nixos/kubo: restrict access to the API to users in a group by default

Luflosi 2023-04-14 16:37:32 +02:00
parent 7ceebbb35b
commit f2be3ae30d
GPG key ID: 4E41E29EDCC345D0
3 changed files with 26 additions and 10 deletions


@ -137,6 +137,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- The [services.kubo.settings](#opt-services.kubo.settings) option is now no longer stateful. If you changed any of the options in [services.kubo.settings](#opt-services.kubo.settings) in the past and then removed them from your NixOS configuration again, those changes are still in your Kubo configuration file but will now be reset to the default. If you're unsure, you may want to make a backup of your configuration file (probably /var/lib/ipfs/config) and compare after the update.
- The Kubo HTTP API will no longer listen on localhost and will instead only listen on a Unix domain socket by default. Read the [services.kubo.settings.Addresses.API](#opt-services.kubo.settings.Addresses.API) option description for more information.
- The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services.
This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from `/etc/ec2-metadata` should now have an `after` dependency on `fetch-ec2-metadata.service`


@ -183,10 +183,12 @@ in
options = {
Addresses.API = mkOption {
type = types.oneOf [ types.str (types.listOf types.str) ];
default = "/ip4/127.0.0.1/tcp/5001";
default = [ ];
description = lib.mdDoc ''
Multiaddr or array of multiaddrs describing the address to serve the local HTTP API on.
In addition to the multiaddrs listed here, the daemon will also listen on a Unix domain socket.
To allow the ipfs CLI tools to communicate with the daemon over that socket,
add your user to the correct group, e.g. `users.users.alice.extraGroups = [ config.services.kubo.group ];`
'';
};
@ -377,10 +379,15 @@ in
systemd.sockets.ipfs-api = {
wantedBy = [ "sockets.target" ];
# We also include "%t/ipfs.sock" because there is no way to put the "%t"
# in the multiaddr.
socketConfig.ListenStream =
[ "" "%t/ipfs.sock" ] ++ multiaddrsToListenStreams cfg.settings.Addresses.API;
socketConfig = {
# We also include "%t/ipfs.sock" because there is no way to put the "%t"
# in the multiaddr.
ListenStream =
[ "" "%t/ipfs.sock" ] ++ (multiaddrsToListenStreams cfg.settings.Addresses.API);
SocketMode = "0660";
SocketUser = cfg.user;
SocketGroup = cfg.group;
};
};
};
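Review bot: The new `SocketMode`/`SocketUser`/`SocketGroup` settings in the `socketConfig` block only govern the `%t/ipfs.sock` Unix socket; any TCP multiaddr a user puts back into `Addresses.API` is still added to `ListenStream` and is not covered by the group restriction, but the updated option description in the first hunk does not say so. Since the whole point of this change is to gate API access on group membership, the description should make the scope of that gate explicit, e.g. add `Note that the group restriction only applies to the Unix domain socket; any TCP address listed here is reachable without that restriction, so keep this list empty unless you need remote API access.` to the `lib.mdDoc` text. It may also be worth stating in the `socketConfig` comment that `SocketMode` is applied only to the Unix socket, so a later reader does not assume the TCP listeners are protected. The enclosing module attribute set starts before and ends after this hunk.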


@ -4,7 +4,7 @@
maintainers = [ mguentner Luflosi ];
};
nodes.machine = { ... }: {
nodes.machine = { config, ... }: {
services.kubo = {
enable = true;
# Also will add a unix domain socket socket API address, see module.
@ -14,16 +14,22 @@
};
users.users.alice = {
isNormalUser = true;
extraGroups = [ config.services.kubo.group ];
};
};
nodes.fuse = { ... }: {
nodes.fuse = { config, ... }: {
services.kubo = {
enable = true;
# Only allow API access through the Unix domain socket
settings.Addresses.API = [ ];
autoMount = true;
};
users.users.alice = {
isNormalUser = true;
extraGroups = [ config.services.kubo.group ];
};
users.users.bob = {
isNormalUser = true;
};
};
testScript = ''
@ -59,11 +65,12 @@
machine.succeed("test ! -e /var/lib/ipfs/")
with subtest("FUSE mountpoint"):
fuse.fail("echo a | su bob -l -c 'ipfs add --quieter'")
# The FUSE mount functionality is broken as of v0.13.0 and v0.17.0.
# See https://github.com/ipfs/kubo/issues/9044.
# Workaround: using CID Version 1 avoids that.
ipfs_hash = fuse.succeed(
"echo fnord3 | ipfs add --quieter --cid-version=1"
"echo fnord3 | su alice -l -c 'ipfs add --quieter --cid-version=1'"
).strip()
fuse.succeed(f"cat /ipfs/{ipfs_hash} | grep fnord3")
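Review bot: The negative check `fuse.fail("echo a | su bob -l -c 'ipfs add --quieter'")` on the `fuse` node does not distinguish "denied by socket permissions" from "daemon not ready" or "socket missing", so it can pass for the wrong reason and would not catch a regression that, say, left the socket world-writable while the daemon was briefly unavailable. A direct assertion on the socket itself would pin the intended property, e.g. `fuse.succeed("stat -c '%U:%G %a' /run/ipfs.sock | grep -q '^ipfs:ipfs 660$'")` (adjust the owner/group names to the values of `config.services.kubo.user`/`group`, which are not visible in this hunk), placed before the `bob` check. Note also that only the `fuse` node is exercised with an unprivileged user, so the default `machine` node's Unix socket permissions are not tested. The `testScript` string starts before this hunk and continues past it.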