Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

filebrowser: 2.23.0 -> 2.28.0, add service module #289750

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

filebrowser: 2.23.0 -> 2.28.0, add service module #289750

wants to merge 5 commits into from

Conversation

christoph-heiss
Copy link
Contributor

@christoph-heiss christoph-heiss commented Feb 18, 2024
edited
Loading

Description of changes

Updates the filebrowser package from 2.23.0 to 2.28.0 and adds an appropriate service module for it.

Changelog: filebrowser/filebrowser@v2.23.0...v2.28.0

cc @nielsegberts As this package has not been updated in nearly a year, are you still interested?

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@fin444
Copy link
Contributor

fin444 commented Feb 20, 2024

I haven't done rigorous testing, and I'm not experienced enough to provide full review of a module, but it is working well for me and seems good overall.

Filebrowser's configuration has setting the host/port and socket under the same field, but that feels a bit weird IMO. Additionally, sockets typically (AFAIK) get put in /run/service/service.sock (/run/filebrowser/filebrowser.sock), however there are no permissions to this location unless

systemd.services.filebrowser.serviceConfig.RuntimeDirectory = "filebrowser";

Though, this directory would be useless if sockets are turned off. Maybe services.filebrowser.useSocket or similar, and then set host/port otherwise?

Also, I think services.filebrowser.disableCommandRunner would be more clear than services.filebrowser.disableExec, even if it doesn't match the CLI args.

@christoph-heiss
Copy link
Contributor Author

I haven't done rigorous testing, and I'm not experienced enough to provide full review of a module, but it is working well for me and seems good overall.

Thanks for the review! I'll happily discuss how to make this module better.

Filebrowser's configuration has setting the host/port and socket under the same field, but that feels a bit weird IMO.

Well, while writing this I pondered over this quite a bit myself, since filebrowser itself takes a separate option for the socket. But most services take either a IP-address or a socket path for the address, since the type can be determined quite reliably anyway.

Additionally, sockets typically (AFAIK) get put in /run/service/service.sock (/run/filebrowser/filebrowser.sock), however there are no permissions to this location unless

systemd.services.filebrowser.serviceConfig.RuntimeDirectory = "filebrowser";

Though, this directory would be useless if sockets are turned off. Maybe
services.filebrowser.useSocket or similar, and then set host/port otherwise?

Most modules AFAIK just put it under /run directly anyway - and since we'll only have one file, I would avoid the extra directory too.
We could also do it how e.g. services.postgrey does it, although I'd name the option address.
Such that one could do

services.filebrowser.listenAddress = { address = "0.0.0.0"; port = 8080; }; # or
services.filebrowser.listenAddress = { socket = "/run/filebrowser.sock"; mode = "0666"; };

Also, I think services.filebrowser.disableCommandRunner would be more clear than services.filebrowser.disableExec, even if it doesn't match the CLI args.

Seems sensible. 👍 Personally I don't have a strong opionon on this tho.

@fin444
Copy link
Contributor

fin444 commented Feb 21, 2024

That sounds like a good method, it still feels a bit weird but I'm not sure there's a better way. For the socket path, /run/filebrowser.sock would also work, I just don't know about the permissions. I tried setting the socket to that, but it failed off permissions, which is why I thought it needed its own directory created by systemd. Reading through Postgrey's module, I don't really see how they solve this issue but clearly they do.

@christoph-heiss christoph-heiss changed the title filebrowser: 2.23.0 -> 2.27.0, add service module filebrowser: 2.23.0 -> 2.28.0, add service module Apr 20, 2024
@christoph-heiss
filebrowser: 2.23.0 -> 2.28.0
6599a79 
Signed-off-by: Christoph Heiss <[email protected]>
@christoph-heiss
filebrowser: add myself as maintainer
7358a59 
Signed-off-by: Christoph Heiss <[email protected]>
@christoph-heiss
filebrowser: drop nielsegberts from maintainers
a101a33 
This package hasn't been updated in ~1.5 years and the maintainer does
not seem to respond.

Signed-off-by: Christoph Heiss <[email protected]>
@christoph-heiss
Copy link
Contributor Author

@fin444 Sorry for the long feedback loop!

In any case, I have now simply removed the socket option, since it's quite a bit of work and needs a more thought-out plan as can be seen. I'd rather not get this PR stuck on this forever.

