Skip to content

Update public-inbox to 1.8.0 and add systemd services#104457

Merged
infinisil merged 7 commits intoNixOS:masterfrom
ju1m:public-inbox
May 12, 2022
Merged

Update public-inbox to 1.8.0 and add systemd services#104457
infinisil merged 7 commits intoNixOS:masterfrom
ju1m:public-inbox

Conversation

@ju1m
Copy link
Contributor

@ju1m ju1m commented Nov 21, 2020
edited
Loading

Works for me and is ready for review.

Motivation for this change

Add a public-inbox NixOS service.

Things done
# systemd-analyze security | grep public-inbox
public-inbox-httpd.service                0.6 SAFE      😀    
public-inbox-imapd.service                0.6 SAFE      😀
public-inbox-nntpd.service                0.6 SAFE      😀
  • Support enabling systemd-confinement for the services.
  • Add myself as maintainer to both the package and the service.
  • Use generators.toGitINI and introduce a formats.gitIni.
  • Add nixos/tests/public-inbox.nix.
  • Add option services.public-inbox.postfix.enable for configuring postfix using a dedicated transport, and support recipientDelimiter. No longer use a .forward file.
  • Adding a release note (not sure if I should).
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Ping @alyssais, @catern, @spacekookie

@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Nov 21, 2020
@ju1m ju1m force-pushed the public-inbox branch 5 times, most recently from 9f79ab7 to 67c9564 Compare November 25, 2020 06:42
@nixos-discourse
Copy link

nixos-discourse commented Nov 25, 2020

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/385

@ofborg ofborg bot added 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Nov 26, 2020
infinisil
infinisil requested changes Nov 28, 2020
View reviewed changes
@infinisil
Copy link
Member

infinisil commented Nov 28, 2020

Looking pretty good overall!

@teto teto mentioned this pull request Dec 21, 2020
Closed
10 tasks
@matthiasbeyer
Copy link
Contributor

matthiasbeyer commented Apr 11, 2021

@ju1m any plans on updating this PR so we can merge it?

Would be nice to use this to provide an archive for nixpkgs-dev.

alyssais
alyssais reviewed Apr 15, 2021
View reviewed changes
Copy link
Member

@alyssais alyssais left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm very sorry for taking so long to get to this. I should have more time available for it now. I'm also happy to help, or to take back over, if you'd prefer.

pkgs/servers/mail/public-inbox/default.nix Outdated
Copy link
Member

@alyssais alyssais Apr 15, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will break if cross-compiled. Is there no way to compile InlineC stuff up front at build time?

Copy link
Contributor Author

@ju1m ju1m Apr 15, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, according to public-inbox-tuning, recent public-inbox generates and compiles C code at runtime to increase performance:

  Process spawning
    Our optional use of Inline::C speeds up subprocess spawning from large
    daemon processes.

    To enable Inline::C, either set the "PERL_INLINE_DIRECTORY" environment
    variable to point to a writable directory, or create
    "~/.cache/public-inbox/inline-c" for any user(s) running public-inbox
    processes.

    More (optional) Inline::C use will be introduced in the future to lower
    memory use and improve scalability.

I've little experience with cross-compiling using Nixpkgs, so I don't know when or how it will break, nor how to address that concern. Should I use something else than stdenv.cc to get the target's compiler? Should I put InlineC usage behind a package option?

Copy link
Member

@alyssais alyssais Apr 16, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I see -- Inline::C is different to XS, in that the code is generated at runtime. So we can't compile at ahead of time and will need a C compiler. In that case, the usual approach I've seen here (that is cross-friendly) is to wrap with gcc instead of stdenv.cc.

Copy link
Contributor

@catern catern Apr 17, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inline::C is cool and all, but...
Has anyone mentioned to upstream that the lack of support for ahead of time compilation/the dependency on a compiler at runtime, is fairly annoying for packaging? I'm sure other package managers would also prefer to not add a dependency on gcc to public-inbox, I don't think that's just us. (And the public-inbox maintainer is, I think, very responsive to such concerns)

Copy link
Contributor Author

@ju1m ju1m May 10, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inline::C is optional

alyssais
alyssais requested changes Apr 19, 2021
View reviewed changes
Copy link
Member

@alyssais alyssais left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's going to take me a little while to review this because it's so big and so different to my version, so this isn't going to be my last round of comments. But we're getting there. :)

nixos/modules/services/mail/public-inbox.nix Outdated
Copy link
Member

@alyssais alyssais Apr 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think the extra complexity of taking two different kinds of values here is worth the small convenience of being able to open the firewall automatically.

