Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions nixos/doc/manual/redirects.json
Original file line number Diff line number Diff line change
Expand Up @@ -337,6 +337,9 @@
"module-services-crab-hole-upstream-options": [
"index.html#module-services-crab-hole-upstream-options"
],
"module-services-firefox-syncserver-database": [
"index.html#module-services-firefox-syncserver-database"
],
"module-services-firefox-syncserver-clients": [
"index.html#module-services-firefox-syncserver-clients"
],
Expand Down
2 changes: 2 additions & 0 deletions nixos/doc/manual/release-notes/rl-2611.section.md
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,8 @@

- `services.plantuml-server.packages.jetty` now supports `jetty_12`, it no longer supports `jetty_11`.

- [firefox-syncserver.database.type](#opt-services.firefox-syncserver.database.type) no longer defaults to `"mysql"`. You must now explicitly choose between `"mysql"` and `"postgresql"`. New deployments should prefer PostgreSQL.

## Other Notable Changes {#sec-release-26.11-notable-changes}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
Expand Down
23 changes: 23 additions & 0 deletions nixos/modules/services/networking/firefox-syncserver.md
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,29 @@ This configuration should never be used in production. It is not encrypted and
stores its secrets in a world-readable location.
:::

## Database backends {#module-services-firefox-syncserver-database}

The sync server supports MySQL/MariaDB (the default) and PostgreSQL as database
backends. Set `database.type` to choose the backend:

```nix
{
services.firefox-syncserver = {
enable = true;
database.type = "postgresql";
secrets = "/run/secrets/firefox-syncserver";
singleNode = {
enable = true;
hostname = "localhost";
url = "http://localhost:5000";
};
};
}
```

When `database.createLocally` is `true` (the default), the module will
automatically enable and configure the corresponding database service.

## More detailed setup {#module-services-firefox-syncserver-configuration}

The `firefox-syncserver` service provides a number of options to make setting up
Expand Down
239 changes: 176 additions & 63 deletions nixos/modules/services/networking/firefox-syncserver.nix
Original file line number Diff line number Diff line change
Expand Up @@ -3,17 +3,42 @@
pkgs,
lib,
options,
utils,
...
}:

let
cfg = config.services.firefox-syncserver;
opt = options.services.firefox-syncserver;
defaultDatabase = "firefox_syncserver";
defaultUser = "firefox-syncserver";

dbIsLocal = cfg.database.host == "localhost";
dbURL = "mysql://${cfg.database.user}@${cfg.database.host}/${cfg.database.name}${lib.optionalString dbIsLocal "?socket=/run/mysqld/mysqld.sock"}";
dbIsMySQL = cfg.database.type == "mysql";
dbIsPostgreSQL = cfg.database.type == "postgresql";

dbIsLocal =
cfg.database.host == (if dbIsMySQL then "/run/mysqld/mysqld.sock" else "/run/postgresql");

dbURL =
if dbIsMySQL then
"mysql://${cfg.database.user}@${cfg.database.host}/${cfg.database.name}${lib.optionalString dbIsLocal "?socket=/run/mysqld/mysqld.sock"}"
else if dbIsLocal then
# Use Unix socket connection with peer authentication by default.
"postgres:///${cfg.database.name}?host=/run/postgresql&user=${cfg.database.user}"
else
"postgres://${cfg.database.user}@${cfg.database.host}/${cfg.database.name}";

# postgresql.target waits for postgresql-setup.service (which runs
# ensureDatabases / ensureUsers) to complete, avoiding race conditions
# where the syncserver starts before its database and role exist.
dbService = if dbIsMySQL then "mysql.service" else "postgresql.target";

syncserver =
if cfg.package != null then
cfg.package
else if dbIsMySQL then
pkgs.syncstorage-rs-mysql
else
pkgs.syncstorage-rs-pgsql;

format = pkgs.formats.toml { };
settings = {
Expand All @@ -22,7 +47,7 @@ let
database_url = dbURL;
};
tokenserver = {
node_type = "mysql";
node_type = if dbIsMySQL then "mysql" else "postgres";
database_url = dbURL;
fxa_email_domain = "api.accounts.firefox.com";
fxa_oauth_server_url = "https://oauth.accounts.firefox.com/v1";
Expand All @@ -41,44 +66,75 @@ let
};
};
configFile = format.generate "syncstorage.toml" (lib.recursiveUpdate settings cfg.settings);
setupScript = pkgs.writeShellScript "firefox-syncserver-setup" ''
set -euo pipefail
shopt -s inherit_errexit

schema_configured() {
mysql ${cfg.database.name} -Ne 'SHOW TABLES' | grep -q services
}

update_config() {
mysql ${cfg.database.name} <<"EOF"
BEGIN;

