author | Luflosi <luflosi@luflosi.de> | 2023-04-14 16:37:32 +0200 |
---|---|---|
committer | Luflosi <luflosi@luflosi.de> | 2023-04-15 15:25:20 +0200 |
commit | f2be3ae30d960b2f7f1c816d9cab43000556fd0a (patch) | |
tree | 00e1faa17c27e1979b4ba5fd11436301a2eb6d0e /nixos/tests | |
parent | 7ceebbb35bfebd887f41418588d1ccc32d3a977a (diff) |
nixos/kubo: restrict access to the API to users in a group by default
Diffstat (limited to 'nixos/tests')
-rw-r--r-- | nixos/tests/kubo.nix | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/nixos/tests/kubo.nix b/nixos/tests/kubo.nix
index 53642ee3fc8d4..496f409a40a93 100644
--- a/nixos/tests/kubo.nix
+++ b/nixos/tests/kubo.nix
@@ -4,7 +4,7 @@
 maintainers = [ mguentner Luflosi ];
 };
- nodes.machine = { ... }: {
+ nodes.machine = { config, ... }: {
 services.kubo = {
 enable = true;
 # Also will add a unix domain socket socket API address, see module.
@@ -14,16 +14,22 @@
 };
 users.users.alice = {
 isNormalUser = true;
+ extraGroups = [ config.services.kubo.group ];
 };
 };
- nodes.fuse = { ... }: {
+ nodes.fuse = { config, ... }: {
 services.kubo = {
 enable = true;
- # Only allow API access through the Unix domain socket
- settings.Addresses.API = [ ];
 autoMount = true;
 };
+ users.users.alice = {
+ isNormalUser = true;
+ extraGroups = [ config.services.kubo.group ];
+ };
+ users.users.bob = {
+ isNormalUser = true;
+ };
 };
 testScript = ''
@@ -59,11 +65,12 @@
 machine.succeed("test ! -e /var/lib/ipfs/")
 with subtest("FUSE mountpoint"):
+ fuse.fail("echo a | su bob -l -c 'ipfs add --quieter'")
 # The FUSE mount functionality is broken as of v0.13.0 and v0.17.0.
 # See https://github.com/ipfs/kubo/issues/9044.
 # Workaround: using CID Version 1 avoids that.
 ipfs_hash = fuse.succeed(
- "echo fnord3 | ipfs add --quieter --cid-version=1"
+ "echo fnord3 | su alice -l -c 'ipfs add --quieter --cid-version=1'"
 ).strip()
 fuse.succeed(f"cat /ipfs/{ipfs_hash} | grep fnord3") |
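Review bot: With `settings.Addresses.API = [ ];` and its comment removed, nothing in the `fuse` node records which API configuration the alice/bob access check is meant to exercise. A comment above `services.kubo` such as `# Default API settings: only members of config.services.kubo.group (alice, not bob) may use the API.` would state the intent. The non-member user bob is defined only on `fuse`, so the `machine` node, whose comment mentions an API address in addition to the Unix domain socket, gets no negative access check. Whether the group restriction is expected to hold for that configuration is not visible here and is worth saying in the test. Both node definitions extend outside the hunk.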
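Review bot: The added `fuse.fail("echo a | su bob -l -c 'ipfs add --quieter'")` in the "FUSE mountpoint" subtest passes on any non-zero exit, so it cannot distinguish an access denial from the daemon not being reachable yet or from `su` itself failing. It also runs before any visible line has shown the daemon to be usable on `fuse`. Moving that line to just after the `).strip()` of alice's `fuse.succeed(...)` would make alice's upload the positive control for the same node and daemon state. Matching the command's error output against a permission error would tighten the assertion further, though the exact message is not visible on this page. The test script starts and ends outside the hunk.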