commit c00240e41e89becffe6f05a2df5f781ab76f863f · pyrox.dev/nixpkgs

+59 -12

nixos/modules/services/web-servers/uwsgi.nix

···

       5
        
       let

     

       6
        
         cfg = config.services.uwsgi;

     

       7
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       8
        
         buildCfg = name: c:

     

       9
        
           let

     

       10
        
             plugins =

     

       11
        
               if any (n: !any (m: m == n) cfg.plugins) (c.plugins or [])

     

       12
       -
               then throw "`plugins` attribute in UWSGI configuration contains plugins not in config.services.uwsgi.plugins"

     

       13
        
               else c.plugins or cfg.plugins;

     

       14
        
       

     

       15
        
             hasPython = v: filter (n: n == "python${v}") plugins != [];

     
···

       18
        
       

     

       19
        
             python =

     

       20
        
               if hasPython2 && hasPython3 then

     

       21
       -
                 throw "`plugins` attribute in UWSGI configuration shouldn't contain both python2 and python3"

     

       22
        
               else if hasPython2 then cfg.package.python2

     

       23
        
               else if hasPython3 then cfg.package.python3

     

       24
        
               else null;

     
···

       43
        
                             oldPaths = filter (x: x != null) (map getPath env');

     

       44
        
                         in env' ++ [ "PATH=${optionalString (oldPaths != []) "${last oldPaths}:"}${pythonEnv}/bin" ];

     

       45
        
                     }

     

       46
       -
                 else if c.type == "emperor"

     

       47
        
                   then {

     

       48
        
                     emperor = if builtins.typeOf c.vassals != "set" then c.vassals

     

       49
        
                               else pkgs.buildEnv {

     
···

       51
        
                                 paths = mapAttrsToList buildCfg c.vassals;

     

       52
        
                               };

     

       53
        
                   } // removeAttrs c [ "type" "vassals" ]

     

       54
       -
                 else throw "`type` attribute in UWSGI configuration should be either 'normal' or 'emperor'";

     

       55
        
             };

     

       56
        
       

     

       57
        
           in pkgs.writeTextDir "${name}.json" (builtins.toJSON uwsgiCfg);

     
···

       79
        
             };

     

       80
        
       

     

       81
        
             instance = mkOption {

     

       82
       -
               type =  with lib.types; let

     

       83
        
                 valueType = nullOr (oneOf [

     

       84
        
                   bool

     

       85
        
                   int

     
···

       137
        
             user = mkOption {

     

       138
        
               type = types.str;

     

       139
        
               default = "uwsgi";

     

       140
       -
               description = "User account under which uwsgi runs.";

     

       141
        
             };

     

       142
        
       

     

       143
        
             group = mkOption {

     

       144
        
               type = types.str;

     

       145
        
               default = "uwsgi";

     

       146
       -
               description = "Group account under which uwsgi runs.";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       147
        
             };

     

       148
        
           };

     

       149
        
         };

     

       150
        
       

     

       151
        
         config = mkIf cfg.enable {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       152
        
           systemd.services.uwsgi = {

     

       153
        
             wantedBy = [ "multi-user.target" ];

     

       154
       -
             preStart = ''

     

       155
       -
               mkdir -p ${cfg.runDir}

     

       156
       -
               chown ${cfg.user}:${cfg.group} ${cfg.runDir}

     

       157
       -
             '';

     

       158
        
             serviceConfig = {

     

       0
        
       
     

       0
        
       
     

       159
        
               Type = "notify";

     

       160
       -
               ExecStart = "${cfg.package}/bin/uwsgi --uid ${cfg.user} --gid ${cfg.group} --json ${buildCfg "server" cfg.instance}/server.json";

     

       161
        
               ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";

     

       162
        
               ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID";

     

       163
        
               NotifyAccess = "main";

     

       164
        
               KillSignal = "SIGQUIT";

     

       0
        
       
     

       0
        
       
     

       165
        
             };

     

       166
        
           };

     

