b111495 feat(nixos): Support running rad commands for service — heartwood

Radicle Heartwood Protocol & Stack

feat(nixos): Support running rad commands for service

✗ CI failure null committed 1 year ago

commit b11149595e0dfc5c6e8a13228b48de314df41dc0
parent d92262e060830f1c55ec6b9ac95df764c9fbe3fe

2 passed 1 failed (3 total) View logs

2 files changed +58 -7

added resources/nixos/README.md

@@ -0,0 +1,33 @@

 # Changes to the official service
 The official service makes it very difficult to do any kind of `rad` operations.
 Its config, public and private keys are world-readable in the store, but **not** in the user's
 `HOME`.
 With this service, you are able to
 ```sh
 # Enter the radicle user
 sudo -s -u radicle
 rad self # or any other read-only radicle command
 ```
 # How to use
 Simply import [`service.nix`][service.nix] into your configuration and configure it as you would
 the official one. See the [quickstart guide][seeding quickstart] for more information
 on configuration.
 ```nix
 {
   imports = [ /path/to/repository/resources/nixos/service.nix ];
   services.radicle = {
     enable = true;
     # The rest of the configuration
   };
 }
 ```
 [seeding quickstart]: https://radicle.xyz/guides/quickstart/seeding
 [service.nix]: ./service.nix

modified resources/nixos/service.nix

@@ -7,7 +7,7 @@ let

   env = rec {
     # rad fails if it cannot stat $HOME/.gitconfig
     HOME = "/var/lib/radicle";
     RAD_HOME = HOME;
     RAD_HOME = "${HOME}/.radicle";
   };
   # Convenient wrapper to run `rad` in the namespaces of `radicle-node.service`

@@ -42,10 +42,6 @@ let

     wantedBy = [ "multi-user.target" ];
     serviceConfig = lib.mkMerge [
       {
         BindReadOnlyPaths = [
           "${cfg.configFile}:${env.RAD_HOME}/config.json"
           "${if lib.types.path.check cfg.publicKey then cfg.publicKey else pkgs.writeText "radicle.pub" cfg.publicKey}:${env.RAD_HOME}/keys/radicle.pub"
         ];
         KillMode = "process";
         StateDirectory = [ "radicle" ];
         User = config.users.users.radicle.name;

@@ -113,6 +109,11 @@ let

   };
 in
 {
   # Replace the existing module
   disabledModules = [
     "services/misc/radicle.nix"
   ];
   options = {
     services.radicle = {
       enable = lib.mkEnableOption "Radicle Seed Node";

@@ -210,7 +211,7 @@ in

         nginx = lib.mkOption {
           # Type of a single virtual host, or null.
           type = lib.types.nullOr (lib.types.submodule (
             lib.recursiveUpdate (import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) {
             lib.recursiveUpdate (import "${toString <nixos>}/nixos/modules/services/web-servers/nginx/vhost-options.nix" { inherit config lib; }) {
               options.serverName = {
                 default = "radicle-${config.networking.hostName}.${config.networking.domain}";
                 defaultText = "radicle-\${config.networking.hostName}.\${config.networking.domain}";

@@ -247,6 +248,24 @@ in

   config = lib.mkIf cfg.enable (lib.mkMerge [
     {
       systemd.mounts = [
          {
           description = "Radicle node configuration";
           what = "${cfg.configFile}";
           where = "${env.RAD_HOME}/config.json";
           type = "none";
           options = "bind";
           wantedBy = [ "radicle-node.service" ] ++ lib.optional cfg.httpd.enable "radicle-httpd.service";
         }
         {
           description = "Radicle node public key";
           what = "${if lib.types.path.check cfg.publicKey then cfg.publicKey else pkgs.writeText "radicle.pub" cfg.publicKey}";
           where = "${env.RAD_HOME}/keys/radicle.pub";
           type = "none";
           options = "bind";
           wantedBy = [ "radicle-node.service" ] ++ lib.optional cfg.httpd.enable "radicle-httpd.service";
         }
       ];
       systemd.services.radicle-node = lib.mkMerge [
         (commonServiceConfig "radicle-node")
         {

@@ -355,4 +374,3 @@ in

     lorenzleutgeb
   ];
 }