rustdesk-server: init module #272501
Force-pushed e2465c0 to f3d0f89
ping @sjau : you asked for it ;)
Force-pushed b87b964 to ffa0b3e
All those force-pushes to rename rustdesk → rustdesk-server everywhere in the module & module name ^^
Force-pushed ffa0b3e to 6eb37e0
The CI says "error: attribute 'rustdesk-server' missing" although rustdesk-server is in unstable channel 🤔
I believe this is due to the lack of a … The easiest way to avoid it is to just swap the whole option out for …
Here are a few comments.
    users.users.rustdesk = {
      description = "System user for RustDesk";
      isSystemUser = true;
      group = "rustdesk";
    };
    users.groups.rustdesk = {};
Just to make sure: have you tried making this work with systemd's DynamicUser? It is usually preferable to creating system users, but isn't always viable due to misc. circumstances.
Well, it looks like only the hbbs process needs to access the database, so maybe it's not an issue if the two processes don't have the same user…
[root@musi:/var/lib/rustdesk]# ls
db_v2.sqlite3 db_v2.sqlite3-shm db_v2.sqlite3-wal id_ed25519 id_ed25519.pub
[root@musi:/var/lib/rustdesk]# lsof .
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
hbbr 1099978 rustdesk cwd DIR 8,1 4096 5284441 .
hbbs 1099979 rustdesk cwd DIR 8,1 4096 5284441 .
bash 1167872 root cwd DIR 8,1 4096 5284441 .
lsof 1168024 root cwd DIR 8,1 4096 5284441 .
lsof 1168025 root cwd DIR 8,1 4096 5284441 .
[root@musi:/var/lib/rustdesk]# lsof db_v2.sqlite3*
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
hbbs 1099979 rustdesk mem-r REG 8,1 32768 5244174 db_v2.sqlite3-shm
hbbs 1099979 rustdesk 9ur REG 8,1 24576 5244173 db_v2.sqlite3
hbbs 1099979 rustdesk 10u REG 8,1 0 5244167 db_v2.sqlite3-wal
hbbs 1099979 rustdesk 11ur REG 8,1 32768 5244174 db_v2.sqlite3-shm
[root@musi:/var/lib/rustdesk]# lsof id_ed25519*
[root@musi:/var/lib/rustdesk]#
I don't know. As there are 2 services involved together, I like having them at one system user. And I'm not a big fan of DynamicUser. But if you (or someone else) insist a bit, then OK, I'll make and test the change!
DynamicUser and system user creation can be combined; in that case only the extra isolation of DynamicUser is applied (and if database socket authentication is used, then it's usually required as well to have a fixed system user instead of just DynamicUser).
Also, you don't really need to get rid of the security flags you already set.
I'm unfortunately unable to test this right now due to missing hardware. Is someone able to test this patch?
diff --git a/nixos/modules/services/monitoring/rustdesk-server.nix b/nixos/modules/services/monitoring/rustdesk-server.nix
index a4d85be3caec..885fb608af99 100644
--- a/nixos/modules/services/monitoring/rustdesk-server.nix
+++ b/nixos/modules/services/monitoring/rustdesk-server.nix
@@ -35,15 +35,16 @@ in {
Slice = "system-rustdesk.slice";
User = "rustdesk";
Group = "rustdesk";
+ DynamicUser = "yes";
Environment = [];
WorkingDirectory = "/var/lib/rustdesk";
StateDirectory = "rustdesk";
StateDirectoryMode = "0750";
LockPersonality = true;
- NoNewPrivileges = true;
+ # NoNewPrivileges = true; # implied by DynamicUser
PrivateDevices = true;
PrivateMounts = true;
- PrivateTmp = true;
+ # PrivateTmp = true; # implied by DynamicUser
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
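Review bot: `DynamicUser = "yes";` is the only string-valued boolean in this serviceConfig; every other flag in the hunk is a Nix bool (`LockPersonality = true;`, `PrivateDevices = true;`), so write `DynamicUser = true;` for consistency. One thing worth verifying on a host that already ran the module: with DynamicUser, `StateDirectory = "rustdesk"` is now created under /var/lib/private/rustdesk with a symlink at /var/lib/rustdesk, so `WorkingDirectory = "/var/lib/rustdesk"` keeps resolving, but the existing db_v2.sqlite3 and id_ed25519 files must end up in the private location with the `StateDirectoryMode = "0750"` still applied, otherwise hbbs will regenerate a fresh key pair and clients will stop trusting the server.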
@@ -53,10 +54,10 @@ in {
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
- ProtectSystem = "strict";
- RemoveIPC = true;
+ # ProtectSystem = "strict"; # implied by DynamicUser
+ # RemoveIPC = true; # implied by DynamicUser
RestrictNamespaces = true;
- RestrictSUIDSGID = true;
+ # RestrictSUIDSGID = true; # implied by DynamicUser
};
};
in lib.mkIf cfg.enable {
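Review bot: `# ProtectSystem = "strict";`, `# RemoveIPC = true;` and `# RestrictSUIDSGID = true;` are correct about being implied by DynamicUser, but commented-out settings are dead configuration that the next reader has to reason about. Either delete the three lines, or (preferably, as the discussion above already suggested) leave them active: they cost nothing when DynamicUser is on, and they keep the sandbox explicit and auditable should DynamicUser ever be turned off, in which case the unit would silently lose ProtectSystem=strict, RemoveIPC and RestrictSUIDSGID. The same applies to the two lines commented out in the previous hunk.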
Just tested this and it works. Data is now in /var/lib/private/rustdesk instead of /var/lib/rustdesk like before.
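After confirming the patch starts, the check a practitioner wants is whether the sandbox is actually effective on the running unit. The following script is an added example, not code from this PR or from RustDesk: it reads `systemctl show <unit>` output and reports every hardening property that is neither explicitly set nor covered by DynamicUser=yes (which systemd.exec(5) documents as implying NoNewPrivileges, PrivateTmp, RemoveIPC, RestrictSUIDSGID and ProtectSystem=strict). The property list mirrors the serviceConfig in the diff above; the two sample property dumps are constructed so the script runs offline, and the unit name is left as a parameter because the thread does not show it.

```shell
#!/bin/sh
# Added example, not code from the PR or the rustdesk project.
# Audit the sandboxing of a systemd service from `systemctl show <unit>` output.
# The property lists are taken from the serviceConfig in the PR diff; the two
# sample dumps further down are constructed for offline testing.

# systemd.exec(5): DynamicUser=yes implies these five settings.
IMPLIED_BY_DYNAMICUSER="NoNewPrivileges=yes PrivateTmp=yes RemoveIPC=yes RestrictSUIDSGID=yes ProtectSystem=strict"

# Hardening the unit sets explicitly; DynamicUser does not imply any of these.
WANTED_EXPLICIT="LockPersonality=yes PrivateDevices=yes PrivateMounts=yes PrivateUsers=yes ProtectClock=yes ProtectControlGroups=yes ProtectKernelModules=yes ProtectKernelTunables=yes ProtectProc=invisible RestrictNamespaces=yes"

# is_implied KEY=VALUE -> 0 if DynamicUser=yes covers this property
is_implied() {
    case " $IMPLIED_BY_DYNAMICUSER " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_hardening: read key=value lines (systemctl show format) on stdin,
# print one "MISSING key=expected (got actual)" line per unmet property,
# return 0 when the unit is fully hardened and 1 otherwise.
audit_hardening() {
    props=$(cat)
    dyn=$(printf '%s\n' "$props" | sed -n 's/^DynamicUser=//p')
    rc=0
    for want in $WANTED_EXPLICIT $IMPLIED_BY_DYNAMICUSER; do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(printf '%s\n' "$props" | sed -n "s/^$key=//p")
        if [ "$actual" = "$expected" ]; then
            continue
        fi
        # A default value shown for an implied property is fine when DynamicUser=yes.
        if [ "$dyn" = "yes" ] && is_implied "$want"; then
            continue
        fi
        printf 'MISSING %s (got %s)\n' "$want" "${actual:-unset}"
        rc=1
    done
    return $rc
}

# Live usage (needs systemd): audit_unit <unit-name>
audit_unit() {
    systemctl show "$1" | audit_hardening
}

# Constructed dump: the patched unit (DynamicUser plus static user rustdesk),
# with the five implied properties shown at their default values.
SAMPLE_DYNAMICUSER='User=rustdesk
Group=rustdesk
DynamicUser=yes
StateDirectory=rustdesk
NoNewPrivileges=no
PrivateTmp=no
RemoveIPC=no
RestrictSUIDSGID=no
ProtectSystem=no
LockPersonality=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
RestrictNamespaces=yes'

# Constructed dump: a static-user unit that dropped the same lines but never
# enabled DynamicUser, so three of the "implied" settings are really gone.
SAMPLE_WEAK='User=rustdesk
Group=rustdesk
DynamicUser=no
NoNewPrivileges=yes
PrivateTmp=yes
RemoveIPC=no
RestrictSUIDSGID=no
ProtectSystem=full
LockPersonality=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
RestrictNamespaces=yes'

demo() {
    echo "== DynamicUser=yes unit =="
    if printf '%s\n' "$SAMPLE_DYNAMICUSER" | audit_hardening; then echo "OK"; fi
    echo "== static-user unit without DynamicUser =="
    if printf '%s\n' "$SAMPLE_WEAK" | audit_hardening; then echo "OK"; else echo "NOT HARDENED"; fi
}
demo
```

Run `systemctl show <unit> | audit_hardening` against the deployed rustdesk-server units after switching configurations; a non-zero exit means a property the module intended is not in effect. The second constructed dump shows why the thread's advice to keep the explicit flags matters: remove them and later drop DynamicUser, and RemoveIPC, RestrictSUIDSGID and ProtectSystem=strict vanish without any error.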
Force-pushed 6eb37e0 to 211322f
Force-pushed 1a401ce to 6ed678f
Just tested this and it works for me. The rd-server data (database, keys) are stored in /var/lib/rustdesk. I bind-mount them to /data/rustdesk, so it won't get wiped on my setup upon reboot.
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review/3032/3206
Why does ofBorg complain about …
Just rebased on master to trigger ofborg again and see if it helps.
Force-pushed 856c1dd to 0cc2451
Force-pushed 0cc2451 to 65544c6
this was a suggestion on NixOS#272501
Description of changes
Create simple rustdesk module.
Works well on my homeserver, even behind a NAT, with proper port forwarding.
Mentioned in #211751
Things done
- nix.conf sandbox setting? (See Nix manual): sandbox = relaxed / sandbox = true
- nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD" (Note: all changes have to be committed, also see nixpkgs-review usage)
- ./result/bin/