diff --git a/nixos/modules/services/mail/mailman.nix b/nixos/modules/services/mail/mailman.nix index ca30c830c58b5..060b5c12e8d36 100644 --- a/nixos/modules/services/mail/mailman.nix +++ b/nixos/modules/services/mail/mailman.nix @@ -547,7 +547,9 @@ in mv $out/bin/mailman $out/bin/.mailman-wrapped echo '#!${pkgs.runtimeShell} sudo=exec - if [[ "$USER" != mailman ]]; then + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u mailman --' + elif [[ "$USER" != "mediagoblin" ]]; then sudo="exec /run/wrappers/bin/sudo -u mailman" fi $sudo ${placeholder "out"}/bin/.mailman-wrapped "$@" diff --git a/nixos/modules/services/misc/omnom.nix b/nixos/modules/services/misc/omnom.nix index 48d7a326d3acb..41182c38c11d1 100644 --- a/nixos/modules/services/misc/omnom.nix +++ b/nixos/modules/services/misc/omnom.nix @@ -259,7 +259,9 @@ in #! ${pkgs.runtimeShell} cd ${cfg.dataDir} sudo=exec - if [[ "$USER" != ${cfg.user} ]]; then + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u ${cfg.user} --' + elif [[ "$USER" != "${cfg.user}" ]]; then sudo='exec /run/wrappers/bin/sudo -u ${cfg.user}' fi $sudo ${lib.getExe cfg.package} "$@" diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix index 9df4e99ff9a5c..d11dd6adfb398 100644 --- a/nixos/modules/services/misc/paperless.nix +++ b/nixos/modules/services/misc/paperless.nix @@ -54,7 +54,9 @@ let cd '${cfg.dataDir}' sudo=exec - if [[ "$USER" != ${cfg.user} ]]; then + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u ${cfg.user} --' + elif [[ "$USER" != "${cfg.user}" ]]; then ${ if config.security.sudo.enable then "sudo='exec ${config.security.wrapperDir}/sudo -u ${cfg.user} -E'" diff --git a/nixos/modules/services/monitoring/librenms.nix b/nixos/modules/services/monitoring/librenms.nix index 497cd38a4b09f..d6074fda58420 100644 --- a/nixos/modules/services/monitoring/librenms.nix +++ b/nixos/modules/services/monitoring/librenms.nix 
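Review bot: The mailman wrapper is generated by `echo '#!…'` inside single quotes, so the single quotes in the new `sudo='exec runuser -u mailman --'` line close the echo argument; after word splitting and echo's re-joining, the file written to `$out/bin/mailman` contains `sudo= exec runuser -u mailman --` on that line, which executes `runuser -u mailman --` (no command, i.e. a shell as mailman) as soon as root invokes the wrapper instead of assigning `sudo`. The retained sudo line uses double quotes for exactly this reason, so write `sudo="exec runuser -u mailman --"` and, to keep no single quote inside the echo, `== root` or `== "root"` instead of `'root'` (that one only survives because no whitespace is involved). Separately, the new `elif` compares `$USER` against `"mediagoblin"` rather than `mailman`, which looks like a copy-paste slip from the mediagoblin module in this same patch; it should read `elif [[ "$USER" != "mailman" ]]; then`. The closing quote and redirection of the `echo` are outside the hunk, so the single-quote form is inferred from its opening `echo '#!` line.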
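Review bot: The root detection in the omnom wrapper keys off `$USER`, an environment variable under the caller's control, instead of the process's effective uid. A root shell obtained with plain `su` (no `-`) typically still carries the invoking user's USER and so falls through to the sudo branch, which is precisely the sudo-disabled case the runuser branch exists for; conversely a non-root process with USER scrubbed (cron, `env -i`, a hardened unit) defaults to `root` and dies inside `runuser` with a confusing permission error instead of trying sudo. Since `runtimeShell` is bash on NixOS, `if [[ $EUID -eq 0 ]]; then` avoids both failure modes, and because the sibling branch already pins `/run/wrappers/bin/sudo` the root branch should also pin its binary: `sudo='exec ${lib.getExe' pkgs.util-linux "runuser"} -u ${cfg.user} --'` (assuming `pkgs` is in scope alongside the `lib.getExe` already used on the last line). The same `$USER`-based pattern is repeated in every wrapper in this patch.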
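Review bot: The sudo branch of paperless-manage passes `-E`, which indicates the wrapper depends on environment variables exported earlier in the script (outside this hunk), but the new `runuser` branch preserves nothing, so root would run the management command without them. Mirror the sudo flags with `sudo='exec runuser -u ${cfg.user} --preserve-environment --'`, as the healthchecks, libretranslate and mastodon wrappers in this patch do for their `--preserve-env` siblings. The `${ if config.security.sudo.enable …` expression and the rest of the script continue past the hunk, so I cannot see whether anything else compensates.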
@@ -41,7 +41,9 @@ let artisanWrapper = pkgs.writeShellScriptBin "librenms-artisan" '' cd ${package} sudo=exec - if [[ "$USER" != ${cfg.user} ]]; then + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u ${cfg.user} --' + elif [[ "$USER" != "${cfg.user}" ]]; then sudo='exec /run/wrappers/bin/sudo -u ${cfg.user}' fi $sudo ${package}/artisan "$@" @@ -50,8 +52,10 @@ let lnmsWrapper = pkgs.writeShellScriptBin "lnms" '' cd ${package} sudo=exec - if [[ "$USER" != ${cfg.user} ]]; then - sudo='exec /run/wrappers/bin/sudo -u ${cfg.user}' + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u ${cfg.user} --' + elif [[ "$USER" != "${cfg.user}" ]]; then + sudo='exec /run/wrappers/bin/sudo -u ${cfg.user}' fi $sudo ${package}/lnms "$@" ''; diff --git a/nixos/modules/services/networking/pihole-ftl.nix b/nixos/modules/services/networking/pihole-ftl.nix index 3840d6fefd124..9e28da3c776f2 100644 --- a/nixos/modules/services/networking/pihole-ftl.nix +++ b/nixos/modules/services/networking/pihole-ftl.nix @@ -25,7 +25,9 @@ let piholeScript = pkgs.writeScriptBin "pihole" '' sudo=exec - if [[ "$USER" != '${cfg.user}' ]]; then + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u ${cfg.user} --' + elif [[ "$USER" != "${cfg.user}" ]]; then sudo='exec /run/wrappers/bin/sudo -u ${cfg.user}' fi $sudo ${getExe cfg.piholePackage} "$@" diff --git a/nixos/modules/services/security/crowdsec.nix b/nixos/modules/services/security/crowdsec.nix index 78d861604dad8..ed9d3613486da 100644 --- a/nixos/modules/services/security/crowdsec.nix +++ b/nixos/modules/services/security/crowdsec.nix 
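Review bot: The seven-line root/sudo preamble is now copy-pasted verbatim into both `artisanWrapper` and `lnmsWrapper` (the second hunk even re-emits the unchanged sudo line), so the two will drift the next time one is touched. A `let` binding in librenms.nix holding the preamble as a string — the `sudo=exec` line through `fi` — spliced into both `writeShellScriptBin` bodies with `${runAsUser}` keeps them in lock-step. Both wrapper definitions start outside the hunks.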
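Review bot: `pihole` is built with `pkgs.writeScriptBin` and the hunk shows `sudo=exec` as its first line, i.e. no `#!` line, yet the new test relies on bash's `[[ … ]]` (as the old one did). A file without a shebang is only runnable through a shell's ENOEXEC fallback (zsh hands it to `sh`) and fails with `Exec format error` under systemd or Python's subprocess. Switching to `pkgs.writeShellScriptBin "pihole"`, as librenms and healthchecks do in this patch, adds the `${pkgs.runtimeShell}` shebang and `set -e`. If a shebang exists on a line I cannot see, disregard this.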
@@ -513,7 +513,9 @@ in # cscli needs crowdsec on it's path in order to be able to run `cscli explain` export PATH="$PATH:${lib.makeBinPath [ cfg.package ]}" sudo=exec - if [ "$USER" != "${cfg.user}" ]; then + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u ${cfg.user} --' + elif [[ "$USER" != "${cfg.user}" ]]; then ${ if config.security.sudo.enable then "sudo='exec ${config.security.wrapperDir}/sudo -u ${cfg.user}'" diff --git a/nixos/modules/services/web-apps/gancio.nix b/nixos/modules/services/web-apps/gancio.nix index 6dc6c26bc089f..42879068fd397 100644 --- a/nixos/modules/services/web-apps/gancio.nix +++ b/nixos/modules/services/web-apps/gancio.nix @@ -171,7 +171,9 @@ in echo '#!${pkgs.runtimeShell} cd /var/lib/gancio/ sudo=exec - if [[ "$USER" != ${cfg.user} ]]; then + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u ${cfg.user} --' + elif [[ "$USER" != "${cfg.user}" ]]; then sudo="exec /run/wrappers/bin/sudo -u ${cfg.user}" fi $sudo ${lib.getExe cfg.package} "''${@:--help}" diff --git a/nixos/modules/services/web-apps/healthchecks.nix b/nixos/modules/services/web-apps/healthchecks.nix index 80f10b4af6afd..befb1e36111c7 100644 --- a/nixos/modules/services/web-apps/healthchecks.nix +++ b/nixos/modules/services/web-apps/healthchecks.nix @@ -27,7 +27,9 @@ let healthchecksManageScript = pkgs.writeShellScriptBin "healthchecks-manage" '' sudo=exec - if [[ "$USER" != "${cfg.user}" ]]; then + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u ${cfg.user} --preserve-environment --' + elif [[ "$USER" != "${cfg.user}" ]]; then sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env --preserve-env=PYTHONPATH' fi export $(cat ${environmentFile} | xargs) diff --git a/nixos/modules/services/web-apps/libretranslate.nix b/nixos/modules/services/web-apps/libretranslate.nix index b243f42e81008..90412a0a5bea7 100644 --- a/nixos/modules/services/web-apps/libretranslate.nix 
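Review bot: The crowdsec hunk switches the test from POSIX `[ "$USER" != … ]` to bash-only `[[ … ]]`, and nothing in the hunk shows which interpreter the cscli wrapper runs under; if it is emitted with `writeShellScriptBin`/`runtimeShell` this is fine, otherwise keep the POSIX form `[ "${USER:-root}" = root ]`. Also, the sudo fallback stays gated on `config.security.sudo.enable` while the new root branch is unconditional, so an unprivileged caller on a sudo-less host still hits whatever the `else` arm past the hunk does; it is worth checking that its message now tells the operator to run the wrapper as root. The enclosing script continues outside the hunk.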
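Review bot: The gancio wrapper is also emitted through `echo '#!…'` in single quotes (its retained sudo line uses double quotes for that reason), so `sudo='exec runuser -u ${cfg.user} --'` closes the quoted echo argument and the generated file ends up with `sudo= exec runuser -u ${cfg.user} --`, which runs `runuser` with no command instead of setting `sudo`. Use `sudo="exec runuser -u ${cfg.user} --"`, and prefer `== root` over `== 'root'` on the line above so no single quote remains inside the echo. The echo's closing quote and redirection are outside the hunk.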
+++ b/nixos/modules/services/web-apps/libretranslate.nix @@ -11,7 +11,9 @@ let set -a export HOME="/var/lib/libretranslate" sudo=exec - if [[ "$USER" != ${cfg.user} ]]; then + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u ${cfg.user} --preserve-environment --' + elif [[ "$USER" != "${cfg.user}" ]]; then sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env' fi $sudo ${cfg.package}/bin/ltmanage keys --api-keys-db-path ${cfg.dataDir}/db/api_keys.db "$@" diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix index 8021abb42edea..4d5aa66af065f 100644 --- a/nixos/modules/services/web-apps/mastodon.nix +++ b/nixos/modules/services/web-apps/mastodon.nix @@ -150,7 +150,9 @@ let ${sourceExtraEnv} sudo=exec - if [[ "$USER" != ${cfg.user} ]]; then + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u ${cfg.user} --preserve-environment --' + elif [[ "$USER" != "${cfg.user}" ]]; then sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env' fi $sudo ${cfg.package}/bin/tootctl "$@" diff --git a/nixos/modules/services/web-apps/mediagoblin.nix b/nixos/modules/services/web-apps/mediagoblin.nix index 081bfa763f9b8..4c6f90f739c31 100644 --- a/nixos/modules/services/web-apps/mediagoblin.nix +++ b/nixos/modules/services/web-apps/mediagoblin.nix @@ -196,7 +196,9 @@ in environment.systemPackages = [ (pkgs.writeShellScriptBin "mediagoblin-gmg" '' sudo=exec - if [[ "$USER" != mediagoblin ]]; then + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u mediagoblin --' + elif [[ "$USER" != "mediagoblin" ]]; then sudo='exec /run/wrappers/bin/sudo -u mediagoblin' fi $sudo sh -c "cd /var/lib/mediagoblin; env GI_TYPELIB_PATH=${GI_TYPELIB_PATH} GST_PLUGIN_PATH=${GST_PLUGIN_PATH} PATH=$PATH:${lib.makeBinPath path} ${lib.getExe' finalPackage "gmg"} $*" 
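Review bot: The mediagoblin wrapper's last line still splices its arguments into a shell command string via `$*` inside `sh -c "… $*"`, so any argument containing whitespace or shell metacharacters (quotes, `;`, `$(…)`) is re-parsed by the inner `sh`, and with the new branch this now happens under `runuser` as well as sudo. Both `runuser … --` and `sudo -u` accept a command vector directly, so pass the arguments through intact: `$sudo env --chdir=/var/lib/mediagoblin GI_TYPELIB_PATH=${GI_TYPELIB_PATH} GST_PLUGIN_PATH=${GST_PLUGIN_PATH} PATH="$PATH:${lib.makeBinPath path}" ${lib.getExe' finalPackage "gmg"} "$@"` (`env --chdir` needs coreutils ≥ 8.28, which NixOS ships). The issue is pre-existing, but the hunk is rewriting the dispatch around it.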
diff --git a/nixos/modules/services/web-apps/pdfding.nix b/nixos/modules/services/web-apps/pdfding.nix index cb5c5e7291393..538a61d09fd8b 100644 --- a/nixos/modules/services/web-apps/pdfding.nix +++ b/nixos/modules/services/web-apps/pdfding.nix @@ -302,7 +302,9 @@ in set +a ${loadCreds} sudo=exec - if [[ "$USER" != ${cfg.user} ]]; then + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u ${cfg.user} --preserve-environment --' + elif [[ "$USER" != "${cfg.user}" ]]; then sudo='${config.security.wrapperDir}/sudo -E -u ${cfg.user}' fi ${cmd} diff --git a/nixos/modules/services/web-apps/pixelfed.nix b/nixos/modules/services/web-apps/pixelfed.nix index 23a63607b8eca..1898c6e094a5f 100644 --- a/nixos/modules/services/web-apps/pixelfed.nix +++ b/nixos/modules/services/web-apps/pixelfed.nix @@ -42,7 +42,9 @@ let pixelfed-manage = pkgs.writeShellScriptBin "pixelfed-manage" '' cd ${pixelfed} sudo=exec - if [[ "$USER" != ${user} ]]; then + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u ${cfg.user} --' + elif [[ "$USER" != "${cfg.user}" ]]; then sudo='exec /run/wrappers/bin/sudo -u ${user}' fi $sudo ${phpPackage}/bin/php artisan "$@" diff --git a/nixos/modules/services/web-apps/pretalx.nix b/nixos/modules/services/web-apps/pretalx.nix index 37527a4e16881..6673292c87c26 100644 --- a/nixos/modules/services/web-apps/pretalx.nix +++ b/nixos/modules/services/web-apps/pretalx.nix @@ -328,7 +328,9 @@ in (pkgs.writeScriptBin "pretalx-manage" '' cd ${cfg.settings.filesystem.data} sudo=exec - if [[ "$USER" != ${cfg.user} ]]; then + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u ${cfg.user} --preserve-environment --' + elif [[ "$USER" != "${cfg.user}" ]]; then sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env=PRETALX_CONFIG_FILE' fi set -a diff --git a/nixos/modules/services/web-apps/pretix.nix b/nixos/modules/services/web-apps/pretix.nix index c62ae9bcc49e0..eac3b97a76ac9 100644 
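Review bot: The new runuser branch in pdfding starts with `exec`, but the sibling sudo branch `sudo='${config.security.wrapperDir}/sudo -E -u ${cfg.user}'` does not, so the two paths now differ in whether the wrapper process survives the call; which one `${cmd}` (defined outside the hunk) expects I cannot tell, but they should agree. If `${cmd}` is a single `$sudo …` invocation, add `exec` to the sudo line; if it runs more than one command through `$sudo`, drop `exec` from the runuser line instead.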
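Review bot: The new lines in pixelfed-manage reference `${cfg.user}` while the surrounding code, including the retained sudo line directly below, uses `${user}`; if the `let` block outside the hunk defines `user = cfg.user` this evaluates fine, but the mixed spelling reads as though two different users were involved. Pick one — e.g. `sudo='exec runuser -u ${user} --'` and `elif [[ "$USER" != "${user}" ]]; then` — so the three lines agree.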
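Review bot: `pretalx-manage` is built with `pkgs.writeScriptBin` and the hunk shows `cd …` as its first line, i.e. there is no `#!` line, yet the new test relies on bash's `[[ … ]]`. A file without a shebang is only runnable via a shell's ENOEXEC fallback (zsh hands it to `sh`) and fails with `Exec format error` under systemd or Python's subprocess. `pkgs.writeShellScriptBin "pretalx-manage"` gives it the `${pkgs.runtimeShell}` shebang, consistent with the healthchecks and pixelfed wrappers in this patch. Note also that the runuser branch forwards the entire root environment (HOME, PATH, …) where the sudo branch forwards only `PRETALX_CONFIG_FILE`; if the config variable is exported after the `set -a` below the hunk, `runuser -u ${cfg.user} --` without `--preserve-environment` plus an explicit `env PRETALX_CONFIG_FILE=…` would match the sudo branch more closely.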
--- a/nixos/modules/services/web-apps/pretix.nix +++ b/nixos/modules/services/web-apps/pretix.nix @@ -399,7 +399,9 @@ in (pkgs.writeScriptBin "pretix-manage" '' cd ${cfg.settings.pretix.datadir} sudo=exec - if [[ "$USER" != ${cfg.user} ]]; then + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u ${cfg.user} --preserve-environment --' + elif [[ "$USER" != "${cfg.user}" ]]; then sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} ${optionalString withRedis "-g redis-pretix"} --preserve-env=PRETIX_CONFIG_FILE' fi export PRETIX_CONFIG_FILE=${configFile} diff --git a/nixos/modules/services/web-apps/snipe-it.nix b/nixos/modules/services/web-apps/snipe-it.nix index 818aea70a039e..aeef7d56df639 100644 --- a/nixos/modules/services/web-apps/snipe-it.nix +++ b/nixos/modules/services/web-apps/snipe-it.nix @@ -28,7 +28,9 @@ let #! ${pkgs.runtimeShell} cd "${snipe-it}/share/php/snipe-it" sudo=exec - if [[ "$USER" != ${user} ]]; then + if [[ "''${USER:-root}" == 'root' ]]; then + sudo='exec runuser -u ${cfg.user} --' + elif [[ "$USER" != "${cfg.user}" ]]; then sudo='exec /run/wrappers/bin/sudo -u ${user}' fi $sudo ${phpPackage}/bin/php artisan $* diff --git a/nixos/tests/web-apps/mastodon/remote-databases.nix b/nixos/tests/web-apps/mastodon/remote-databases.nix index 8b49a908de425..0e103c9879643 100644 --- a/nixos/tests/web-apps/mastodon/remote-databases.nix +++ b/nixos/tests/web-apps/mastodon/remote-databases.nix @@ -24,7 +24,7 @@ import ../../make-test-python.nix ( izorkin ]; - nodes = { + containers = { databases = { config, ... }: { @@ -76,7 +76,7 @@ import ../../make-test-python.nix ( }; nginx = - { nodes, ... }: + { containers, ... }: { networking = { interfaces.eth1 = { 
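Review bot: When `withRedis` is set the sudo branch of pretix-manage runs with `-g redis-pretix`, but the new runuser branch does not, so root invocations would lack the group that presumably grants access to the redis socket. `runuser` accepts `-g`, so mirror it: `sudo='exec runuser -u ${cfg.user} ${optionalString withRedis "-g redis-pretix"} --preserve-environment --'`, and confirm runuser keeps the user's other supplementary groups when `-g` is given. The branches also differ in scope: sudo forwards only `PRETIX_CONFIG_FILE` while `--preserve-environment` hands the whole root environment (HOME, PATH, …) to pretix; since `export PRETIX_CONFIG_FILE=${configFile}` is visible right after the `fi`, `exec runuser -u ${cfg.user} -- env PRETIX_CONFIG_FILE=${configFile}` without `--preserve-environment` would match the sudo branch more closely.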
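Review bot: The retained last line of the snipe-it wrapper, `$sudo ${phpPackage}/bin/php artisan $*`, leaves `$*` unquoted, so arguments are word-split and glob-expanded again before reaching artisan (and, on the new root path, before runuser sees them); `"$@"` preserves them as given. The added lines also use `${cfg.user}` while the sudo line they sit next to keeps `${user}`; both presumably resolve to the same value via the `let` outside the hunk, but one spelling should be used throughout.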
@@ -111,7 +111,7 @@ import ../../make-test-python.nix ( tryFiles = "$uri @proxy"; }; locations."@proxy" = { - proxyPass = "http://192.168.2.201:${toString nodes.server.services.mastodon.webPort}"; + proxyPass = "http://192.168.2.201:${toString containers.server.services.mastodon.webPort}"; proxyWebsockets = true; }; }; @@ -121,8 +121,6 @@ import ../../make-test-python.nix ( server = { config, pkgs, ... }: { - virtualisation.memorySize = 2048; - environment = { etc = { "mastodon/password-redis-db".text = redisPassword; @@ -211,10 +209,6 @@ import ../../make-test-python.nix ( databases.wait_for_open_port(31637) databases.wait_for_open_port(5432) ''; - extraShutdown = '' - nginx.shutdown() - databases.shutdown() - ''; }; } ) diff --git a/nixos/tests/web-apps/mastodon/script.nix b/nixos/tests/web-apps/mastodon/script.nix index be6cbc87ae9bc..7c8d2d6d46d44 100644 --- a/nixos/tests/web-apps/mastodon/script.nix +++ b/nixos/tests/web-apps/mastodon/script.nix @@ -45,9 +45,4 @@ client.fail("curl --fail https://mastodon.local/about") server.succeed("mastodon-tootctl ip_blocks remove 192.168.0.0/16") client.succeed("curl --fail https://mastodon.local/about") - - server.shutdown() - client.shutdown() - - ${extraShutdown} '' diff --git a/nixos/tests/web-apps/mastodon/standard.nix b/nixos/tests/web-apps/mastodon/standard.nix index d4769d4b39ec4..c910fed089297 100644 --- a/nixos/tests/web-apps/mastodon/standard.nix +++ b/nixos/tests/web-apps/mastodon/standard.nix @@ -22,13 +22,11 @@ import ../../make-test-python.nix ( turion ]; - nodes = { + containers = { server = { pkgs, ... }: { - virtualisation.memorySize = 2048; - networking = { interfaces.eth1 = { ipv4.addresses = [
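Review bot: The test script no longer interpolates `${extraShutdown}`, and remote-databases.nix in this same patch stops passing it, but the parameter list of script.nix (outside the hunk) is not shown; if `extraShutdown` is still a required argument there, callers that stopped passing it fail at evaluation, and if it still has a default it is now dead. Drop it from the argument set, or give it `extraShutdown ? ""`, whichever matches the remaining callers (standard.nix is only partially visible here).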