       167

···

       5
        
       let

     

       6
        
         cfg = config.services.uwsgi;

     

       7
        
       

     

       8
       +
         isEmperor = cfg.instance.type == "emperor";

     

       9
       +
       

     

       10
       +
         imperialPowers =

     

       11
       +
           [

     

       12
       +
             # spawn other user processes

     

       13
       +
             "CAP_SETUID" "CAP_SETGID"

     

       14
       +
             "CAP_SYS_CHROOT"

     

       15
       +
             # transfer capabilities

     

       16
       +
             "CAP_SETPCAP"

     

       17
       +
             # create other user sockets

     

       18
       +
             "CAP_CHOWN"

     

       19
       +
           ];

     

       20
       +
       

     

       21
        
         buildCfg = name: c:

     

       22
        
           let

     

       23
        
             plugins =

     

       24
        
               if any (n: !any (m: m == n) cfg.plugins) (c.plugins or [])

     

       25
       +
               then throw "`plugins` attribute in uWSGI configuration contains plugins not in config.services.uwsgi.plugins"

     

       26
        
               else c.plugins or cfg.plugins;

     

       27
        
       

     

       28
        
             hasPython = v: filter (n: n == "python${v}") plugins != [];

     
···

       31
        
       

     

       32
        
             python =

     

       33
        
               if hasPython2 && hasPython3 then

     

       34
       +
                 throw "`plugins` attribute in uWSGI configuration shouldn't contain both python2 and python3"

     

       35
        
               else if hasPython2 then cfg.package.python2

     

       36
        
               else if hasPython3 then cfg.package.python3

     

       37
        
               else null;

     
···

       56
        
                             oldPaths = filter (x: x != null) (map getPath env');

     

       57
        
                         in env' ++ [ "PATH=${optionalString (oldPaths != []) "${last oldPaths}:"}${pythonEnv}/bin" ];

     

       58
        
                     }

     

       59
       +
                 else if isEmperor

     

       60
        
                   then {

     

       61
        
                     emperor = if builtins.typeOf c.vassals != "set" then c.vassals

     

       62
        
                               else pkgs.buildEnv {

     
···

       64
        
                                 paths = mapAttrsToList buildCfg c.vassals;

     

       65
        
                               };

     

       66
        
                   } // removeAttrs c [ "type" "vassals" ]

     

       67
       +
                 else throw "`type` attribute in uWSGI configuration should be either 'normal' or 'emperor'";

     

       68
        
             };

     

       69
        
       

     

       70
        
           in pkgs.writeTextDir "${name}.json" (builtins.toJSON uwsgiCfg);

     
···

       92
        
             };

     

       93
        
       

     

       94
        
             instance = mkOption {

     

       95
       +
               type =  with types; let

     

       96
        
                 valueType = nullOr (oneOf [

     

       97
        
                   bool

     

       98
        
                   int

     
···

       150
        
             user = mkOption {

     

       151
        
               type = types.str;

     

       152
        
               default = "uwsgi";

     

       153
       +
               description = "User account under which uWSGI runs.";

     

       154
        
             };

     

       155
        
       

     

       156
        
             group = mkOption {

     

       157
        
               type = types.str;

     

       158
        
               default = "uwsgi";

     

       159
       +
               description = "Group account under which uWSGI runs.";

     

       160
       +
             };

     

       161
       +
       

     

       162
       +
             capabilities = mkOption {

     

       163
       +
               type = types.listOf types.str;

     

       164
       +
               apply = caps: caps ++ optionals isEmperor imperialPowers;

     

       165
       +
               default = [ ];

     

       166
       +
               example = literalExample ''

     

       167
       +
                 [

     

       168
       +
                   "CAP_NET_BIND_SERVICE" # bind on ports <1024

     

       169
       +
                   "CAP_NET_RAW"          # open raw sockets

     

       170
       +
                 ]

     

       171
       +
               '';

     

       172
       +
               description = ''

     

       173
       +
                 Grant capabilities to the uWSGI instance. See the

     

       174
       +
                 <literal>capabilities(7)</literal> for available values.

