diff options
| author | Luflosi <luflosi@luflosi.de> | 2022-08-05 20:56:15 +0200 |
|---|---|---|
| committer | Luflosi <luflosi@luflosi.de> | 2023-01-24 16:33:03 +0100 |
| commit | 78f357f134f2184ff4583ba82fd51c19fc40297c (patch) | |
| tree | d84fbc7e4ee5c004f39b89fc7ff21d56bc818f9c /nixos/modules/services/network-filesystems | |
| parent | eb45a616747157b8e5f0438a14ce6d43972f5327 (diff) | |
| download | nixlib-78f357f134f2184ff4583ba82fd51c19fc40297c.tar nixlib-78f357f134f2184ff4583ba82fd51c19fc40297c.tar.gz nixlib-78f357f134f2184ff4583ba82fd51c19fc40297c.tar.bz2 nixlib-78f357f134f2184ff4583ba82fd51c19fc40297c.tar.lz nixlib-78f357f134f2184ff4583ba82fd51c19fc40297c.tar.xz nixlib-78f357f134f2184ff4583ba82fd51c19fc40297c.tar.zst nixlib-78f357f134f2184ff4583ba82fd51c19fc40297c.zip | |
nixos/kubo: make the configuration options idempotent
Without this commit, unsetting any of the `services.kubo.settings` options does not reset the value back to the default. This commit gets rid of this statefulness. This is achieved by generating the default config, applying the user specified config options to it and then patching the `Identity` and `Pinning` config options from the old config back in. This new config is then applied using `ipfs config replace`. The only remaining stateful parts of the config are the `Identity` and `Pinning.RemoteServices` settings as those can't be changed with `ipfs config replace`. `Pinning.RemoteServices` also contains secrets that shouldn't be in the Nix store. Setting these options wasn't possible before as it would result in an error when the daemon tried to start. I added some assertions to guard against this case.
Diffstat (limited to 'nixos/modules/services/network-filesystems')
| -rw-r--r-- | nixos/modules/services/network-filesystems/kubo.nix | 57 |
1 files changed, 47 insertions, 10 deletions
diff --git a/nixos/modules/services/network-filesystems/kubo.nix b/nixos/modules/services/network-filesystems/kubo.nix index 13a062c32128..4d423c905986 100644 --- a/nixos/modules/services/network-filesystems/kubo.nix +++ b/nixos/modules/services/network-filesystems/kubo.nix @@ -5,6 +5,23 @@ let settingsFormat = pkgs.formats.json {}; + rawDefaultConfig = lib.importJSON (pkgs.runCommand "kubo-default-config" { + nativeBuildInputs = [ cfg.package ]; + } '' + export IPFS_PATH="$TMPDIR" + ipfs init --empty-repo --profile=${profile} + ipfs --offline config show > "$out" + ''); + + # Remove the PeerID (an attribute of "Identity") of the temporary Kubo repo. + # The "Pinning" section contains the "RemoteServices" section, which would prevent + # the daemon from starting as that setting can't be changed via ipfs config replace. + defaultConfig = builtins.removeAttrs rawDefaultConfig [ "Identity" "Pinning" ]; + + customizedConfig = lib.recursiveUpdate defaultConfig cfg.settings; + + configFile = settingsFormat.generate "kubo-config.json" customizedConfig; + kuboFlags = utils.escapeSystemdExecArgs ( optional cfg.autoMount "--mount" ++ optional cfg.enableGC "--enable-gc" ++ @@ -161,9 +178,9 @@ in }; }; description = lib.mdDoc '' - Attrset of daemon configuration to set using {command}`ipfs config`, every time the daemon starts. + Attrset of daemon configuration. See [https://github.com/ipfs/kubo/blob/master/docs/config.md](https://github.com/ipfs/kubo/blob/master/docs/config.md) for reference. - Keep in mind that this configuration is stateful; i.e., unsetting anything in here does not reset the value to the default! + You can't set `Identity` or `Pinning`. ''; default = { }; example = { @@ -211,6 +228,21 @@ in ###### implementation config = mkIf cfg.enable { + assertions = [ + { + assertion = !builtins.hasAttr "Identity" cfg.settings; + message = '' + You can't set services.kubo.settings.Identity because the ``config replace`` subcommand used at startup does not support modifying any of the Identity settings. + ''; + } + { + assertion = !((builtins.hasAttr "Pinning" cfg.settings) && (builtins.hasAttr "RemoteServices" cfg.settings.Pinning)); + message = '' + You can't set services.kubo.settings.Pinning.RemoteServices because the ``config replace`` subcommand used at startup does not work with it. + ''; + } + ]; + environment.systemPackages = [ cfg.package ]; environment.variables.IPFS_PATH = cfg.dataDir; @@ -262,21 +294,26 @@ in preStart = '' if [[ ! -f "$IPFS_PATH/config" ]]; then - ipfs init ${optionalString cfg.emptyRepo "-e"} --profile=${profile} + ipfs init ${optionalString cfg.emptyRepo "-e"} else # After an unclean shutdown this file may exist which will cause the config command to attempt to talk to the daemon. This will hang forever if systemd is holding our sockets open. rm -vf "$IPFS_PATH/api" '' + optionalString cfg.autoMigrate '' ${pkgs.kubo-migrator}/bin/fs-repo-migrations -to '${cfg.package.repoVersion}' -y '' + '' - ipfs --offline config profile apply ${profile} >/dev/null fi - '' + '' - ipfs --offline config show \ - | ${pkgs.jq}/bin/jq '. * $settings' --argjson settings ${ - escapeShellArg (builtins.toJSON cfg.settings) - } \ - | ipfs --offline config replace - + ipfs --offline config show | + ${pkgs.jq}/bin/jq -s '.[0].Pinning as $Pinning | .[0].Identity as $Identity | .[1] + {$Identity,$Pinning}' - '${configFile}' | + + # This command automatically injects the private key and other secrets from + # the old config file back into the new config file. + # Unfortunately, it doesn't keep the original `Identity.PeerID`, + # so we need `ipfs config show` and jq above. + # See https://github.com/ipfs/kubo/issues/8993 for progress on fixing this problem. + # Kubo also wants a specific version of the original "Pinning.RemoteServices" + # section (redacted by `ipfs config show`), such that that section doesn't + # change when the changes are applied. Whyyyyyy..... + ipfs --offline config replace - ''; serviceConfig = { ExecStart = [ "" "${cfg.package}/bin/ipfs daemon ${kuboFlags}" ]; |