INSERT INTO `services` (`id`, `service`, `pattern`)
VALUES (1, 'sync-1.5', '{node}/1.5/{uid}')
ON DUPLICATE KEY UPDATE service='sync-1.5', pattern='{node}/1.5/{uid}';
INSERT INTO `nodes` (`id`, `service`, `node`, `available`, `current_load`,
`capacity`, `downed`, `backoff`)
VALUES (1, 1, '${cfg.singleNode.url}', ${toString cfg.singleNode.capacity},
0, ${toString cfg.singleNode.capacity}, 0, 0)
ON DUPLICATE KEY UPDATE node = '${cfg.singleNode.url}', capacity=${toString cfg.singleNode.capacity};

COMMIT;
EOF
}


for (( try = 0; try < 60; try++ )); do
if ! schema_configured; then
sleep 2
else
update_config
exit 0
fi
done

echo "Single-node setup failed"
exit 1
'';
setupScript =
let
dbSpecific =
if dbIsMySQL then
{
listTables = "mysql ${cfg.database.name} -Ne 'SHOW TABLES'";
execSql = "mysql ${cfg.database.name}";
upsertSql = ''
BEGIN;

INSERT INTO `services` (`id`, `service`, `pattern`)
VALUES (1, 'sync-1.5', '{node}/1.5/{uid}')
ON DUPLICATE KEY UPDATE service='sync-1.5', pattern='{node}/1.5/{uid}';
INSERT INTO `nodes` (`id`, `service`, `node`, `available`, `current_load`,
`capacity`, `downed`, `backoff`)
VALUES (1, 1, '${cfg.singleNode.url}', ${toString cfg.singleNode.capacity},
0, ${toString cfg.singleNode.capacity}, 0, 0)
ON DUPLICATE KEY UPDATE node = '${cfg.singleNode.url}', capacity=${toString cfg.singleNode.capacity};

COMMIT;
'';
}
else
{
listTables = "psql -d ${cfg.database.name} -tAc \"SELECT table_name FROM information_schema.tables WHERE table_schema = 'public'\"";
execSql = "psql -d ${cfg.database.name}";
upsertSql = ''
BEGIN;

INSERT INTO services (id, service, pattern)
VALUES (1, 'sync-1.5', '{node}/1.5/{uid}')
ON CONFLICT (id) DO UPDATE SET service = 'sync-1.5', pattern = '{node}/1.5/{uid}';
INSERT INTO nodes (id, service, node, available, current_load,
capacity, downed, backoff)
VALUES (1, 1, '${cfg.singleNode.url}', ${toString cfg.singleNode.capacity},
0, ${toString cfg.singleNode.capacity}, 0, 0)
ON CONFLICT (id) DO UPDATE SET node = '${cfg.singleNode.url}', capacity = ${toString cfg.singleNode.capacity};

COMMIT;
'';
};
in
pkgs.writeShellScript "firefox-syncserver-setup" ''
set -euo pipefail
shopt -s inherit_errexit

schema_configured() {
${dbSpecific.listTables} | grep -q services
}

update_config() {
${dbSpecific.execSql} <<'EOF'
${dbSpecific.upsertSql}
EOF
}

for (( try = 0; try < 60; try++ )); do
if ! schema_configured; then
sleep 2
else
update_config
exit 0
fi
done

echo "Single-node setup failed"
exit 1
'';
in

{
Expand All @@ -88,25 +144,49 @@ in
the Firefox Sync storage service.

Out of the box this will not be very useful unless you also configure at least
one service and one nodes by inserting them into the mysql database manually, e.g.
one service and one nodes by inserting them into the database manually, e.g.
by running

```
INSERT INTO `services` (`id`, `service`, `pattern`) VALUES ('1', 'sync-1.5', '{node}/1.5/{uid}');
INSERT INTO `nodes` (`id`, `service`, `node`, `available`, `current_load`,
`capacity`, `downed`, `backoff`)
VALUES ('1', '1', 'https://mydomain.tld', '1', '0', '10', '0', '0');
INSERT INTO services (id, service, pattern) VALUES (1, 'sync-1.5', '{node}/1.5/{uid}');
INSERT INTO nodes (id, service, node, available, current_load,
capacity, downed, backoff)
VALUES (1, 1, 'https://mydomain.tld', 1, 0, 10, 0, 0);
```