Copy link
Contributor Author

@ju1m ju1m May 10, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure to understand what you want, isn't openFirewall working well enough?

@ju1m ju1m changed the title Update public-inbox to 1.6.0 and add systemd services Update public-inbox to 1.6.1 and add systemd services Apr 23, 2021
@ju1m
Copy link
Contributor Author

ju1m commented Apr 23, 2021

Thanks for all your feedbacks.
I've uploaded some changes in a "release early" spirit because of the recent regain in interest for this PR, but before taking time to test them nor finishing to address all the concerns raised. I'll make another pass in a few days.

infinisil
infinisil reviewed May 3, 2021
View reviewed changes
infinisil
infinisil requested changes May 3, 2021
View reviewed changes
@ju1m ju1m force-pushed the public-inbox branch 2 times, most recently from 00d31cb to 9b6cab8 Compare May 11, 2021 03:09
@ju1m ju1m requested a review from alyssais May 11, 2021 03:27
Gaelan
Gaelan reviewed May 19, 2021
View reviewed changes
@ju1m
Copy link
Contributor Author

ju1m commented May 2, 2022

  • Fix git clone inboxes by reallowing @timer syscalls

@ju1m
Copy link
Contributor Author

ju1m commented May 2, 2022

  • Enable confinement. It was not that hard after all, but obviously I may very well have overlooked some corner cases (eg. missing BindPaths=/BindReadOnlyPaths= for some directory in /run).
    Ping @Gaelan.

@aanderse
Copy link
Member

aanderse commented May 3, 2022

Currently there isn't a single module within NixOS that uses confinement. Merging this PR as-is would set a precedent. I'm not saying that is a good or bad precedent, but I'm saying it is a precedent people should understand and agree to. Given how overzealous this community is about hardening services I see it as almost a certainty that countless modules will start using confinement as soon as developers are aware of the change this PR introduces.

So what are all of the implications of using confinement? Should you remove confinement from this PR, merge, then take this discussion elsewhere and depending on the outcome of that conversation start a new PR to add confinement back?

@nixos-discourse
Copy link

nixos-discourse commented May 4, 2022

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-policy-regarding-systemd-confinement/18976/1

@ju1m
Copy link
Contributor Author

ju1m commented May 4, 2022

  • Revert confinement.enable = true, but keep supporting its enabling by the user.
  • Started a discussion about the policy to follow regarding systemd-confinement.

@Artturin Artturin added the 12.approvals: 2 This PR was reviewed and approved by two persons. label May 4, 2022
@ju1m ju1m changed the title Update public-inbox to 1.7.0 and add systemd services Update public-inbox to 1.8.0 and add systemd services May 6, 2022
SuperSandro2000
SuperSandro2000 reviewed May 9, 2022
View reviewed changes
@ju1m
Copy link
Contributor Author

ju1m commented May 11, 2022

  • Reenable on all platforms but disable tests on Darwin

@ofborg ofborg bot added 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. and removed 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. labels May 11, 2022
SuperSandro2000
SuperSandro2000 reviewed May 11, 2022
View reviewed changes
@ju1m
Copy link
Contributor Author

ju1m commented May 11, 2022

  • Use stdenv.cc.cc instead of gcc directly.

@infinisil infinisil merged commit fd50826 into NixOS:master May 12, 2022
@infinisil
Copy link
Member

infinisil commented May 12, 2022

This PR has had enough feedback, imo it looks good enough for a merge, any further improvements can be done with other PRs. Thanks for the hard work @ju1m!

@ju1m ju1m deleted the public-inbox branch December 26, 2022 20:21
@infinisil infinisil mentioned this pull request Oct 10, 2023
Merged
@hsjobeki hsjobeki mentioned this pull request Nov 9, 2024
Merged
13 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SuperSandro2000 SuperSandro2000 SuperSandro2000 left review comments

@infinisil infinisil infinisil approved these changes

@aanderse aanderse Awaiting requested review from aanderse

@alyssais alyssais Awaiting requested review from alyssais

+2 more reviewers

@Gaelan Gaelan Gaelan left review comments

@catern catern catern left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: clean-up This PR removes packages or removes other cruft 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. 12.approvals: 2 This PR was reviewed and approved by two persons.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.