is #f, not the string "#f"
>   (admin-email gnu-social-admin-email
>                (default #f))
>   ;; TODO need a new user for the config file, since that is read by php-fpm
>   (user gnu-social-user ; system user who owns the writable directories
>         (default "nginx"))
>   ;; packages
>   (gnu-social gnu-social-gnu-social
>               (default gnu-social))
>   (php gnu-social-php
>        (default php))
>   (mysql gnu-social-mysql
>          (default mariadb))
>   ;; --- optional customizations ---
>   (theme gnu-social-theme
>          (default "neo-gnu"))
>   (logo gnu-social-logo
>         (default #f)) ; url string
>   (timezone gnu-social-timezone
>             (default "UTC"))
>   (language gnu-social-language
>             (default "en"))
>   ;; How long notices can be. Set to 0 for unlimited.
>   (text-limit gnu-social-text-limit
>               (default 1000))
>   ;; How long users must wait (in seconds) to post the same thing again.
>   (dupe-limit gnu-social-dupe-limit
>               (default 60))
>   ;; String to be displayed in the header (max 255 characters).
>   (site-notice gnu-social-site-notice
>                (default #f)))
>
> (define* (gnu-social-nginx-block nginx
>                                  gnu-social
>                                  gnu-social-config
>                                  #:key
>                                  (fastcgi-php-socket "/var/run/php7-fpm.sock")
>                                  (listen '("80" "443 ssl"))
>                                  ;; (https-port #f)
>                                  (ssl-certificate #f)
>                                  (ssl-certificate-key #f)
>                                  (server-tokens?
>                                   #f))
>   (match-record
>       gnu-social-config
>       <gnu-social-config>
>       (site-domain avatar-dir attachments-dir)
>
>     (nginx-server-configuration
>      (index (list "index.php"))
>      (server-name (list site-domain))
>      (root (file-append gnu-social "/share/gnu-social"))
>      ;; (http-port http-port)
>      ;; (https-port https-port)
>      (listen listen)
>      (ssl-certificate ssl-certificate)
>      (ssl-certificate-key ssl-certificate-key)
>      (server-tokens? server-tokens?)
>      (locations
>       (list
>        (nginx-location-configuration
>         (uri "~ \\.php$")
>         (body (list
>                "fastcgi_split_path_info ^(.+\\.php)(/.+)$;"
>                (string-append "fastcgi_pass unix:" fastcgi-php-socket ";")
>                "fastcgi_index index.php;"
>                (list "include " nginx "/share/nginx/conf/fastcgi.conf;"))))
>        (nginx-location-configuration
>         (uri "/avatar")
>         (body (list (string-append "alias " avatar-dir ";"))))
>        (nginx-location-configuration
>         (uri "/file")
>         (body (list (string-append "alias " attachments-dir ";"))))
>        (nginx-location-configuration
>         (uri "/scripts")
>         (body (list "deny all;")))
>        ;; not really required, but for my own legacy redirect
>        ;; (nginx-location-configuration
>        ;;  (uri "/index.php/")
>        ;;  (body (list "rewrite ^/index.php/(.*)$ /index.php?p=$1 last")))
>        (nginx-location-configuration
>         (uri "/")
>         (body (list "try_files $uri $uri/ @gnusocial;")))
>        (nginx-named-location-configuration
>         (name "gnusocial")
>         ;; TODO optimize to not use regex
>         ;; (body (list "rewrite ^ /index.php?p=$1 last;"))
>         (body (list "rewrite ^(.*)$ /index.php?p=$1 last;"))))))))
>
> ;;; TODO defined multiple times (web.scm, telephony.scm)
> (define flatten
>   (lambda lst ; variadic: LST collects all arguments
>     (define (flatten1 head out)
>       (if (list? head)
>           (fold-right flatten1 out head)
>           (cons head out)))
>     (fold-right flatten1 '() lst)))
>
> (define-syntax-rule (write-text-file name args ...)
>   (begin
>     (call-with-output-file name
>       (lambda (port)
>         (display (apply string-append (flatten (list args ...))) port)))
>     name))
>
> (define (write-gnu-social-config-file config db-password)
>   (mkdir-p "/var/gnusocial/config.d/")
>   (match-record
>       config
>       <gnu-social-config>
>       (site-name site-domain site-type avatar-dir attachments-dir pid-dir logfile ssl?
>        db-user db-host db-socket db-database admin-handle admin-email user
>        gnu-social php mysql theme logo timezone language text-limit dupe-limit site-notice)
>
>     (let* (;; PEAR-style DSN: user:pass@host/db, or user:pass@unix(socket)/db
>            (mysqli (string-append "mysqli://"
>                                   db-user
>                                   (if db-password
>                                       (string-append ":" db-password)
>                                       "")
>                                   "@" (if db-socket
>                                           (string-append "unix(" db-socket ")")
>                                           db-host)
>                                   "/" db-database))
>            ;; TODO use config variable for php-fpm user
>            (gnu-social-user (getpwnam "php-fpm"))
>            (config-file (string-append "/var/gnusocial/config.d/"
>                                        site-domain ".php"))
>            (optional (lambda (prefix value suffix)
>                        (if value (string-append prefix value suffix) "")))
>            ;; TODO function defined multiple times
>            (touch (lambda (file-name)
>                     (call-with-output-file file-name (const #t)))))
>
>       ;; limit permissions to the config, since it contains the db password
>       ;; owned by root (0), readable by gnu-social's user group
>       (touch config-file)
>       (chown config-file 0 (passwd:gid gnu-social-user))
>       (chmod config-file #o640)
>       (write-text-file
>        config-file
>        "<?php\n"
>        "if (!defined('GNUSOCIAL')) { exit(1); }\n"
>        "$config['site']['name'] = '" site-name "';\n"
>        "$config['site']['server'] = '" site-domain "';\n"
>        "$config['site']['path'] = false;\n"
>        "$config['site']['fancy'] = true;\n"
>        "$config['site']['ssl'] = '" (if ssl?
>                                         "always" "never") "';\n"
>        "$config['site']['theme'] = '" theme "';\n"
>
>        "$config['site']['profile'] = '" site-type "';\n"
>        (optional "$config['site']['logo'] = '" logo "';\n")
>        (optional "$config['site']['timezone'] = '" timezone "';\n")
>        (optional "$config['site']['language'] = '" language "';\n")
>        "$config['site']['textlimit'] = " (number->string text-limit) ";\n"
>        "$config['site']['dupelimit'] = " (number->string dupe-limit) ";\n"
>
>        "$config['db']['database'] = '" mysqli "';\n"
>        "$config['db']['type'] = 'mysql';\n"
>
>        "$config['avatar']['dir'] = '" avatar-dir "';\n"
>        "$config['attachments']['dir'] = '" attachments-dir "';\n"
>        "$config['cache']['dir'] = '" "/tmp/" "';\n"
>        "$config['daemon']['piddir'] = '" pid-dir "';\n"
>
>
>        "// Uncomment below for better performance. Just remember you must run\n"
>        "// php scripts/checkschema.php whenever your enabled plugins change!\n"
>        "$config['db']['schemacheck'] = 'script';\n"
>
>        (if logfile
>            (string-append "$config['site']['logfile'] = '" logfile "';\n")
>            "")))))
>
> (define gnu-social
>   (let ((commit "50f9f23ff19a4f577c429d80411378d6a1747725"))
>     (package
>       (name "gnu-social")
>       (version "1.2.0-beta4")
>       (source (origin
>                 ;; I made some cli-installer patches
>                 ;; waiting for them to get accepted into master:
>                 ;; https://git.gnu.io/gnu/gnu-social/merge_requests/155
>                 (method url-fetch)
>                 (uri "https://hidamari.blue/gnu-social.tar.bz2")
>                 (sha256
>                  (base32
>                   "0l9vh9lxn6d42yh1nfd4ydsrizp7qa018wz9da41a14fd44bwqwi"))
>                 ;; (method git-fetch) ; no tarball available
>                 ;; (uri (git-reference
>                 ;;       (url "https://git.gnu.io/gnu/gnu-social.git")
>                 ;;       (commit commit))) ; using the latest version
>                 ;; (sha256
>                 ;;  (base32
>                 ;;   "1xja9pbw8dy8jqc44f7z4vd8mrkpcirq1yxxvf4w0lf778z4xasr"))
>                 ))
>       (build-system gnu-build-system)
>       (arguments
>        `(#:phases
>          (modify-phases
>              %standard-phases
>            (delete 'configure)
>            (delete 'check)
>            (replace
>                'install
>              (lambda*
>                  (#:key
outputs #:allow-other-keys) > (let ((out (string-append (assoc-ref %outputs "out") "/share/= gnu-social/")) > (php-bin (string-append (assoc-ref %build-inputs "php")= "/bin/php")) > (bash (string-append (assoc-ref %build-inputs "bash") "= /bin/bash"))) >=20 > ;; overwrite the config_files array to only try one config = file. > (substitute* "lib/gnusocial.php" > (("\\$config_files\\[\\] =3D INSTALLDIR\\.'/co= nfig\\.php';") > "$config_files =3D array('/var/gnusocial/conf= ig.d/'.$_server.'.php');")) >=20 > (substitute* "lib/installer.php" > (("require_once INSTALLDIR . '/lib/common.php'= ;") > "$server =3D $this->server; require_once INST= ALLDIR . '/lib/common.php'; ")) >=20 > (substitute* "lib/primarynav.php" > (("\\$user->hasRight\\(Right::CONFIGURESITE\\)= ") > "false")) > =20 > (delete-file "install.php") > (mkdir-p out) > (copy-recursively "." out) > #t)))))) >=20 > ;; TODO replace the bundled jquery if someone ever manages to packag= e that juggernaut > (inputs `(("php" ,php) > ("bash" ,bash))) > (native-inputs `(("gettext" ,gnu-gettext))) > (home-page "https://gnu.io/social") > (synopsis "Federated microblogging platform for the web") > (description > "GNU Social is a federated microblogging platform.") > (license license:agpl3+)))) >=20 > (define (gnu-social-activation config) > (match-record > config > > (site-name site-domain site-type avatar-dir attachments-dir pid-dir lo= gfile ssl? > db-user password-file db-host db-socket db-database admin-h= andle admin-email user > gnu-social php mysql theme logo timezone language text-limi= t dupe-limit site-notice) > =20 > (let* ((gnu-social-version (package-version gnu-social)) > ;; TODO put into config > (installed-version-filepath "/var/gnusocial/version") > (installed-version (if (file-exists? 
installed-version-filepath) > (call-with-input-file installed-version-filepath > (lambda (port) > (read port))) > #f))) > (with-passwords > password-file > ((optional mysql-root-password) > (generatable gnu-social-db-password 32) > (generatable gnu-social-admin-password 32)) > #~(begin > (use-modules (guix build utils) > (ice-9 match) > (srfi srfi-1)) > (let ((user (getpwnam #$user)) > (sh (string-append #$bash "/bin/sh")) > (php (string-append #$php "/bin/php")) > (mysql (string-append #$mysql "/bin/mysql")) > (install-script (string-append #$gnu-social "/share/gnu-social/scripts/= install_cli.php")) > (config-file #$(write-gnu-social-config-file config gnu-social-db-passw= ord)) > ;; TODO remove, since it's already in web.scm, might move to guix utils > (flatten (lambda (. lst) > (define (flatten1 head out) > (if (list? head) > (fold-right flatten1 out head) > (cons head out))) > (fold-right flatten1 '() lst))) > (touch (lambda (file-name) > (call-with-output-file file-name (const #t)))) > (write-installed-version > (lambda () > ;; create proof of successful version installation as .tmp > (call-with-output-file (string-append #$installed-version-filepath "= =2Etmp") > (lambda (port) > (write #$gnu-social-version port))) > ;; rename to actual name > (rename-file (string-append #$installed-version-filepath ".tmp") > #$installed-version-filepath) > #t))) > ;; prepare writable directories > (mkdir-p #$avatar-dir) > (mkdir-p #$attachments-dir) > (chown #$avatar-dir (passwd:uid user) (passwd:gid user)) > (chown #$attachments-dir (passwd:uid user) (passwd:gid user)) >=20 > ;; prepare logfile > (touch #$logfile) > (chown #$logfile (passwd:uid user) (passwd:gid user)) >=20 > (display "wrote gnu-social config ") (display config-file) (newline) >=20 > ;; upgrade/install && check-addon-changes > (and (cond ((not (equal? #$installed-version #$gnu-social-version)) > ;; upgrade existing installation > (fromat #t "Upgrading gnu-social database ~a from ~a to ~a." 
> #$database > #$installed-version #$gnu-social-version) > (and (zero? (system* php (string-append #$gnu-social "/share/gnu-socia= l/scripts/stopdaemons.sh"))) > (zero? (system* php (string-append #$gnu-social "/share/gnu-socia= l/scripts/upgrade.php") > "--server" #$site-domain)) > (zero? (system* php (string-append #$gnu-social "/share/gnu-socia= l/scripts/startdaemons.sh"))) > (write-installed-version))) > ((not #$installed-version) > ;; inital install > ;; create database if it's the default setup > (format "Installing database for gnu social version ~a." #$gnu-social-= version) > ;; create mysql database and user > (and (zero? (apply system* mysql > "--execute" > ;; TODO FIXME escape ' signs in username/password > (string-append " > CREATE DATABASE IF NOT EXISTS " #$db-database "; > CREATE USER IF NOT EXISTS '" #$db-user "'@'localhost' identified by '" #$= gnu-social-db-password "'; > GRANT ALL PRIVILEGES ON " #$db-database ".* TO '" #$db-user "'@'localhost= ';") > =20 > "--user" "root" > (cond (#$db-host (list "--host" #$db-host)) > (#$db-socket (list "--socket" #$db-socket)) > (#t (error "gnu-social-service: " > "either db-host or db-socket must be set"))) > ;; TODO FIXME SECURITY this will appear in the system's process l= ist > (if #$mysql-root-password > (list (string-append "--password=3D" #$mysql-root-password)) > '()))) > ;; call the install script > (zero? (apply system* php install-script > (filter (lambda (x) (or (not (list? x)) > (not (null? 
x)))) > (flatten > "--skip-config" > "--sitename" #$site-name > "--server" #$site-domain > "--site-profile" #$site-type >=20 > "--dbtype" "mysql" > "--host" #$db-host > "--database" #$db-database > "--username" #$db-user > (if #$gnu-social-db-password > (list "--password" #$gnu-social-db-password) > '()) >=20 > "--admin-nick" #$admin-handle > "--admin-pass" #$gnu-social-admin-password > (if #$admin-email > (list "--admin-email" #$admin-email) > '()))))) > (write-installed-version))) > ;; same version already installed, do nothing > (else #t)) > ;; call the routing update script, in case any new addons were install= ed > (zero? (system* php (string-append #$gnu-social "/share/gnu-social/scr= ipts/checkschema.php") > "--server" #$site-domain))))))))) >=20 > (define gnu-social-service-type > (service-type (name 'gnu-social) > (extensions > (list (service-extension activation-service-type > gnu-social-activation))))) --=20 GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588 GnuPG: https://c.n0.is/ng0_pubkeys/tree/keys WWW: https://n0.is/a/ :: https://ea.n0.is --zhjwmbt2ubi4nemg Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlpY9u0ACgkQ4i+bv+40 hYh+DQ/+O9I+X51EJUGwjasuj0augiJVHG5y7zyXtWaySMGPkNx1IA9FLSipck8K cSGZj8M/mdKMqDwNJRnDGX5cmjPbJCdYcE046Yv6zjZY5xnUwLXxLEBKWa9uzQ0n dhwTLFbcodXUF6wPKkGJrvknWVbrlUeQ2FxH7X//sUlJaN9mWO3UoybXSyqPEgtA 3YeCEIXWDvIUN5QJrdv/2XLNLw1Dglltthz1efJRMB2cOaKMTgJjijySJk4RV/9N LgXRm+2klUjLf+HvXBS//CHeMDg+sRbZrxXttDpA7FlQYKXT3x2EhQREErOfDdKX mVJaSdrNbKSI/+/KZemJjR5l/aUP6ZVC/3epo0H4XJ+qKW/pYUSLV3T/zz8TRJVq 6bJLfBT1ov9OgGjmRGm4hkyAxBEWhsHpXqRjA1mU4o8IxuxWbt5QLceSVBH5sfL+ XV3CxKvYXkSPI47h3Kf4IkaOGOs1CVl3lQNNNQ0s/py0AsiQbdyuc+t5zj9JXg5A N6mTrf2OK3dtu2S0Czsj5/Lrt+1pVgGyq9i8PicppwqG+cH7URhIVUz3t/+s01xy ctwwrHj8LievXl1msRbcTNJ4BYvVb1fKlPwR3UWqYjCDDwJZWPKreBY6Ta5nGx22 TRCWTntdqWeMksLUHLoc3WQ1XaRfp4pYpg65MXryo6FTGe+s1us= =ilID -----END PGP SIGNATURE----- 
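The two TODO FIXME comments in the quoted activation code (unescaped quotes in the CREATE USER statement, and the root password passed as --password=... where every user can read it in the process list) can be handled with helpers like these. This is an added example, not part of nee's patch: the function names and the /tmp option-file path are mine, and the snippet only builds the SQL text and the option file without invoking mysql.

```shell
#!/bin/sh
# Added example, not part of the patch: escape values before splicing them
# into SQL, and hand the root password to mysql via a root-only option file
# (--defaults-extra-file, which must be the first mysql argument) instead of
# putting it on the command line.

# Escape a value for a single-quoted MySQL string literal. Both the quote and
# the backslash are doubled, so the result parses the same whether or not the
# server runs with NO_BACKSLASH_ESCAPES.
sql_quote() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Quote an identifier (the database name) with backticks, doubling any backtick.
sql_ident() {
    printf '`%s`\n' "$(printf '%s\n' "$1" | sed 's/`/``/g')"
}

# Build the CREATE DATABASE / CREATE USER / GRANT batch from the quoted code,
# with every configuration-supplied value escaped. Usage: create_user_sql DB USER PASS
create_user_sql() {
    db=$(sql_ident "$1")
    user=$(sql_quote "$2")
    pass=$(sql_quote "$3")
    printf "CREATE DATABASE IF NOT EXISTS %s;\n" "$db"
    printf "CREATE USER IF NOT EXISTS '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$pass"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'localhost';\n" "$db" "$user"
}

# Write a mode-0600 MySQL option file holding the root password and print its
# path (constructed /tmp location). The value is double-quoted with backslash
# and double quote escaped, which is option-file syntax, so a password
# containing '#' or spaces is still read correctly.
write_mysql_defaults() {
    f=$(mktemp /tmp/gnusocial-mysql.XXXXXX) || return 1
    chmod 600 "$f"
    pw=$(printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf '[client]\nuser=root\npassword="%s"\n' "$pw" > "$f"
    printf '%s\n' "$f"
}

# Wiring in the activation step would look like this (constructed values):
#   defaults=$(write_mysql_defaults "$MYSQL_ROOT_PASSWORD")
#   mysql --defaults-extra-file="$defaults" \
#         --execute "$(create_user_sql gnusocial social_db_user "$DB_PASSWORD")"
#   rm -f "$defaults"
```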