     

       175
       +
                 <note>

     

       176
       +
                   <para>

     

       177
       +
                     uWSGI runs as an unprivileged user (even as Emperor) with the minimal

     

       178
       +
                     capabilities required. This option can be used to add fine-grained

     

       179
       +
                     permissions without running the service as root.

     

       180
       +
                   </para>

     

       181
       +
                   <para>

     

       182
       +
                     When in Emperor mode, any capability to be inherited by a vassal must

     

       183
       +
                     be specified again in the vassal configuration using <literal>cap</literal>.

     

       184
       +
                     See the uWSGI <link

     

       185
       +
                     xlink:href="https://uwsgi-docs.readthedocs.io/en/latest/Capabilities.html">docs</link>

     

       186
       +
                     for more information.

     

       187
       +
                   </para>

     

       188
       +
                 </note>

     

       189
       +
               '';

     

       190
        
             };

     

       191
        
           };

     

       192
        
         };

     

       193
        
       

     

       194
        
         config = mkIf cfg.enable {

     

       195
       +
           systemd.tmpfiles.rules = optional (cfg.runDir != "/run/uwsgi") ''

     

       196
       +
             d ${cfg.runDir} 775 ${cfg.user} ${cfg.group}

     

       197
       +
           '';

     

       198
       +
       

     

       199
        
           systemd.services.uwsgi = {

     

       200
        
             wantedBy = [ "multi-user.target" ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       201
        
             serviceConfig = {

     

       202
       +
               User = cfg.user;

     

       203
       +
               Group = cfg.group;

     

       204
        
               Type = "notify";

     

       205
       +
               ExecStart = "${cfg.package}/bin/uwsgi --json ${buildCfg "server" cfg.instance}/server.json";

     

       206
        
               ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";

     

       207
        
               ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID";

     

       208
        
               NotifyAccess = "main";

     

       209
        
               KillSignal = "SIGQUIT";

     

       210
       +
               AmbientCapabilities = cfg.capabilities;

     

       211
       +
               CapabilityBoundingSet = cfg.capabilities;

     

       212
        
             };

     

       213
        
           };

     

       214

+45 -16

nixos/tests/uwsgi.nix

···

       6
        
         };

     

       7
        
       

     

       8
        
         machine = { pkgs, ... }: {

     

       9
       -
           services.uwsgi.enable = true;

     

       10
       -
           services.uwsgi.plugins = [ "python3" "php" ];

     

       11
       -
           services.uwsgi.instance = {

     

       12
       -
             type = "emperor";

     

       13
       -
             vassals.python = {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       14
        
               type = "normal";

     

       15
       -
               master = true;

     

       16
       -
               workers = 2;

     

       17
       -
               http = ":8000";

     

       18
        
               module = "wsgi:application";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       19
        
               chdir = pkgs.writeTextDir "wsgi.py" ''

     

       20
        
                 from flask import Flask

     

       0
        
       
     

       21
        
                 application = Flask(__name__)

     

       22
        
       

     

       23
        
                 @application.route("/")

     

       24
        
                 def hello():

     

       25
       -
                     return "Hello World!"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       26
        
               '';

     

       27
       -
               pythonPackages = self: with self; [ flask ];

     

       28
        
             };

     

       29
       -
             vassals.php = {

     

       0
        
       
     

       30
        
               type = "normal";

     

       31
        
               master = true;

     

       32
        
               workers = 2;

     

       33
       -
               http-socket = ":8001";

     

       34
        
               http-socket-modifier1 = 14;

     

       35
        
               php-index = "index.php";

     

       36
        
               php-docroot = pkgs.writeTextDir "index.php" ''

     
···

       44
        
           ''

     

       45
        
             machine.wait_for_unit("multi-user.target")

     

       46
        
             machine.wait_for_unit("uwsgi.service")

     

