Unverified Commit ce5fe99d authored by Martin Weinelt's avatar Martin Weinelt Committed by GitHub

Merge pull request #203262 from NixOS/backport-203245-to-release-22.11

parents 89612a90 5aada2f8
+58 −39
@@ -19,29 +19,66 @@ in
    };

    settings = mkOption {
      type = format.type;
      default = {};
      description = lib.mdDoc ''
        Your {file}`pinnwand.toml` as a Nix attribute set. Look up
        possible options in the [pinnwand.toml-example](https://github.com/supakeen/pinnwand/blob/master/pinnwand.toml-example).
        possible options in the [documentation](https://pinnwand.readthedocs.io/en/v${pkgs.pinnwand.version}/configuration.html).
      '';
      type = types.submodule {
        freeformType = format.type;
        options = {
          database_uri = mkOption {
            type = types.str;
            default = "sqlite:////var/lib/pinnwand/pinnwand.db";
            example = "sqlite:///:memory";
            description = lib.mdDoc ''
              Database URI compatible with [SQLAlchemyhttps://docs.sqlalchemy.org/en/14/core/engines.html#database-urls].

              Additional packages may need to be introduced into the environment for certain databases.
            '';
      default = {};
    };
          };

  config = mkIf cfg.enable {
    services.pinnwand.settings = {
      database_uri = mkDefault "sqlite:////var/lib/pinnwand/pinnwand.db";
      paste_size = mkDefault 262144;
      paste_help = mkDefault ''
          paste_size = mkOption {
            type = types.ints.positive;
            default = 262144;
            example = 524288;
            description = lib.mdDoc ''
              Maximum size of a paste in bytes.
            '';
          };
          paste_help = mkOption {
            type = types.str;
            default = ''
              <p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p>
              '';
      footer = mkDefault ''
            description = lib.mdDoc ''
              Raw HTML help text shown in the header area.
            '';
          };
          footer = mkOption {
            type = types.str;
            default = ''
              View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page.
            '';
            description = lib.mdDoc ''
              The footer in raw HTML.
            '';
          };
        };
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.pinnwand = {
      description = "Pinnwannd HTTP Server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

    systemd.services = let
      hardeningOptions = {
      unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/";

      serviceConfig = {
        ExecStart = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile} http --port ${toString cfg.port}";
        User = "pinnwand";
        DynamicUser = true;

@@ -72,32 +109,14 @@ in
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = "@system-service";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
        UMask = "0077";
      };

      command = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile}";
    in {
      pinnwand = {
        description = "Pinnwannd HTTP Server";
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];

        unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/";

        serviceConfig = {
          ExecStart = "${command} http --port ${toString(cfg.port)}";
        } // hardeningOptions;
      };

      pinnwand-reaper = {
        description = "Pinnwand Reaper";
        startAt = "daily";

        serviceConfig = {
          ExecStart = "${command} -vvvv reap";  # verbosity increased to show number of deleted pastes
        } // hardeningOptions;
      };
    };
  };

  meta.buildDocsInSandbox = false;
}
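Review bot: The new `database_uri` option invites non-SQLite backends, but its value is written into the file passed as `--configuration-path ${configFile}`, which appears to be a Nix store path (the `configFile` definition is outside the hunk), so a URI that embeds a database password would end up world-readable. The option description should say so, for example `Do not put credentials in this URI; the generated configuration file is stored world-readable in the Nix store.` Two smaller defects sit in the same option. The example should read `sqlite:///:memory:` with the trailing colon, since without it SQLAlchemy treats `:memory` as a file name. The Markdown link should be `[SQLAlchemy](https://docs.sqlalchemy.org/en/14/core/engines.html#database-urls)`, as the current text lacks the `](` separator and closing parenthesis.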
+28 −29
import ./make-test-python.nix ({ pkgs, ...}:
let
  pythonEnv = pkgs.python3.withPackages (py: with py; [ appdirs toml ]);

  port = 8000;
  baseUrl = "http://server:${toString port}";

  configureSteck = pkgs.writeScript "configure.py" ''
    #!${pythonEnv.interpreter}
    import appdirs
    import toml
    import os

    CONFIG = {
      "base": "${baseUrl}/",
      "confirm": False,
      "magic": True,
      "ignore": True
    }

    os.makedirs(appdirs.user_config_dir('steck'))
    with open(os.path.join(appdirs.user_config_dir('steck'), 'steck.toml'), "w") as fd:
        toml.dump(CONFIG, fd)
    '';
in
{
  name = "pinnwand";
@@ -44,7 +24,32 @@ in

    client = { pkgs, ... }:
    {
      environment.systemPackages = [ pkgs.steck ];
      environment.systemPackages = [
        pkgs.steck

        (pkgs.writers.writePython3Bin "setup-steck.py" {
          libraries = with pkgs.python3.pkgs; [ appdirs toml ];
          flakeIgnore = [
            "E501"
          ];
        }
        ''
          import appdirs
          import toml
          import os

          CONFIG = {
              "base": "${baseUrl}/",
              "confirm": False,
              "magic": True,
              "ignore": True
          }

          os.makedirs(appdirs.user_config_dir('steck'))
          with open(os.path.join(appdirs.user_config_dir('steck'), 'steck.toml'), "w") as fd:
              toml.dump(CONFIG, fd)
        '')
      ];
    };
  };

@@ -55,7 +60,7 @@ in
    client.wait_for_unit("network.target")

    # create steck.toml config file
    client.succeed("${configureSteck}")
    client.succeed("setup-steck.py")

    # wait until the server running pinnwand is reachable
    client.wait_until_succeeds("ping -c1 server")
@@ -75,12 +80,6 @@ in
        if line.startswith("Removal link:"):
            removal_link = line.split(":", 1)[1]


    # start the reaper, it shouldn't do anything meaningful here
    server.systemctl("start pinnwand-reaper.service")
    server.wait_until_fails("systemctl is-active -q pinnwand-reaper.service")
    server.log(server.execute("journalctl -u pinnwand-reaper -e --no-pager")[1])

    # check whether paste matches what we sent
    client.succeed(f"curl {raw_url} > /tmp/machine-id")
    client.succeed("diff /tmp/machine-id /etc/machine-id")
@@ -89,6 +88,6 @@ in
    client.succeed(f"curl {removal_link}")
    client.fail(f"curl --fail {raw_url}")

    server.log(server.succeed("systemd-analyze security pinnwand"))
    server.log(server.execute("systemd-analyze security pinnwand | grep '✗'")[1])
  '';
})
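Review bot: The closing `systemd-analyze security pinnwand | grep '✗'` call runs through `server.execute` and its output is only logged, so a regression in the unit's sandboxing (for example losing the `~@privileged` entry in `SystemCallFilter`) would not fail this test. If the exposure level is meant to be guarded, `server.succeed("systemd-analyze security --threshold=<max-exposure> pinnwand")` would turn the report into an assertion, where `<max-exposure>` is a placeholder for a value the maintainers choose. A short comment above the logging line, such as `# informational only: lists the hardening checks the unit still fails`, would also make the intent explicit.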
+8 −18
@@ -7,24 +7,16 @@

with python3.pkgs; buildPythonApplication rec {
  pname = "pinnwand";
  version = "1.3.0";
  version = "1.4.0";
  format = "pyproject";

  src = fetchFromGitHub {
    owner = "supakeen";
    repo = pname;
    rev = "v${version}";
    sha256 = "046xk2y59wa0pdp7s3hp1gh8sqdw0yl4xab22r2x44iwwcyb0gy5";
    rev = "refs/tags/v${version}";
    hash = "sha256-zJH2ojLQChElRvU2TWg4lW+Mey+wP0XbLJhVF16nvss=";
  };

  postPatch = ''
    substituteInPlace pyproject.toml \
      --replace 'click = "^7.0"' 'click = "*"' \
      --replace 'docutils = "^0.16"' 'docutils = "*"' \
      --replace 'sqlalchemy = "^1.3"' 'sqlalchemy = "*"' \
      --replace 'token-bucket = "^0.2.0"' 'token-bucket = "*"'
  '';

  nativeBuildInputs = [
    poetry-core
  ];
@@ -36,15 +28,12 @@ with python3.pkgs; buildPythonApplication rec {
    pygments-better-html
    sqlalchemy
    token-bucket
    toml
    tomli
    tornado
  ];

  checkInputs = [ pytestCheckHook ];

  disabledTests = [
    # pygments renamed rst to restructuredText, hence a mismatch on this test
    "test_guess_language"
  checkInputs = [
    pytestCheckHook
  ];

  __darwinAllowLocalNetworking = true;
@@ -52,9 +41,10 @@ with python3.pkgs; buildPythonApplication rec {
  passthru.tests = nixosTests.pinnwand;

  meta = with lib; {
    changelog = "https://github.com/supakeen/pinnwand/releases/tag/v${version}";
    description = "A Python pastebin that tries to keep it simple";
    homepage = "https://supakeen.com/project/pinnwand/";
    license = licenses.mit;
    description = "A Python pastebin that tries to keep it simple";
    maintainers = with maintainers; [ hexa ];
  };
}