nixos/hledger-web: fix access control options

This commit is contained in:
Lin Yinfeng 2024-03-31 12:50:08 +08:00
parent 38baa03829
commit 484c1c1ff8
No known key found for this signature in database
GPG Key ID: 46947CB61521FC42
3 changed files with 25 additions and 29 deletions

View File

@ -271,6 +271,13 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- `services.resolved.fallbackDns` can now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead.
- `services.hledger-web.capabilities` options has been replaced by a new option `services.hledger-web.allow`.
- `allow = "view"` means `capabilities = { view = true; }`;
- `allow = "add"` means `capabilities = { view = true; add = true; }`;
- `allow = "edit"` means `capabilities = { view = true; add = true; edit = true }`;
- `allow = "sandstorm"` reads permissions from the `X-Sandstorm-Permissions` request header.
- `xxd` has been moved from `vim` default output to its own output to reduce closure size. The canonical way to reference it across all platforms is `unixtools.xxd`.
- The `stalwart-mail` package has been updated to v0.5.3, which includes [breaking changes](https://github.com/stalwartlabs/mail-server/blob/v0.5.3/UPGRADING.md).

View File

@ -26,28 +26,17 @@ in {
'';
};
capabilities = {
view = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc ''
Enable the view capability.
'';
};
add = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Enable the add capability.
'';
};
manage = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Enable the manage capability.
'';
};
allow = mkOption {
type = types.enum [ "view" "add" "edit" "sandstorm" ];
default = "view";
description = lib.mdDoc ''
User's access level for changing data.
* view: view only permission.
* add: view and add permissions.
* edit: view, add, and edit permissions.
* sandstorm: permissions from the `X-Sandstorm-Permissions` request header.
'';
};
stateDir = mkOption {
@ -89,6 +78,11 @@ in {
};
imports = [
(mkRemovedOptionModule [ "services" "hledger-web" "capabilities" ]
"This option has been replaced by new option `services.hledger-web.allow`.")
];
config = mkIf cfg.enable {
users.users.hledger = {
@ -102,16 +96,11 @@ in {
users.groups.hledger = {};
systemd.services.hledger-web = let
capabilityString = with cfg.capabilities; concatStringsSep "," (
(optional view "view")
++ (optional add "add")
++ (optional manage "manage")
);
serverArgs = with cfg; escapeShellArgs ([
"--serve"
"--host=${host}"
"--port=${toString port}"
"--capabilities=${capabilityString}"
"--allow=${allow}"
(optionalString (cfg.baseUrl != null) "--base-url=${cfg.baseUrl}")
(optionalString (cfg.serveApi) "--serve-api")
] ++ (map (f: "--file=${stateDir}/${f}") cfg.journalFiles)

View File

@ -19,7 +19,7 @@ rec {
host = "127.0.0.1";
port = 5000;
enable = true;
capabilities.manage = true;
allow = "edit";
};
networking.firewall.allowedTCPPorts = [ config.services.hledger-web.port ];
systemd.services.hledger-web.preStart = ''