       47
       -
             machine.wait_for_open_port(8000)

     

       48
       -
             machine.wait_for_open_port(8001)

     

       49
       -
             assert "Hello World" in machine.succeed("curl -fv 127.0.0.1:8000")

     

       50
       -
             assert "Hello World" in machine.succeed("curl -fv 127.0.0.1:8001")

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       51
        
           '';

     

       52
        
       })

···

       6
        
         };

     

       7
        
       

     

       8
        
         machine = { pkgs, ... }: {

     

       9
       +
           users.users.hello  =

     

       10
       +
             { isSystemUser = true;

     

       11
       +
               group = "hello";

     

       12
       +
             };

     

       13
       +
           users.groups.hello = { };

     

       14
       +
       

     

       15
       +
           services.uwsgi = {

     

       16
       +
             enable = true;

     

       17
       +
             plugins = [ "python3" "php" ];

     

       18
       +
             capabilities = [ "CAP_NET_BIND_SERVICE" ];

     

       19
       +
             instance.type = "emperor";

     

       20
       +
       

     

       21
       +
             instance.vassals.hello = {

     

       22
        
               type = "normal";

     

       23
       +
               immediate-uid = "hello";

     

       24
       +
               immediate-gid = "hello";

     

       0
        
       
     

       25
        
               module = "wsgi:application";

     

       26
       +
               http = ":80";

     

       27
       +
               cap = "net_bind_service";

     

       28
       +
               pythonPackages = self: [ self.flask ];

     

       29
        
               chdir = pkgs.writeTextDir "wsgi.py" ''

     

       30
        
                 from flask import Flask

     

       31
       +
                 import subprocess

     

       32
        
                 application = Flask(__name__)

     

       33
        
       

     

       34
        
                 @application.route("/")

     

       35
        
                 def hello():

     

       36
       +
                     return "Hello, World!"

     

       37
       +
       

     

       38
       +
                 @application.route("/whoami")

     

       39
       +
                 def whoami():

     

       40
       +
                     whoami = "${pkgs.coreutils}/bin/whoami"

     

       41
       +
                     proc = subprocess.run(whoami, capture_output=True)

     

       42
       +
                     return proc.stdout.decode().strip()

     

       43
        
               '';

     

       0
        
       
     

       44
        
             };

     

       45
       +
       

     

       46
       +
             instance.vassals.php = {

     

       47
        
               type = "normal";

     

       48
        
               master = true;

     

       49
        
               workers = 2;

     

       50
       +
               http-socket = ":8000";

     

       51
        
               http-socket-modifier1 = 14;

     

       52
        
               php-index = "index.php";

     

       53
        
               php-docroot = pkgs.writeTextDir "index.php" ''

     
···

       61
        
           ''

     

       62
        
             machine.wait_for_unit("multi-user.target")

     

       63
        
             machine.wait_for_unit("uwsgi.service")

     

       64
       +
       

     

       65
       +
             with subtest("uWSGI has started"):

     

       66
       +
                 machine.wait_for_unit("uwsgi.service")

     

       67
       +
       

     

       68
       +
             with subtest("Vassal can bind on port <1024"):

     

       69
       +
                 machine.wait_for_open_port(80)

     

       70
       +
                 hello = machine.succeed("curl -f http://machine").strip()

     

       71
       +
                 assert "Hello, World!" in hello, f"Excepted 'Hello, World!', got '{hello}'"

     

       72
       +
       

     

       73
       +
             with subtest("Vassal is running as dedicated user"):

     

       74
       +
                 username = machine.succeed("curl -f http://machine/whoami").strip()

     

       75
       +
                 assert username == "hello", f"Excepted 'hello', got '{username}'"

     

       76
       +
       

     

       77
       +
             with subtest("PHP plugin is working"):

     

       78
       +
                 machine.wait_for_open_port(8000)

     

       79
       +
                 assert "Hello World" in machine.succeed("curl -fv http://machine:8000")

     

       80
        
           '';

     

       81
        
       })