Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cloudflared service improvements #1

Open
wants to merge 7 commits into
base: cloudflared
Choose a base branch
from
Open

cloudflared service improvements #1

wants to merge 7 commits into from

Conversation

crinklywrappr
Copy link

@crinklywrappr crinklywrappr commented Aug 23, 2022
edited
Loading

originCert

I found that cloudflared sometimes wanted access to the original certificate during testing, so I added a nullable originCert option. Looking at it now, it probably needs a mkIf (tunnel.originCert != null) in the configuration definition. I'll come back to that if you think it's necessary.

credentialsFile

types.path suites it better.

warp-routing.enabled

  • added to configuration file - it was missing.
  • default to false, since it's going into the file regardless of the value.

default ingress

Default to HTTP status 404. One less thing to spell out in the system configuration.

add cloudflared as a system package

Many other services do this.

refine the systemd service unit

  • used the approach you described in this forum post.
  • added a RestartSec setting, since it restarted too quickly to be useful during testing w/ a failing tunnel.
  • appended warp-svc to the after rule b/c of the warp-routing.enabled option. This is based on the work @WolfangAukang is doing in this PR.

@crinklywrappr crinklywrappr changed the title cloudflared service improvemnts cloudflared service improvements Aug 23, 2022
@bbigras bbigras force-pushed the cloudflared branch 2 times, most recently from 0db9c4f to c770b44 Compare December 10, 2022 19:07
bbigras pushed a commit that referenced this pull request Aug 28, 2024
@Ma27
gitea: drop PAM support
b395692 
Strongly inspired by the forgejo counterpart[1], for the following
reasons:

* The feature is broken with the current module and crashes on
  authentication with the following stacktrace (with a PAM service
  `gitea` added):

      server # Stack trace of thread 1008:
      server # #0  0x00007f3116917dfb __nptl_setxid (libc.so.6 + 0x8ddfb)
      server # #1  0x00007f3116980ae6 setuid (libc.so.6 + 0xf6ae6)
      server # NixOS#2  0x00007f30cc80f420 _unix_run_helper_binary (pam_unix.so + 0x5420)
      server # NixOS#3  0x00007f30cc8108c9 _unix_verify_password (pam_unix.so + 0x68c9)
      server # NixOS#4  0x00007f30cc80e1b5 pam_sm_authenticate (pam_unix.so + 0x41b5)
      server # NixOS#5  0x00007f3116a84e5b _pam_dispatch (libpam.so.0 + 0x3e5b)
      server # NixOS#6  0x00007f3116a846a3 pam_authenticate (libpam.so.0 + 0x36a3)
      server # NixOS#7  0x00000000029b1e7a n/a (.gitea-wrapped + 0x25b1e7a)
      server # NixOS#8  0x000000000047c7e4 n/a (.gitea-wrapped + 0x7c7e4)
      server # ELF object binary architecture: AMD x86-64
      server #
      server # [   42.420827] gitea[897]: pam_unix(gitea:auth): unix_chkpwd abnormal exit: 159
      server # [   42.423142] gitea[897]: pam_unix(gitea:auth): authentication failure; logname= uid=998 euid=998 tty= ruser= rhost=  user=snenskek

  It only worked after turning off multiple sandbox settings and adding
  `shadow` as supplementary group to `gitea.service`.

  I'm not willing to maintain additional multiple sandbox settings for
  different features, especially given that it was probably not used for
  quite a long time:

  * There was no PR or bugreport about sandboxing issues related to
    PAM.

  * Ever since the module exists, it used the user `gitea`, i.e. it had
    never read-access to `/etc/shadow`.

* Upstream has it disabled by default[2].

If somebody really needs it, it can still be brought back by an overlay
updating `tags` accordingly and modifying the systemd service config.

[1] 07641a9
[2] https://docs.gitea.com/usage/authentication#pam-pluggable-authentication-module
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@crinklywrappr @bbigras