nixos/attestation-server: fix boot failure #80

hmenke · hmenke · commit f844239e4b1e · 2021-01-21T21:56:03.000+01:00
As already noted previously, using the service name as the user and
group name in conjunction with DynamicUser sporadically fails.  There is
a better way to provision secrets for services with upcoming systemd
247, but for now we use a SupplementaryGroup to install the secret.
diff --git a/nixos/attestation-server/module.nix b/nixos/attestation-server/module.nix
@@ -118,16 +118,15 @@ in
             "('emailLocal', '${if local then "1" else "0"}')"
           ];
         in optionals (passwordFile != null) [
-          # Note the leading + on the second command. The passwordFile could be
+          # Note the leading + on the first command. The passwordFile could be
           # anywhere in the file system, so it has to be copied as root and
-          # permissions fixed to be accessible by the service.  However, if the
-          # first command is run as root the allocation of uid and gid for the
-          # service seems to be delayed, so we just run something else first.
-          "${pkgs.coreutils}/bin/touch %S/attestation/emailPassword"
-          "+${pkgs.coreutils}/bin/install -m 0600 -o %N -g %N ${passwordFile} %S/attestation/emailPassword"
+          # permissions fixed to be accessible by the service.
+          "+${pkgs.coreutils}/bin/install -m 0640 -g keys ${passwordFile} %S/attestation/emailPassword"
+          ''${pkgs.sqlite}/bin/sqlite3 %S/attestation/attestation.db "CREATE TABLE IF NOT EXISTS Configuration (key TEXT PRIMARY KEY NOT NULL, value NOT NULL)"''
           ''${pkgs.sqlite}/bin/sqlite3 %S/attestation/attestation.db "INSERT OR REPLACE INTO Configuration VALUES ${values}"''
           "${pkgs.coreutils}/bin/rm -f %S/attestation/emailPassword"
         ];
+        SupplementaryGroups = [ "keys" ];
 
         # When sending TERM, e.g. for restart, AttestationServer fails with
         # this exit code.
diff --git a/nixos/attestation-server/test.nix b/nixos/attestation-server/test.nix
@@ -12,12 +12,11 @@ import "${pkgs.path}/nixos/tests/make-test-python.nix" ({ pkgs, ... }: {
       device = "crosshatch";
       signatureFingerprint = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
       avbFingerprint = "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB";
-      # TODO: Uncomment when https://github.com/danielfullmer/robotnix/issues/80 is resolved
-      # email = {
-      #   host = "example.com";
-      #   username = "test";
-      #   passwordFile = "${pkgs.writeText "fake-password" "testing123"}"; # NOTE: Don't use writeText like this with a real password!
-      # };
+      email = {
+        host = "example.com";
+        username = "test";
+        passwordFile = "${pkgs.writeText "fake-password" "testing123"}"; # NOTE: Don't use writeText like this with a real password!
+      };
       nginx.enable = false;
     };
   };
