From 249f6c4c1df410ee339a8136416092fdcc0b16c2 Mon Sep 17 00:00:00 2001
From: IndeedNotJames
Date: Wed, 1 Mar 2023 23:44:21 +0100
Subject: [PATCH 1/2] nixos/tests/gitea: test gpg commit signing key
`/api/v1/signing-key.gpg` spawns a `gpg` process, which is great to test if `gpg` is available and can be invoked from in the unit. Which is somewhat relevant, since `gpg` was missing from the unit's `$PATH` until recently. And even after adding `gpg` to the unit's `$PATH`, configuring commit signing for a instance resulted in http/500s nonetheless. That's due to `@memlock` being present in `SystemCallFilter=~` and `gpg` trying to use `mlock` (probably to prevent secrets in the memory to swap), resulting in an immediate `SIGKILL` of any spawned `gpg` processes.
---
 nixos/tests/gitea.nix | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/nixos/tests/gitea.nix b/nixos/tests/gitea.nix
index d856ecca9a13..da61abd84e89 100644
--- a/nixos/tests/gitea.nix
+++ b/nixos/tests/gitea.nix
@@ -8,6 +8,21 @@ with import ../lib/testing-python.nix { inherit system pkgs; };
 with pkgs.lib;
 let
+ ## gpg --faked-system-time='20230301T010000!' --quick-generate-key snakeoil ed25519 sign
+ signingPrivateKey = ''
+ -----BEGIN PGP PRIVATE KEY BLOCK-----
+
+ lFgEY/6jkBYJKwYBBAHaRw8BAQdADXiZRV8RJUyC9g0LH04wLMaJL9WTc+szbMi7
+ 5fw4yP8AAQCl8EwGfzSLm/P6fCBfA3I9znFb3MEHGCCJhJ6VtKYyRw7ktAhzbmFr
+ ZW9pbIiUBBMWCgA8FiEE+wUM6VW/NLtAdSixTWQt6LZ4x50FAmP+o5ACGwMFCQPC
+ ZwAECwkIBwQVCgkIBRYCAwEAAh4FAheAAAoJEE1kLei2eMedFTgBAKQs1oGFZrCI
+ TZP42hmBTKxGAI1wg7VSdDEWTZxut/2JAQDGgo2sa4VHMfj0aqYGxrIwfP2B7JHO
+ GCqGCRf9O/hzBA==
+ =9Uy3
+ -----END PGP PRIVATE KEY BLOCK-----
+ '';
+ signingPrivateKeyId = "4D642DE8B678C79D";
+
 supportedDbTypes = [ "mysql" "postgres" "sqlite3" ];
 makeGiteaTest = type: nameValuePair type (makeTest {
 name = "${giteaPackage.pname}-${type}";
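Review bot: The snakeoil key appears to carry a finite expiry, which turns this into a time bomb for the test: decoding the self-signature in the armored block suggests a key-expiration subpacket of 63072000 seconds (two years) counted from the faked creation time 2023-03-01, so around 2025-03-01 gpg/Gitea would start refusing the key and the test would fail for reasons unrelated to the module. Regenerating it with an explicit non-expiring lifetime avoids that, e.g. `## gpg --faked-system-time='20230301T010000!' --quick-generate-key snakeoil ed25519 sign never`, updating both the key block and `signingPrivateKeyId` together. Since the key ID is written out separately from the block, a comment such as `# long key ID of signingPrivateKey above; regenerate both together` would help keep them from drifting. The `let` bindings this hunk adds to continue outside the hunk.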
@@ -21,8 +36,9 @@ let
 database = { inherit type; };
 package = giteaPackage;
 settings.service.DISABLE_REGISTRATION = true;
+ settings."repository.signing".SIGNING_KEY = signingPrivateKeyId;
 };
- environment.systemPackages = [ giteaPackage pkgs.jq ];
+ environment.systemPackages = [ giteaPackage pkgs.gnupg pkgs.jq ];
 services.openssh.enable = true;
 };
 client1 = { config, pkgs, ... }: {
@@ -58,6 +74,13 @@ let
 server.wait_for_open_port(3000)
 server.succeed("curl --fail http://localhost:3000/")
+ server.succeed(
+ "su -l gitea -c 'gpg --homedir /var/lib/gitea/data/home/.gnupg "
+ + "--import ${toString (pkgs.writeText "gitea.key" signingPrivateKey)}'"
+ )
+
+ assert "BEGIN PGP PUBLIC KEY BLOCK" in server.succeed("curl http://localhost:3000/api/v1/signing-key.gpg")
+
 server.succeed(
 "curl --fail http://localhost:3000/user/sign_up | grep 'Registration is disabled. "
 + "Please contact your site administrator.'"
From 93c1d370db28ad4573fb9890c90164ba55391ce7 Mon Sep 17 00:00:00 2001
From: IndeedNotJames
Date: Wed, 1 Mar 2023 23:44:21 +0100
Subject: [PATCH 2/2] nixos/gitea: fix commit signing (`gpg`) core dump
Gitea spawns `gpg` processes for commit signing related actions. Those `gpg` processes need `mlock` (probably to prevent secrets in the memory to swap). Blocking it (as part of the `@memlock` preset) causes any commit signing related actions to error out as http/500
---
 nixos/modules/services/misc/gitea.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index 14bf6aebb681..13198872c08f 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
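Review bot: Adding `pkgs.gnupg` to `environment.systemPackages` may mask the very regression the commit message says this test is for — if the gitea unit's `PATH` can fall back to the system profile, the signing-key endpoint would keep working even after `gnupg` were dropped from the unit's own path again. The package is evidently needed here for the `su -l gitea -c 'gpg ...'` import in the test script, so a comment stating that would stop a later reader from assuming it is what puts `gpg` on the unit's path: `# gnupg is for the test's own `gpg --import` below; the unit's PATH must provide gpg on its own`. Whether the unit's path is strictly limited to `systemd.services.gitea.path` is not visible in this hunk and is worth confirming.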
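Review bot: The `assert "BEGIN PGP PUBLIC KEY BLOCK" in ...` check proves that some PGP block came back, not that Gitea exported the configured key, and the `curl` on that line also drops the `--fail` every neighbouring call uses. Checking the long key ID of the returned key against `signingPrivateKeyId` pins the actual contract, e.g. `assert "${signingPrivateKeyId}" in server.succeed("curl --fail http://localhost:3000/api/v1/signing-key.gpg | gpg --show-keys --with-colons")` (`--show-keys` needs gpg 2.2 or newer, which the `pkgs.gnupg` added to the server already provides). The `--homedir /var/lib/gitea/data/home/.gnupg` path presumably mirrors the `HOME` the unit sets; a comment saying so would make the coupling explicit. The test script this hunk edits continues outside the hunk.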
@@ -597,7 +597,7 @@ in
 PrivateMounts = true;
 # System Call Filtering
 SystemCallArchitectures = "native";
- SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
+ SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
 };
 environment = {
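Review bot: The reason `@memlock` is absent from the deny list now lives only in the commit message, so the next hardening pass is likely to put it straight back; record it next to the line, e.g. `# @memlock is deliberately not filtered: gpg (commit signing) calls mlock() and is SIGKILLed otherwise`. Dropping the whole group also permits `mlockall`/`munlockall` and `mlock2` for every process in the unit, not just gpg; if libgcrypt's secure-memory pool only needs `mlock`/`munlock`, listing the remaining members of the group explicitly in the deny string would keep the filter as tight as before for those. Even with the syscall allowed, the amount gpg can lock is still bounded by the unit's `LimitMEMLOCK=` (or the systemd default), which is worth confirming is large enough for gpg's secure-memory pool so the http/500 does not merely change shape.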