Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add writable option to services.ttyd #268504

Closed
wants to merge 1 commit into from
Closed

add writable option to services.ttyd #268504

wants to merge 1 commit into from

Conversation

carstoid
Copy link
Contributor

@carstoid carstoid commented Nov 19, 2023
edited
Loading

addresses breaking change in ttyd 1.7.4, where the web terminal is now readonly by default, by providing a new option "writable"

see issue #268501

@carstoid
add writable option
192b2c3 
addresses breaking change in ttyd 1.7.4, where the web terminal is now readonly by default, by providing a new option "writable"
@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Nov 19, 2023
@NixOSInfra NixOSInfra added the 12. first-time contribution This PR is the author's first one; please be gentle! label Nov 19, 2023
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Nov 19, 2023
@atopuzov
Copy link
Contributor

I think this should default to true as we run ${pkgs.shadow}/bin/login to basically allow shell over web. Or just better set to true without an additional parameter.
I ran into this when testing out 23.11 so we should back port this change.

For reference default behavior was changed in ttyd in tsl0922/ttyd@f8efcdd

@atopuzov atopuzov mentioned this pull request Nov 28, 2023
Closed
38 tasks
@06kellyjac
Copy link
Member

We could make it writable true for stateVersion 23.05 and earlier but I'd be against purposefully being insecure and out of line with the upstream project for users who have no existing usages to regress/break

@atopuzov
Copy link
Contributor

but I'd be against purposefully being insecure

06kellyjac I don't think this is a secure/insecure thing. Without writeable the service that the service provides makes no sense.
Eg. ttyd service is set to run login

nixpkgs/nixos/modules/services/web-servers/ttyd.nix

Lines 185 to 194 in 47a0bce

script = if cfg.passwordFile != null then ''
PASSWORD=$(cat ${escapeShellArg cfg.passwordFile})
${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \
--credential ${escapeShellArg cfg.username}:"$PASSWORD" \
${pkgs.shadow}/bin/login
''
else ''
${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \
${pkgs.shadow}/bin/login
'';
and if it is set to not writeable you can't put in your username/password and log in into the server. Which kind of makes it useless.

@pbsds
Copy link
Member

pbsds commented Nov 28, 2023
edited
Loading

The login entrypoint should be configurable. Some might want to configure this to run htop, or glances, or nvtop, where writeable = false; might makes sense. But until then it would make sense to default to writeable = true;.

@infinisil
Copy link
Member

How about making it an error if it's not set, with an explanatory message about this situation

pbsds
pbsds reviewed Dec 8, 2023
View reviewed changes
nixos/modules/services/web-servers/ttyd.nix
Comment on lines +80 to +81
type = types.bool;
default = false;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
type = types.bool;
default = false;
type = types.nullOr types.bool;
default = null;

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and this in the config below

diff --git a/nixos/modules/services/web-servers/ttyd.nix b/nixos/modules/services/web-servers/ttyd.nix
index 3b1d87ccb483..2b652f367efb 100644
--- a/nixos/modules/services/web-servers/ttyd.nix
+++ b/nixos/modules/services/web-servers/ttyd.nix
@@ -165,6 +165,8 @@ in
       [ { assertion = cfg.enableSSL
             -> cfg.certFile != null && cfg.keyFile != null && cfg.caFile != null;
           message = "SSL is enabled for ttyd, but no certFile, keyFile or caFile has been specified."; }
+        { assertion = cfg.writeable != null;
+          message = "services.ttyd.writeable must be set"; }
         { assertion = ! (cfg.interface != null && cfg.socket != null);
           message = "Cannot set both interface and socket for ttyd."; }
         { assertion = (cfg.username != null) == (cfg.passwordFile != null);

@pbsds pbsds mentioned this pull request Jan 31, 2024
Merged
13 tasks
@pbsds
Copy link
Member

pbsds commented Jan 31, 2024
edited
Loading

i continue the effort in #285314

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pbsds pbsds pbsds left review comments

@SuperSandro2000 SuperSandro2000 SuperSandro2000 approved these changes

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 12. first-time contribution This PR is the author's first one; please be gentle!
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@carstoid @atopuzov @06kellyjac @pbsds @infinisil @SuperSandro2000 @NixOSInfra