rustdesk-server: init module #272501
rustdesk-server: init module #272501
Conversation
ppom0
force-pushed
the
rustdesk-module
branch
from
e2465c0
to
f3d0f89
Compare
|
ping @sjau : you asked for it ;) |
ppom0
force-pushed
the
rustdesk-module
branch
2 times, most recently
from
b87b964
to
ffa0b3e
Compare
|
All those force-pushes to rename rustdesk → rustdesk-server everywhere in the module & module name ^^ |
ppom0
force-pushed
the
rustdesk-module
branch
from
ffa0b3e
to
6eb37e0
Compare
|
The CI says "error: attribute 'rustdesk-server' missing" although rustdesk-server is in unstable channel 🤔 |
I believe this is due to the lack of a The easiest way to avoid it is to just swap the whole option out for |
| users.users.rustdesk = { | ||
| description = "System user for RustDesk"; | ||
| isSystemUser = true; | ||
| group = "rustdesk"; | ||
| }; | ||
| users.groups.rustdesk = {}; |
There was a problem hiding this comment.
Just to make sure - have you tried making this work with systemds DynamicUser? It is usually preferable to creating system users, but isn't always viable due to misc. circumstances.
There was a problem hiding this comment.
Well, it looks like only the hbbs process needs to access the database, so maybe it's not an issue if the two processes don't have the same user…
[root@musi:/var/lib/rustdesk]# ls
db_v2.sqlite3 db_v2.sqlite3-shm db_v2.sqlite3-wal id_ed25519 id_ed25519.pub
[root@musi:/var/lib/rustdesk]# lsof .
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
hbbr 1099978 rustdesk cwd DIR 8,1 4096 5284441 .
hbbs 1099979 rustdesk cwd DIR 8,1 4096 5284441 .
bash 1167872 root cwd DIR 8,1 4096 5284441 .
lsof 1168024 root cwd DIR 8,1 4096 5284441 .
lsof 1168025 root cwd DIR 8,1 4096 5284441 .
[root@musi:/var/lib/rustdesk]# lsof db_v2.sqlite3*
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
hbbs 1099979 rustdesk mem-r REG 8,1 32768 5244174 db_v2.sqlite3-shm
hbbs 1099979 rustdesk 9ur REG 8,1 24576 5244173 db_v2.sqlite3
hbbs 1099979 rustdesk 10u REG 8,1 0 5244167 db_v2.sqlite3-wal
hbbs 1099979 rustdesk 11ur REG 8,1 32768 5244174 db_v2.sqlite3-shm
[root@musi:/var/lib/rustdesk]# lsof id_ed25519*
[root@musi:/var/lib/rustdesk]#
There was a problem hiding this comment.
I don't know. As there are 2 services involved together, I like having them at one system user. And I'm not a big fan of DynamicUser. But if you (or someone else) insist a bit, then ok I'll make and test the change!
There was a problem hiding this comment.
DynamicUser and system user creation can be combined - in that case only the extra isolation of DynamicUser is applied (and if database socket authentication is used then it's usually required aswell to have a fixed system user instead of just DynamicUser)
also you don't really need to get rid of the security flags you already set
There was a problem hiding this comment.
I'm unfortunately unable to test this right now due to missing hardware. Is someone able to test this patch?
diff --git a/nixos/modules/services/monitoring/rustdesk-server.nix b/nixos/modules/services/monitoring/rustdesk-server.nix
index a4d85be3caec..885fb608af99 100644
--- a/nixos/modules/services/monitoring/rustdesk-server.nix
+++ b/nixos/modules/services/monitoring/rustdesk-server.nix
@@ -35,15 +35,16 @@ in {
Slice = "system-rustdesk.slice";
User = "rustdesk";
Group = "rustdesk";
+ DynamicUser = "yes";
Environment = [];
WorkingDirectory = "/var/lib/rustdesk";
StateDirectory = "rustdesk";
StateDirectoryMode = "0750";
LockPersonality = true;
- NoNewPrivileges = true;
+ # NoNewPrivileges = true; # implied by DynamicUser
PrivateDevices = true;
PrivateMounts = true;
- PrivateTmp = true;
+ # PrivateTmp = true; # implied by DynamicUser
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
@@ -53,10 +54,10 @@ in {
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
- ProtectSystem = "strict";
- RemoveIPC = true;
+ # ProtectSystem = "strict"; # implied by DynamicUser
+ # RemoveIPC = true; # implied by DynamicUser
RestrictNamespaces = true;
- RestrictSUIDSGID = true;
+ # RestrictSUIDSGID = true; # implied by DynamicUser
};
};
in lib.mkIf cfg.enable {
There was a problem hiding this comment.
Just tested this and it works.
Data is now in /var/lib/private/rustdesk instead of /var/lib/rustdesk like before.
ppom0
force-pushed
the
rustdesk-module
branch
from
6eb37e0
to
211322f
Compare
ppom0
force-pushed
the
rustdesk-module
branch
3 times, most recently
from
1a401ce
to
6ed678f
Compare
|
Just tested this and it works for me. The rd-server data (database, keys) are stored in /var/lib/rustdesk. I bind-mount them to /data/rustdesk, so it won't get wiped on my setup upon reboot. |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review/3032/3206 |
|
Why does ofBorg complain about |
|
Just rebased on master to trigger ofborg again and see if it helps. |
mkg20001
force-pushed
the
rustdesk-module
branch
from
856c1dd
to
0cc2451
Compare
mkg20001
force-pushed
the
rustdesk-module
branch
from
0cc2451
to
65544c6
Compare
this was a suggestion on NixOS#272501
Description of changes
Create simple rustdesk module.
Works well on my homeserver, even behind a NAT, with proper port forwarding.
Mentionned in #211751
Things done
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Add a 👍 reaction to pull requests you find important.