Commit 7ec75525 authored by Emily's avatar Emily

hydron: drop

This package was marked as vulnerable in
<https://github.com/NixOS/nixpkgs/pull/255959>, almost a year ago and
over a year after the project was archived upstream. The package and
module are unusable without bypassing a security warning in 23.05,
23.11, and 24.05.

Given that the package is intended as an organizer for
potentially‐untrusted media files, the vulnerability is critical and
leads to remote code execution, and there is basically no prospect
of upstream releasing a fix, remove the package and module entirely
for 24.11.
parent 90ee91b6
+2 −2
@@ -327,7 +327,7 @@ in
      hdfs = 295;
      mapred = 296;
      hadoop = 297;
      hydron = 298;
      #hydron = 298; # removed 2024-08-03
      cfssl = 299;
      cassandra = 300;
      qemu-libvirtd = 301;
@@ -637,7 +637,7 @@ in
      hdfs = 295;
      mapred = 296;
      hadoop = 297;
      hydron = 298;
      #hydron = 298; # removed 2024-08-03
      cfssl = 299;
      cassandra = 300;
      qemu-libvirtd = 301;
+0 −1
@@ -1495,7 +1495,6 @@
  ./services/web-servers/fcgiwrap.nix
  ./services/web-servers/garage.nix
  ./services/web-servers/hitch/default.nix
  ./services/web-servers/hydron.nix
  ./services/web-servers/jboss/default.nix
  ./services/web-servers/keter
  ./services/web-servers/lighttpd/cgit.nix
+1 −0
@@ -67,6 +67,7 @@ in
    (mkRemovedOptionModule [ "services" "fprot" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "frab" ] "The frab module has been removed")
    (mkRemovedOptionModule [ "services" "homeassistant-satellite"] "The `services.homeassistant-satellite` module has been replaced by `services.wyoming-satellite`.")
    (mkRemovedOptionModule [ "services" "hydron" ] "The `services.hydron` module has been removed as the project has been archived upstream since 2022 and is affected by a severe remote code execution vulnerability.")
    (mkRemovedOptionModule [ "services" "ihatemoney" ] "The ihatemoney module has been removed for lack of downstream maintainer")
    (mkRemovedOptionModule [ "services" "kippo" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "mailpile" ] "The corresponding package was removed from nixpkgs.")
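Review bot: The removal message on the new `services.hydron` line cites a "severe remote code execution vulnerability" without naming it, while the deleted package expression recorded it as CVE-2023-4863 in `knownVulnerabilities`; carrying the identifier into the message lets an operator who trips this assertion confirm the advisory without searching git history. The deleted module also provisioned a PostgreSQL role and database named `hydron`, a `hydron` user and group, and a state directory defaulting to `/var/lib/hydron`, none of which a removed-option assertion cleans up, so the message would usefully say these are left behind. Suggested text: `(mkRemovedOptionModule [ "services" "hydron" ] "The \`services.hydron\` module has been removed: the project has been archived upstream since 2022 and is affected by a remote code execution vulnerability (CVE-2023-4863, via its chai2010/webp dependency). The hydron PostgreSQL role/database, user/group and state directory are not removed automatically.")`.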
+0 −164
{ config, lib, pkgs, ... }:

let
  cfg = config.services.hydron;
in with lib; {
  options.services.hydron = {
    enable = mkEnableOption "hydron";

    dataDir = mkOption {
      type = types.path;
      default = "/var/lib/hydron";
      example = "/home/okina/hydron";
      description = "Location where hydron runs and stores data.";
    };

    interval = mkOption {
      type = types.str;
      default = "weekly";
      example = "06:00";
      description = ''
        How often we run hydron import and possibly fetch tags. Runs by default every week.

        The format is described in
        {manpage}`systemd.time(7)`.
      '';
    };

    password = mkOption {
      type = types.str;
      default = "hydron";
      example = "dumbpass";
      description = "Password for the hydron database.";
    };

    passwordFile = mkOption {
      type = types.path;
      default = "/run/keys/hydron-password-file";
      example = "/home/okina/hydron/keys/pass";
      description = "Password file for the hydron database.";
    };

    postgresArgs = mkOption {
      type = types.str;
      description = "Postgresql connection arguments.";
      example = ''
        {
          "driver": "postgres",
          "connection": "user=hydron password=dumbpass dbname=hydron sslmode=disable"
        }
      '';
    };

    postgresArgsFile = mkOption {
      type = types.path;
      default = "/run/keys/hydron-postgres-args";
      example = "/home/okina/hydron/keys/postgres";
      description = "Postgresql connection arguments file.";
    };

    listenAddress = mkOption {
      type = types.nullOr types.str;
      default = null;
      example = "127.0.0.1:8010";
      description = "Listen on a specific IP address and port.";
    };

    importPaths = mkOption {
      type = types.listOf types.path;
      default = [];
      example = [ "/home/okina/Pictures" ];
      description = "Paths that hydron will recursively import.";
    };

    fetchTags = mkOption {
      type = types.bool;
      default = true;
      description = "Fetch tags for imported images and webm from gelbooru.";
    };
  };

  config = mkIf cfg.enable {
    services.hydron.passwordFile = mkDefault (pkgs.writeText "hydron-password-file" cfg.password);
    services.hydron.postgresArgsFile = mkDefault (pkgs.writeText "hydron-postgres-args" cfg.postgresArgs);
    services.hydron.postgresArgs = mkDefault ''
      {
        "driver": "postgres",
        "connection": "user=hydron password=${cfg.password} host=/run/postgresql dbname=hydron sslmode=disable"
      }
    '';

    services.postgresql = {
      enable = true;
      ensureDatabases = [ "hydron" ];
      ensureUsers = [
        { name = "hydron";
          ensureDBOwnership = true;
        }
      ];
    };

    systemd.tmpfiles.rules = [
      "d '${cfg.dataDir}' 0750 hydron hydron - -"
      "d '${cfg.dataDir}/.hydron' - hydron hydron - -"
      "d '${cfg.dataDir}/images' - hydron hydron - -"
      "Z '${cfg.dataDir}' - hydron hydron - -"

      "L+ '${cfg.dataDir}/.hydron/db_conf.json' - - - - ${cfg.postgresArgsFile}"
    ];

    systemd.services.hydron = {
      description = "hydron";
      after = [ "network.target" "postgresql.service" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        User = "hydron";
        Group = "hydron";
        ExecStart = "${pkgs.hydron}/bin/hydron serve"
        + optionalString (cfg.listenAddress != null) " -a ${cfg.listenAddress}";
      };
    };

    systemd.services.hydron-fetch = {
      description = "Import paths into hydron and possibly fetch tags";

      serviceConfig = {
        Type = "oneshot";
        User = "hydron";
        Group = "hydron";
        ExecStart = "${pkgs.hydron}/bin/hydron import "
        + optionalString cfg.fetchTags "-f "
        + (escapeShellArg cfg.dataDir) + "/images " + (escapeShellArgs cfg.importPaths);
      };
    };

    systemd.timers.hydron-fetch = {
      description = "Automatically import paths into hydron and possibly fetch tags";
      after = [ "network.target" "hydron.service" ];
      wantedBy = [ "timers.target" ];

      timerConfig = {
        Persistent = true;
        OnCalendar = cfg.interval;
      };
    };

    users = {
      groups.hydron.gid = config.ids.gids.hydron;

      users.hydron = {
        description = "hydron server service user";
        home = cfg.dataDir;
        group = "hydron";
        uid = config.ids.uids.hydron;
      };
    };
  };

  imports = [
    (mkRenamedOptionModule [ "services" "hydron" "baseDir" ] [ "services" "hydron" "dataDir" ])
  ];

  meta.maintainers = with maintainers; [ Madouura ];
}

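--- a/pkgs/servers/hydron/default.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ lib
-, buildGoModule
-, fetchFromGitHub
-, gitUpdater
-, pkg-config
-, ffmpeg_4
-}:
-
-buildGoModule rec {
-  pname = "hydron";
-  version = "3.3.6";
-
-  src = fetchFromGitHub {
-    owner = "bakape";
-    repo = "hydron";
-    rev = "v${version}";
-    hash = "sha256-Q1pZf5FPQw+pHItcZyOGx0N+iHmz9rW0+ANFsketh6E=";
-  };
-
-  vendorHash = "sha256-hKF2RCGnk/5hNS65vGoDdF1OUPSLe4PDegYlKTeqJDM=";
-  proxyVendor = true;
-
-  nativeBuildInputs = [ pkg-config ];
-  buildInputs = [ ffmpeg_4 ];
-
-  passthru.updateScript = gitUpdater {
-    rev-prefix = "v";
-  };
-
-  meta = with lib; {
-    homepage = "https://github.com/bakape/hydron";
-    description = "High performance media tagger and organizer";
-    license = with licenses; [ lgpl3Plus ];
-    knownVulnerabilities = [ "CVE-2023-4863" ];  # Via https://github.com/chai2010/webp dep
-    maintainers = with maintainers; [ Madouura ];
-  };
-}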