nixpkgs
nixos/v2ray: pass the config to the service as a credential
If `config.services.v2ray.configFile` points to a file which is not world-readable (e.g., it belongs to `root` and is readable by `root` only), the service fails to start with the following error:

```
Failed to start: main/commands: failed to load config: [/etc/v2ray/config.json] > fail to load /etc/v2ray/config.json: open /etc/v2ray/config.json: permission denied
```
This can happen, for example, if you use tools like agenix/ragenix (1) to decrypt config files that are stored encrypted in a Git repo:
```nix
config = {
  # ...
  # agenix decrypts the secret at activation; mode 400 makes it root-only.
  age.secrets = {
    v2ray = {
      file = ../../secrets/v2ray/server.age;
      mode = "400";
    };
  };
  # ...
  # Point the module at the decrypted file. The service runs as a dynamic
  # user, which cannot open a root-only file.
  services.v2ray = {
    enable = true;
    configFile = config.age.secrets.v2ray.path;
  };
  # ...
};
```
Agenix decrypts `../../secrets/v2ray/server.age` using the private SSH keys on that machine at system activation and mounts the result at a well-known path (exposed as `config.age.secrets.v2ray.path`). In this example, the decrypted file would be readable by `root` only.

Since the systemd service is started with a dynamically allocated user (2), it cannot read the config file and fails.
Description of changes
In this PR I utilize service credentials (3) (namely, `LoadCredential=`) to pass the config file to the service, which allows the dynamic service user to read it.
Things done
- Built on platform(s)
  - [ ] x86_64-linux
  - [ ] aarch64-linux
  - [ ] x86_64-darwin
  - [ ] aarch64-darwin
- For non-Linux: Is sandboxing enabled in `nix.conf`? (See Nix manual)
  - [ ] `sandbox = relaxed`
  - [ ] `sandbox = true`
- [x] Tested, as applicable:
  - [x] NixOS test(s) (look inside nixos/tests) — run `nix-build -A nixosTests.v2ray`
  - and/or package tests
  - or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  - made sure NixOS tests are linked to the relevant packages
- [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see nixpkgs-review usage
- [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
- 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  - [ ] (Package updates) Added a release notes entry if the change is major or breaking
  - [ ] (Module updates) Added a release notes entry if the change is significant
  - [ ] (Module addition) Added a release notes entry if adding a new NixOS module
- [x] Fits CONTRIBUTING.md.
Add a :+1: reaction to pull requests you find important.
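As an added illustration of the mechanism this PR relies on (this is not the nixpkgs v2ray module code from the PR and not agenix's code), the following NixOS configuration fragment wires a root-only agenix secret into a `DynamicUser=` service with `LoadCredential=`. systemd reads the source file with its own privileges while setting up the unit and exposes a per-service copy under `$CREDENTIALS_DIRECTORY`, so the dynamic user never needs read access to the original path. The unit name `v2ray-example`, the credential name `v2ray.json`, the secret path and the `v2ray run -config` command line are assumptions made for the example.

```nix
# Added example, not the nixpkgs v2ray module and not agenix code: a NixOS
# configuration fragment that hands a root-only secret to a DynamicUser=
# service through LoadCredential=. The secret path, the credential name
# "v2ray.json" and the `v2ray run -config` invocation are assumptions.
{ config, pkgs, ... }:

{
  # Decrypted by agenix at activation; mode 400 and owner root, so no other
  # user on the host can read the plaintext from its on-disk location.
  age.secrets.v2ray = {
    file = ../../secrets/v2ray/server.age;  # assumed repo-relative path
    mode = "400";
    owner = "root";
  };

  systemd.services.v2ray-example = {
    description = "v2ray with its config passed as a systemd credential (added example)";
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      DynamicUser = true;

      # systemd opens the source file as root before switching to the dynamic
      # user and places a copy at $CREDENTIALS_DIRECTORY/v2ray.json that only
      # that user can read. The service needs no permission on the original.
      LoadCredential = "v2ray.json:${config.age.secrets.v2ray.path}";

      # %d is systemd's specifier for the credentials directory, so the unit
      # does not hardcode the path. The CLI form is an assumption.
      ExecStart = "${pkgs.v2ray}/bin/v2ray run -config %d/v2ray.json";

      # Hardening that is independent of the credential mechanism.
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      PrivateTmp = true;
      Restart = "on-failure";
    };
  };
}
```

Once the unit is active, `systemctl show -p LoadCredential v2ray-example.service` shows the mapping, and the decrypted file on disk keeps its `0400 root` permissions. One caveat worth knowing: the credential is a copy taken at service start, so re-decrypting or editing the source file only takes effect after the unit is restarted.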