From 01886aef225a5fb03dc1ee08fb606899d87f6dcf Mon Sep 17 00:00:00 2001
From: "Nicolas B. Pierron"
Date: Thu, 11 Dec 2014 23:48:15 +0100
Subject: Add Firefox Sync server module.
---
 .../services/networking/firefox/sync-server.nix | 135 +++++++++++++++++++++
 1 file changed, 135 insertions(+)
 create mode 100644 nixos/modules/services/networking/firefox/sync-server.nix
(limited to 'nixos/modules/services/networking/firefox/sync-server.nix')
diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix
new file mode 100644
index 000000000000..db249fe5a72f
--- /dev/null
+++ b/nixos/modules/services/networking/firefox/sync-server.nix
@@ -0,0 +1,135 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.firefox.syncserver; + syncServerSecretFile = "/etc/firefox/syncserver-secret.ini"; + syncServerIni = pkgs.writeText "syncserver.ini" '' + [DEFAULT] + overrides = ${cfg.privateConfig} ${syncServerSecretFile} + + [server:main] + use = egg:Paste#http + host = ${cfg.listen.address} + port = ${toString cfg.listen.port} + + [app:main] + use = egg:syncserver + + [syncserver] + public_url = ${cfg.publicUrl} + ${optionalString (cfg.sqlUri != "") "sqluri = ${cfg.sqlUri}"} + allow_new_users = ${if cfg.allowNewUsers then "true" else "false"} + + [browserid] + backend = tokenserver.verifiers.LocalVerifier + audiences = ${removeSuffix "/" cfg.publicUrl} + ''; +in + +{ + options = { + services.firefox.syncserver = { + enable = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + Whether to enable a Firefox Sync Server, this give the opportunity to + Firefox users to store all synchronized data on their own server. To use this + server, Firefox users should visit the , and + replicate the following change + + + services.sync.tokenServerURI: http://localhost:5000/token/1.0/sync/1.5 + + where corresponds to the + public url of the server. + ''; + }; + + listen.address = mkOption { + type = types.str; + default = "0.0.0.0"; + description = '' + Address on which the sync server listen to. + ''; + }; + + listen.port = mkOption { + type = types.int; + default = 5000; + description = '' + Port on which the sync server listen to. + ''; + }; + + publicUrl = mkOption { + type = types.str; + default = "http://localhost:5000/"; + example = "http://sync.example.com/"; + description = '' + Public URL with which firefox users can use to access the sync server. + ''; + }; + + allowNewUsers = mkOption { + type = types.bool; + default = true; + example = false; + description = '' + Whether to allow new-user signups on the server. 
Only request by + existing accounts will be honored. + ''; + }; + + sqlUri = mkOption { + type = types.str; + default = "sqlite:////var/db/firefox-sync-server.db"; + example = "postgresql://scott:tiger@localhost/test"; + description = '' + The location of the database. This URL is composed of + , + where is a database name such as + , , , + etc., and the name of a DBAPI, such as + , , , + etc. + ''; + }; + + privateConfig = mkOption { + type = types.separatedString " "; + default = ""; + description = '' + If defined, this file would be used to set all fields which were omitted in the + generated ini files used for configuring the syncserver. This file is useful + for storing secrets, such as the syncserver.secret or the syncserver.sqluri + ''; + }; + }; + }; + + config = { + + systemd.services.syncserver = { + after = [ "network.target" ]; + description = "Firefox Sync Server"; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.pythonPackages.pasteScript pkgs.coreutils ]; + environment.PYTHONPATH = "${pkgs.pythonPackages.syncserver}/lib/${pkgs.pythonPackages.python.libPrefix}/site-packages"; + preStart = '' + if ! test -e ${syncServerSecretFile}; then + mkdir -p $(dirname ${syncServerSecretFile}) + echo > ${syncServerSecretFile} '[syncserver]' + echo >> ${syncServerSecretFile} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')" + fi + ''; + serviceConfig.ExecStart = "paster serve ${syncServerIni}"; + serviceConfig.User = "deluge"; + serviceConfig.Group = "deluge"; + }; + + }; +} -- cgit 1.4.1 From a0154145d52c27416c65d7c2289f3fae61182181 Mon Sep 17 00:00:00 2001 From: "Nicolas B. Pierron" Date: Fri, 12 Dec 2014 22:13:03 +0100 Subject: Firefox Sync Server: Fix copy&paste issue. --- nixos/modules/services/networking/firefox/sync-server.nix | 2 -- 1 file changed, 2 deletions(-) (limited to 'nixos/modules/services/networking/firefox/sync-server.nix') 
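Review bot: The `sqlUri` option is interpolated into `syncServerIni` through `pkgs.writeText`, so any credentials placed in it land in the world-readable Nix store, yet the option's `example` is `postgresql://scott:tiger@localhost/test`, which models exactly that. The `privateConfig` description in this hunk already says that `syncserver.sqluri` belongs in the private file when it carries a password; the `sqlUri` description should say the same, e.g. `Do not put a password in this option: its value is written to the world-readable Nix store. Put sqluri in privateConfig instead.`, and the example should drop the credentials, `postgresql://scott@localhost/test`. Separately, `preStart` creates the directory for the secret file but nothing creates the directory for the default `sqlite:////var/db/firefox-sync-server.db`, so the first start presumably fails on a host without `/var/db`; a `mkdir -p` for it, under the same ownership as the service, would make the default usable.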
diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix index db249fe5a72f..0d2306c69949 100644 --- a/nixos/modules/services/networking/firefox/sync-server.nix +++ b/nixos/modules/services/networking/firefox/sync-server.nix @@ -127,8 +127,6 @@ in fi ''; serviceConfig.ExecStart = "paster serve ${syncServerIni}"; - serviceConfig.User = "deluge"; - serviceConfig.Group = "deluge"; }; }; -- cgit 1.4.1 From 1a1fc17957516956949f019292b994aebfda6779 Mon Sep 17 00:00:00 2001 From: "Nicolas B. Pierron" Date: Fri, 12 Dec 2014 22:14:21 +0100 Subject: Firefox Sync Server: Create the private config file as non-world readable. --- .../services/networking/firefox/sync-server.nix | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) (limited to 'nixos/modules/services/networking/firefox/sync-server.nix') diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix index 0d2306c69949..b357eac98b91 100644 --- a/nixos/modules/services/networking/firefox/sync-server.nix +++ b/nixos/modules/services/networking/firefox/sync-server.nix @@ -4,10 +4,9 @@ with lib; let cfg = config.services.firefox.syncserver; - syncServerSecretFile = "/etc/firefox/syncserver-secret.ini"; syncServerIni = pkgs.writeText "syncserver.ini" '' [DEFAULT] - overrides = ${cfg.privateConfig} ${syncServerSecretFile} + overrides = ${cfg.privateConfig} [server:main] use = egg:Paste#http 
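Review bot: Dropping `serviceConfig.User`/`Group` without a replacement leaves `paster serve` running as root, so the generated secret, the SQLite database and the listening socket are all handled by a root process. The usual fix is a dedicated account, `serviceConfig.User = "syncserver";` plus a `users.extraUsers.syncserver = { ... };` declaration (the exact attributes NixOS accepts at this revision should be checked), and because `preStart` writes the secret under `/etc` that user cannot create it, so either `serviceConfig.PermissionsStartOnly = true;` with a `chown` in `preStart`, or a state directory under `/var/lib` owned by that user. The `systemd.services.syncserver` block this hunk edits starts outside the hunk.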
@@ -100,12 +99,14 @@ in }; privateConfig = mkOption { - type = types.separatedString " "; - default = ""; + type = types.str; + default = "/etc/firefox/syncserver-secret.ini"; description = '' If defined, this file would be used to set all fields which were omitted in the generated ini files used for configuring the syncserver. This file is useful - for storing secrets, such as the syncserver.secret or the syncserver.sqluri + for storing secrets, such as the syncserver.secret or the syncserver.sqluri. + + If this file does not exists, it would be created with a unique secret. ''; }; }; @@ -120,10 +121,11 @@ in path = [ pkgs.pythonPackages.pasteScript pkgs.coreutils ]; environment.PYTHONPATH = "${pkgs.pythonPackages.syncserver}/lib/${pkgs.pythonPackages.python.libPrefix}/site-packages"; preStart = '' - if ! test -e ${syncServerSecretFile}; then - mkdir -p $(dirname ${syncServerSecretFile}) - echo > ${syncServerSecretFile} '[syncserver]' - echo >> ${syncServerSecretFile} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')" + if ! test -e ${cfg.privateConfig}; then + umask u=rwx,g=x,o=x + mkdir -p $(dirname ${cfg.privateConfig}) + echo > ${cfg.privateConfig} '[syncserver]' + echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')" fi ''; serviceConfig.ExecStart = "paster serve ${syncServerIni}"; -- cgit 1.4.1 From 0d13ea0131cf43e7adccc437df4be8fa75ed9d3e Mon Sep 17 00:00:00 2001 From: "Nicolas B. Pierron" Date: Sun, 18 Jan 2015 12:20:44 +0100 Subject: Change default syncserver listen.port to a safer one. --- nixos/modules/services/networking/firefox/sync-server.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'nixos/modules/services/networking/firefox/sync-server.nix') diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix index b357eac98b91..58b07e51387e 100644 --- a/nixos/modules/services/networking/firefox/sync-server.nix 
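Review bot: The new `umask u=rwx,g=x,o=x` only governs files created by this `preStart`; a secret file already written by the previous revision of the module (which, as the removed lines show, used the default umask) keeps its world-readable mode, and the `test -e` guard means it is never touched again. An unconditional `chmod 600 ${cfg.privateConfig}` after the `if` block closes that gap, and a `chmod 711 $(dirname ${cfg.privateConfig})` would match the directory mode the umask yields for new installs. The same guard means a user-supplied `privateConfig` that lacks a `secret` line is left as is; presumably syncserver then behaves differently from the generated case, which is worth a sentence in the option description. The enclosing `systemd.services.syncserver` block starts outside the hunk.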
+++ b/nixos/modules/services/networking/firefox/sync-server.nix @@ -50,7 +50,8 @@ in listen.address = mkOption { type = types.str; - default = "0.0.0.0"; + default = "127.0.0.1"; + example = "0.0.0.0"; description = '' Address on which the sync server listen to. ''; -- cgit 1.4.1 From 8196727fad8a7eabf26313bd3175c1ee9e8cca43 Mon Sep 17 00:00:00 2001 From: "Nicolas B. Pierron" Date: Sun, 18 Jan 2015 12:21:23 +0100 Subject: Improve the documentation of the syncserver module. --- .../services/networking/firefox/sync-server.nix | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) (limited to 'nixos/modules/services/networking/firefox/sync-server.nix') diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix index 58b07e51387e..6ed7a6beb9e8 100644 --- a/nixos/modules/services/networking/firefox/sync-server.nix +++ b/nixos/modules/services/networking/firefox/sync-server.nix @@ -41,7 +41,8 @@ in replicate the following change - services.sync.tokenServerURI: http://localhost:5000/token/1.0/sync/1.5 + services.sync.tokenServerURI: http://localhost:5000/token/1.0/sync/1.5 + where corresponds to the public url of the server. @@ -95,7 +96,10 @@ in , , , etc., and the name of a DBAPI, such as , , , - etc. + etc. The + SQLAlchemy documentation provides more examples and describe the syntax of + the expected URL. ''; }; 
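Review bot: Binding to `127.0.0.1` by default is the right call, but the description still reads `Address on which the sync server listen to.` and does not say why the loopback default exists, while the new `example = "0.0.0.0"` invites exposing the plain-HTTP `publicUrl` default with `allowNewUsers` defaulting to true, as this file's other defaults show. Suggested description: `Address on which the sync server listens. The default binds to the loopback interface only; bind to 0.0.0.0 only behind a TLS-terminating reverse proxy, and consider setting allowNewUsers to false first.` The option's enclosing attribute set continues outside the hunk.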
@@ -103,12 +107,14 @@ in type = types.str; default = "/etc/firefox/syncserver-secret.ini"; description = '' - If defined, this file would be used to set all fields which were omitted in the - generated ini files used for configuring the syncserver. This file is useful - for storing secrets, such as the syncserver.secret or the syncserver.sqluri. - - If this file does not exists, it would be created with a unique secret. - ''; + The private config file is used to extend the generated config with confidential + information, such as the setting if it contains a + password, and the setting is used by the server to + generate cryptographically-signed authentication tokens. + + If this file does not exists, then it is created with a generated + settings. + ''; }; }; }; -- cgit 1.4.1 From 130f66b683d37a0f636e6c8283873011b196eeac Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Sun, 18 Jan 2015 14:21:40 -0800 Subject: nixos/sync-server: Respect the enable option --- nixos/modules/services/networking/firefox/sync-server.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/modules/services/networking/firefox/sync-server.nix') diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix index 6ed7a6beb9e8..79f32f3358cb 100644 --- a/nixos/modules/services/networking/firefox/sync-server.nix +++ b/nixos/modules/services/networking/firefox/sync-server.nix @@ -119,7 +119,7 @@ in }; }; - config = { + config = mkIf cfg.enable { systemd.services.syncserver = { after = [ "network.target" ]; -- cgit 1.4.1
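Review bot: The rewritten `privateConfig` description still has grammar slips, `If this file does not exists, then it is created with a generated settings.`, and it no longer says which setting is generated or that the file is created non-world-readable, which is the property a user choosing a custom path needs to preserve. Suggested last paragraph: `If this file does not exist, it is created with mode 0600 and a randomly generated secret. If you supply your own file, keep it readable only by the service user and include a secret setting.` The option's enclosing attribute set continues outside the hunk.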