From 4bfd6c2547dab100cde1dbc60e3d623499ead2c4 Mon Sep 17 00:00:00 2001
From: Ana Hobden
Date: Mon, 26 Jun 2023 10:36:46 -0700
Subject: [PATCH] Use ssl-cert-file config (#527)

* Use ssl-cert-file config
* Include mac change
* Use canonical ssl cert file
* Don't set ssl-cert-file in shell profiles
* Canonicalize in diagnostics
* Optionally read cert file
---
 src/action/common/configure_init_service.rs | 72 +-------------------
 src/action/common/configure_nix.rs | 10 ++-
 src/action/common/configure_shell_profile.rs | 13 ----
 src/action/common/place_nix_configuration.rs | 11 +++
 src/cli/subcommand/install.rs | 12 +---
 src/diagnostics.rs | 8 ++-
 src/planner/linux.rs | 12 ++--
 src/planner/macos.rs | 12 ++--
 src/planner/steam_deck.rs | 12 ++--
 9 files changed, 35 insertions(+), 127 deletions(-)

diff --git a/src/action/common/configure_init_service.rs b/src/action/common/configure_init_service.rs
index 4d301b695..a8ba67902 100644
--- a/src/action/common/configure_init_service.rs
+++ b/src/action/common/configure_init_service.rs
@@ -34,7 +34,6 @@ Configure the init to run the Nix daemon
 pub struct ConfigureInitService {
 init: InitSystem,
 start_daemon: bool,
- ssl_cert_file: Option,
 }
 
 impl ConfigureInitService {
@@ -72,18 +71,7 @@ impl ConfigureInitService {
 pub async fn plan(
 init: InitSystem,
 start_daemon: bool,
- ssl_cert_file: Option,
 ) -> Result, ActionError> {
- let ssl_cert_file_path = if let Some(ssl_cert_file) = ssl_cert_file {
- Some(
- ssl_cert_file
- .canonicalize()
- .map_err(|e| Self::error(ActionErrorKind::Canonicalize(ssl_cert_file, e)))?,
- )
- } else {
- None
- };
-
 match init {
 #[cfg(target_os = "macos")]
 InitSystem::Launchd => {
@@ -114,12 +102,7 @@ impl ConfigureInitService {
 },
 };
 
- Ok(Self {
- init,
- start_daemon,
- ssl_cert_file: ssl_cert_file_path,
- }
- .into())
+ Ok(Self { init, start_daemon }.into())
 }
 
 }
@@ -180,11 +163,7 @@ impl Action for ConfigureInitService {
 
 #[tracing::instrument(level = "debug", skip_all)]
 async fn execute(&mut self) -> Result<(), ActionError> {
- let Self {
- init,
- start_daemon,
- ssl_cert_file,
- } = self;
+ let Self { init, start_daemon } = self;
 
 match init {
 #[cfg(target_os = "macos")]
@@ -210,19 +189,6 @@ impl Action for ConfigureInitService {
 .await
 .map_err(Self::error)?;
 
- if let Some(ssl_cert_file) = ssl_cert_file {
- execute_command(
- Command::new("launchctl")
- .process_group(0)
- .arg("setenv")
- .arg("NIX_SSL_CERT_FILE")
- .arg(format!("{ssl_cert_file:?}"))
- .stdin(std::process::Stdio::null()),
- )
- .await
- .map_err(Self::error)?;
- }
-
 if *start_daemon {
 execute_command(
 Command::new("launchctl")
@@ -350,30 +316,6 @@ impl Action for ConfigureInitService {
 .map_err(Self::error)?;
 }
 
- if let Some(ssl_cert_file) = ssl_cert_file {
- let service_conf_dir_path = PathBuf::from(format!("{SERVICE_DEST}.d"));
- tokio::fs::create_dir(&service_conf_dir_path)
- .await
- .map_err(|e| {
- ActionErrorKind::CreateDirectory(service_conf_dir_path.clone(), e)
- })
- .map_err(Self::error)?;
- let service_conf_file_path =
- service_conf_dir_path.join("nix-ssl-cert-file.conf");
- tokio::fs::write(
- service_conf_file_path,
- format!(
- "\
- [Service]\n\
- Environment=\"NIX_SSL_CERT_FILE={ssl_cert_file:?}\"\n\
- "
- ),
- )
- .await
- .map_err(|e| ActionErrorKind::Write(ssl_cert_file.clone(), e))
- .map_err(Self::error)?;
- }
-
 if *start_daemon || socket_was_active {
 enable(SOCKET_SRC, true).await.map_err(Self::error)?;
 } else {
@@ -514,16 +456,6 @@ impl Action for ConfigureInitService {
 errors.push(err);
 }
 
- if self.ssl_cert_file.is_some() {
- let service_conf_dir_path = PathBuf::from(format!("{SERVICE_DEST}.d"));
- if let Err(err) = tokio::fs::remove_dir_all(&service_conf_dir_path)
- .await
- .map_err(|e| ActionErrorKind::Remove(service_conf_dir_path.clone(), e))
- {
- errors.push(err);
- }
- }
-
 if let Err(err) = tokio::fs::remove_file(TMPFILES_DEST)
 .await
 .map_err(|e| ActionErrorKind::Remove(PathBuf::from(TMPFILES_DEST), e))
diff --git a/src/action/common/configure_nix.rs b/src/action/common/configure_nix.rs
index e427dfede..b3225db39 100644
--- a/src/action/common/configure_nix.rs
+++ b/src/action/common/configure_nix.rs
@@ -34,18 +34,16 @@ impl ConfigureNix {
 
 let configure_shell_profile = if settings.modify_profile {
 Some(
- ConfigureShellProfile::plan(
- shell_profile_locations,
- settings.ssl_cert_file.clone(),
- )
- .await
- .map_err(Self::error)?,
+ ConfigureShellProfile::plan(shell_profile_locations)
+ .await
+ .map_err(Self::error)?,
 )
 } else {
 None
 };
 let place_nix_configuration = PlaceNixConfiguration::plan(
 settings.nix_build_group_name.clone(),
+ settings.ssl_cert_file.clone(),
 settings.extra_conf.clone(),
 settings.force,
 )
diff --git a/src/action/common/configure_shell_profile.rs b/src/action/common/configure_shell_profile.rs
index d99c605b4..2a5479dde 100644
--- a/src/action/common/configure_shell_profile.rs
+++ b/src/action/common/configure_shell_profile.rs
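Review bot: revert() in this hunk no longer removes the `{SERVICE_DEST}.d` drop-in directory that previous installer versions created for `nix-ssl-cert-file.conf`, and nothing else in the commit migrates it, so a system installed by an older version and uninstalled with this code would keep a drop-in that still points the daemon's `NIX_SSL_CERT_FILE` at whatever file was configured back then (whether uninstall always runs the originally installed binary is not visible here). The `ssl_cert_file` field also leaves the `ConfigureInitService` struct in this file's first hunk; how an older receipt that still carries that field deserializes depends on the struct's serde attributes, which are outside the hunk. A best-effort `remove_dir_all` of that directory when it exists, or a note in the commit description that old installs are not migrated, would close the gap. revert() starts and ends outside the hunk.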
@@ -26,25 +26,13 @@ impl ConfigureShellProfile {
 #[tracing::instrument(level = "debug", skip_all)]
 pub async fn plan(
 locations: ShellProfileLocations,
- ssl_cert_file: Option,
 ) -> Result, ActionError> {
 let mut create_or_insert_files = Vec::default();
 let mut create_directories = Vec::default();
 
- let maybe_ssl_cert_file_setting = if let Some(ssl_cert_file) = ssl_cert_file {
- format!(
- "export NIX_SSL_CERT_FILE={:?}\n",
- ssl_cert_file.canonicalize().map_err(|e| {
- Self::error(ActionErrorKind::Canonicalize(ssl_cert_file, e))
- })?
- )
- } else {
- "".to_string()
- };
 let shell_buf = format!(
 "\n\
 # Nix\n\
- {maybe_ssl_cert_file_setting}\
 if [ -e '{PROFILE_NIX_FILE_SHELL}' ]; then\n\
 {inde}. '{PROFILE_NIX_FILE_SHELL}'\n\
 fi\n\
@@ -80,7 +68,6 @@ impl ConfigureShellProfile {
 let fish_buf = format!(
 "\n\
 # Nix\n\
- {maybe_ssl_cert_file_setting}\
 if test -e '{PROFILE_NIX_FILE_FISH}'\n\
 {inde}. '{PROFILE_NIX_FILE_FISH}'\n\
 end\n\
diff --git a/src/action/common/place_nix_configuration.rs b/src/action/common/place_nix_configuration.rs
index d7d09bc1a..a99eae771 100644
--- a/src/action/common/place_nix_configuration.rs
+++ b/src/action/common/place_nix_configuration.rs
@@ -6,6 +6,7 @@ use crate::action::{
 Action, ActionDescription, ActionError, ActionErrorKind, ActionTag, StatefulAction,
 };
 use std::collections::hash_map::Entry;
+use std::path::PathBuf;
 
 const NIX_CONF_FOLDER: &str = "/etc/nix";
 const NIX_CONF: &str = "/etc/nix/nix.conf";
@@ -23,6 +24,7 @@ impl PlaceNixConfiguration {
 #[tracing::instrument(level = "debug", skip_all)]
 pub async fn plan(
 nix_build_group_name: String,
+ ssl_cert_file: Option,
 extra_conf: Vec,
 force: bool,
 ) -> Result, ActionError> {
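Review bot: The new `ssl_cert_file` parameter of `PlaceNixConfiguration::plan` in the last hunk on this line is undocumented, although its effect is not local: the next hunk canonicalizes it and writes it into `/etc/nix/nix.conf` as `ssl-cert-file`, which presumably governs which CA bundle the daemon and every Nix client on the machine trust. A short doc comment on plan() would make that contract visible to callers, e.g. `/// ssl_cert_file: optional CA bundle path; it must exist at plan time (it is canonicalized then) and is written to nix.conf as 'ssl-cert-file' for the whole system.` The enclosing impl block continues outside the hunk.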
@@ -53,6 +55,15 @@ impl PlaceNixConfiguration {
 "bash-prompt-prefix".to_string(),
 "(nix:$name)\\040".to_string(),
 );
+ if let Some(ssl_cert_file) = ssl_cert_file {
+ let ssl_cert_file_canonical = ssl_cert_file
+ .canonicalize()
+ .map_err(|e| Self::error(ActionErrorKind::Canonicalize(ssl_cert_file, e)))?;
+ settings.insert(
+ "ssl-cert-file".to_string(),
+ ssl_cert_file_canonical.display().to_string(),
+ );
+ }
 settings.insert(
 "extra-nix-path".to_string(),
 "nixpkgs=flake:nixpkgs".to_string(),
diff --git a/src/cli/subcommand/install.rs b/src/cli/subcommand/install.rs
index 9b87a1fc1..033e28e0b 100644
--- a/src/cli/subcommand/install.rs
+++ b/src/cli/subcommand/install.rs
@@ -307,7 +307,7 @@ impl CommandExecute for Install {
 println!(
 "\
 {success}\n\
- To get started using Nix, open a new shell or run `{maybe_ssl_cert_file_reminder}{shell_reminder}`\n\
+ To get started using Nix, open a new shell or run `{shell_reminder}`\n\
 ",
 success = "Nix was installed successfully!".green().bold(),
 shell_reminder = match std::env::var("SHELL") {
@@ -316,16 +316,6 @@ impl CommandExecute for Install {
 Ok(_) | Err(_) =>
 ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh".bold(),
 },
- maybe_ssl_cert_file_reminder = if let Some(ssl_cert_file) = &settings.ssl_cert_file {
- format!(
- "export NIX_SSL_CERT_FILE={:?}; ",
- ssl_cert_file
- .canonicalize()
- .map_err(|e| { eyre!(e).wrap_err(format!("Could not canonicalize {}", ssl_cert_file.display())) })?
- )
- } else {
- "".to_string()
- }
 );
 },
 }
diff --git a/src/diagnostics.rs b/src/diagnostics.rs
index 4b4e8ba10..18de1cc9d 100644
--- a/src/diagnostics.rs
+++ b/src/diagnostics.rs
@@ -89,7 +89,7 @@ impl DiagnosticData {
 os_version,
 triple: target_lexicon::HOST.to_string(),
 is_ci,
- ssl_cert_file,
+ ssl_cert_file: ssl_cert_file.and_then(|v| v.canonicalize().ok()),
 failure_chain: None,
 })
 }
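Review bot: The canonical path is written into the `settings` map with `display().to_string()`, which is lossy for a non-UTF-8 path, and it goes in unquoted: nix.conf has no quoting syntax, and as far as I recall Nix's parser drops everything after a `#` and re-tokenizes values on whitespace, so a path containing either would silently point `ssl-cert-file` somewhere else or at nothing, leaving the daemon on its default trust roots without any error at install time. Because this becomes a system-wide trust anchor, I'd validate before inserting: take `ssl_cert_file_canonical.to_str()` and reject `None` as well as strings containing `#` or whitespace with a suitable `ActionErrorKind`, instead of calling `display()`. Canonicalizing only proves the file exists for the installing user; nothing checks it is readable by the daemon's user, so a permission mistake surfaces later as TLS failures rather than here. plan() starts and ends outside the hunk.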
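Review bot: `ssl_cert_file.and_then(|v| v.canonicalize().ok())` in the diagnostics hunk drops a configured-but-unresolvable certificate path to `None`, so the report claims no cert file was set at exactly the moment a bad path is the most likely cause of the failure being reported. Keeping the user's value when canonicalization fails preserves that signal: `ssl_cert_file: ssl_cert_file.map(|v| v.canonicalize().unwrap_or(v)),`. The enclosing constructor starts outside the hunk.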
@@ -174,8 +174,10 @@ impl DiagnosticData {
 tracing::debug!("Sending diagnostic to `{endpoint}`");
 let mut buildable_client = reqwest::Client::builder();
 if let Some(ssl_cert_file) = &self.ssl_cert_file {
- let ssl_cert = parse_ssl_cert(&ssl_cert_file).await?;
- buildable_client = buildable_client.add_root_certificate(ssl_cert);
+ let ssl_cert = parse_ssl_cert(&ssl_cert_file).await.ok();
+ if let Some(ssl_cert) = ssl_cert {
+ buildable_client = buildable_client.add_root_certificate(ssl_cert);
+ }
 }
 let client = buildable_client
 .build()
diff --git a/src/planner/linux.rs b/src/planner/linux.rs
index 8f7e90629..b394a1ab5 100644
--- a/src/planner/linux.rs
+++ b/src/planner/linux.rs
@@ -88,14 +88,10 @@ impl Planner for Linux {
 }
 
 plan.push(
- ConfigureInitService::plan(
- self.init.init,
- self.init.start_daemon,
- self.settings.ssl_cert_file.clone(),
- )
- .await
- .map_err(PlannerError::Action)?
- .boxed(),
+ ConfigureInitService::plan(self.init.init, self.init.start_daemon)
+ .await
+ .map_err(PlannerError::Action)?
+ .boxed(),
 );
 plan.push(
 RemoveDirectory::plan(crate::settings::SCRATCH_DIR)
diff --git a/src/planner/macos.rs b/src/planner/macos.rs
index 6cc1c6de1..9577dc0c0 100644
--- a/src/planner/macos.rs
+++ b/src/planner/macos.rs
@@ -157,14 +157,10 @@ impl Planner for Macos {
 .await
 .map_err(PlannerError::Action)?
 .boxed(),
- ConfigureInitService::plan(
- InitSystem::Launchd,
- true,
- self.settings.ssl_cert_file.clone(),
- )
- .await
- .map_err(PlannerError::Action)?
- .boxed(),
+ ConfigureInitService::plan(InitSystem::Launchd, true)
+ .await
+ .map_err(PlannerError::Action)?
+ .boxed(),
 RemoveDirectory::plan(crate::settings::SCRATCH_DIR)
 .await
 .map_err(PlannerError::Action)?
diff --git a/src/planner/steam_deck.rs b/src/planner/steam_deck.rs
index b6abe0e6a..38f7426b2 100644
--- a/src/planner/steam_deck.rs
+++ b/src/planner/steam_deck.rs
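Review bot: `parse_ssl_cert(&ssl_cert_file).await.ok()` discards the parse error silently, so a corrupt or wrongly formatted bundle shows up later as an opaque TLS failure when the diagnostic is sent, with nothing saying the configured certificate was skipped; the one-line form `let ssl_cert = parse_ssl_cert(ssl_cert_file).await.map_err(|e| tracing::warn!("Ignoring unusable ssl-cert-file {}: {e}", ssl_cert_file.display())).ok();` keeps the new best-effort behaviour but leaves a trace. That also drops the redundant `&` on `ssl_cert_file`, which is already a reference from `&self.ssl_cert_file` (clippy `needless_borrow`). The enclosing function starts and ends outside the hunk.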
@@ -334,14 +334,10 @@ impl Planner for SteamDeck {
 .map_err(PlannerError::Action)?
 .boxed(),
 // Init is required for the steam-deck archetype to make the `/nix` mount
- ConfigureInitService::plan(
- InitSystem::Systemd,
- true,
- self.settings.ssl_cert_file.clone(),
- )
- .await
- .map_err(PlannerError::Action)?
- .boxed(),
+ ConfigureInitService::plan(InitSystem::Systemd, true)
+ .await
+ .map_err(PlannerError::Action)?
+ .boxed(),
 StartSystemdUnit::plan("ensure-symlinked-units-resolve.service".to_string(), true)
 .await
 .map_err(PlannerError::Action)?