@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/3816

@AndersonTorres
Copy link
Member

Marking @nielsegberts here #290642

@cimm cimm mentioned this pull request Apr 22, 2024
Open
SuperSandro2000
SuperSandro2000 reviewed Apr 25, 2024
View reviewed changes
nixos/modules/services/web-apps/filebrowser.nix
${pkgs.coreutils}/bin/mkdir -p ${toString cfg.rootDir}
'';

ExecStart = "${cfg.package}/bin/filebrowser --config ${configFile}";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
ExecStart = "${cfg.package}/bin/filebrowser --config ${configFile}";
ExecStart = "${lib.getExe cfg.package} --config ${configFile}";

nixos/modules/services/web-apps/filebrowser.nix
Comment on lines +153 to +167
NoNewPrivileges = "yes";
PrivateTmp = "yes";
PrivateDevices = "yes";
DevicePolicy = "closed";
ProtectSystem = "strict";
ProtectHome = "tmpfs";
ProtectControlGroups = "yes";
ProtectKernelModules = "yes";
ProtectKernelTunables = "yes";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
RestrictNamespaces = "yes";
RestrictRealtime = "yes";
RestrictSUIDSGID = "yes";
MemoryDenyWriteExecute = "yes";
LockPersonality = "yes";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In nixpkgs we mostly use true instead of "yes"

nixos/modules/services/web-apps/filebrowser.nix
type = types.str;
default = "filebrowser";
description = ''
If `services.filebrowser.user` is set, this must be set as well. Must
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't we create the default user?

nixos/modules/services/web-apps/filebrowser.nix
Comment on lines +108 to +112
disableThumbnails = mkEnableOption "Disable image thumbnails.";
disablePreviewResize = mkEnableOption "Disable resize of image previews.";
disableCommandRunner = mkEnableOption "Disable the Command Runner feature.";
disableTypeDetectionByHeader = mkEnableOption
"Disable file type detection by reading file headers.";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The description of those will be prefixed with Wether to enable which I don't think the description considered.

nixos/modules/services/web-apps/filebrowser.nix

baseUrl = mkOption {
type = types.nullOr types.str;
default = null;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this default to / ?

nixos/modules/services/web-apps/filebrowser.nix
cert = cfg.tlsCertificate;
key = cfg.tlsCertificateKey;
})
// (optionalAttrs (cfg.baseUrl != null) { baseurl = cfg.baseUrl; })
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

optionalAttrs doesn't require sourounding brackets

nixos/modules/services/web-apps/filebrowser.nix
Comment on lines +24 to +28
// (optionalAttrs (cfg.cacheDir != null) { cache-dir = cfg.cacheDir; })
// (optionalAttrs cfg.disableThumbnails { disable-thumbnails = true; })
// (optionalAttrs cfg.disablePreviewResize { disable-preview-resize = true; })
// (optionalAttrs cfg.disableCommandRunner { disable-exec = true; })
// (optionalAttrs cfg.disableTypeDetectionByHeader { disable-type-detection-by-header = true; })
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not use an rfc 42 freeform setting type for this?

nixos/modules/services/web-apps/filebrowser.nix
cfg.tlsCertificate != null;

configFile = pkgs.writeText "filebrowser-config.json" (generators.toJSON {} ({
database = "/var/lib/filebrowser/filebrowser.db";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We use 2 spaces to intend nix code

Suggested change
database = "/var/lib/filebrowser/filebrowser.db";
database = "/var/lib/filebrowser/filebrowser.db";

nixos/modules/services/web-apps/filebrowser.nix
assert cfg.user != "filebrowser" -> cfg.group != "filebrowser";
cfg.user == "filebrowser";
enableTls =
assert cfg.tlsCertificate != null -> cfg.tlsCertificateKey != null;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be a module level assertion

nixos/modules/services/web-apps/filebrowser.nix
Comment on lines +8 to +10
enableDynamicUser =
assert cfg.user != "filebrowser" -> cfg.group != "filebrowser";
cfg.user == "filebrowser";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I find it kinda strange and unexpected that DynamicUser gets disabled when the user and group settings are changed.

@h7x4 h7x4 mentioned this pull request Jun 1, 2024
Open
13 tasks
@AndersonTorres
Copy link
Member

PING

@phanirithvij phanirithvij mentioned this pull request Aug 29, 2024
Merged
13 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SuperSandro2000 SuperSandro2000 SuperSandro2000 left review comments

@nielsegberts nielsegberts Awaiting requested review from nielsegberts

@AndersonTorres AndersonTorres Awaiting requested review from AndersonTorres

Assignees
No one assigned
Labels
2.status: merge conflict 6.topic: nixos 8.has: changelog 8.has: documentation 8.has: module (update) 10.rebuild-darwin: 1-10 10.rebuild-darwin: 1 10.rebuild-linux: 1-10 11.by: package-maintainer
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@christoph-heiss @fin444 @nixos-discourse @AndersonTorres @SuperSandro2000 @wegank