{option}`${opt.singleNode.enable}` does this automatically when enabled
'';

package = lib.mkPackageOption pkgs "syncstorage-rs" { };
package = lib.mkOption {
type = lib.types.nullOr lib.types.package;
default = null;
defaultText = lib.literalExpression ''
if config.${opt.database.type} == "mysql" then
pkgs.syncstorage-rs-mysql
else
pkgs.syncstorage-rs-pgsql
'';
description = ''
Syncstorage server package to use. When `null`, the package is
selected automatically based on {option}`${opt.database.type}`.
'';
};

database.type = lib.mkOption {
type = lib.types.enum [
"mysql"
"postgresql"
];
description = ''
Which database backend to use for storage.
::: {.note}
`"postgresql"` is recommended for new deployments. `"mysql"` is the
backend used by legacy installations.
:::
'';
};

database.name = lib.mkOption {
# the mysql module does not allow `-quoting without resorting to shell
# escaping, so we restrict db names for forward compaitiblity should this
# behavior ever change.
type = lib.types.strMatching "[a-z_][a-z0-9_]*";
default = defaultDatabase;
description = ''
Expand All @@ -117,9 +197,15 @@ in

database.user = lib.mkOption {
type = lib.types.str;
default = defaultUser;
default = if dbIsPostgreSQL then defaultDatabase else defaultUser;
defaultText = lib.literalExpression ''
if database.type == "postgresql" then "${defaultDatabase}" else "${defaultUser}"
'';
description = ''
Username for database connections.
Username for database connections. When using PostgreSQL with
`createLocally`, this defaults to the database name so that
`ensureDBOwnership` works (it requires user and database names
to match).
'';
};

Expand All @@ -137,7 +223,8 @@ in
default = true;
description = ''
Whether to create database and user on the local machine if they do not exist.
This includes enabling unix domain socket authentication for the configured user.
This includes enabling the configured database service and setting up
authentication for the configured user.
'';
};

Expand Down Expand Up @@ -237,7 +324,7 @@ in
};

config = lib.mkIf cfg.enable {
services.mysql = lib.mkIf cfg.database.createLocally {
services.mysql = lib.mkIf (cfg.database.createLocally && dbIsMySQL) {
enable = true;
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
Expand All @@ -250,16 +337,31 @@ in
];
};

services.postgresql = lib.mkIf (cfg.database.createLocally && dbIsPostgreSQL) {
enable = true;
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{
name = cfg.database.user;
ensureDBOwnership = true;
}
];
};

systemd.services.firefox-syncserver = {
wantedBy = [ "multi-user.target" ];
requires = lib.mkIf dbIsLocal [ "mysql.service" ];
after = lib.mkIf dbIsLocal [ "mysql.service" ];
requires = lib.mkIf dbIsLocal [ dbService ];
after = lib.mkIf dbIsLocal [ dbService ];
restartTriggers = lib.optional cfg.singleNode.enable setupScript;
environment.RUST_LOG = cfg.logLevel;
serviceConfig = {
User = defaultUser;
Group = defaultUser;
ExecStart = "${cfg.package}/bin/syncserver --config ${configFile}";
ExecStart = utils.escapeSystemdExecArgs [
(lib.getExe syncserver)
"--config"
configFile
];
User = cfg.database.user;
Group = cfg.database.user;
EnvironmentFile = lib.mkIf (cfg.secrets != null) "${cfg.secrets}";

# hardening
Expand Down Expand Up @@ -303,10 +405,21 @@ in

systemd.services.firefox-syncserver-setup = lib.mkIf cfg.singleNode.enable {
wantedBy = [ "firefox-syncserver.service" ];
requires = [ "firefox-syncserver.service" ] ++ lib.optional dbIsLocal "mysql.service";
after = [ "firefox-syncserver.service" ] ++ lib.optional dbIsLocal "mysql.service";
path = [ config.services.mysql.package ];
serviceConfig.ExecStart = [ "${setupScript}" ];
requires = [ "firefox-syncserver.service" ] ++ lib.optional dbIsLocal dbService;
after = [ "firefox-syncserver.service" ] ++ lib.optional dbIsLocal dbService;
path =
if dbIsMySQL then [ config.services.mysql.package ] else [ config.services.postgresql.package ];
serviceConfig = {
ExecStart = [ "${setupScript}" ];
}
// lib.optionalAttrs dbIsPostgreSQL {
# Peer authentication maps the system user to the database role of the
# same name, which owns the database (ensureDBOwnership), so no
# superuser access is required.
User = cfg.database.user;
Group = cfg.database.user;
DynamicUser = true;
};
};
Comment thread
Titaniumtown marked this conversation as resolved.

services.nginx.virtualHosts = lib.mkIf cfg.singleNode.enableNginx {
Expand Down
2 changes: 1 addition & 1 deletion nixos/tests/all-tests.nix
Original file line number Diff line number Diff line change
Expand Up @@ -602,7 +602,7 @@ in
imports = [ ./firefox.nix ];
_module.args.firefoxPackage = pkgs.firefox-esr-140;
};
firefox-syncserver = runTest ./firefox-syncserver.nix;
firefox-syncserver = discoverTests (import ./firefox-syncserver.nix);
firefox_decrypt = runTest ./firefox_decrypt.nix;
firefoxpwa = runTest ./firefoxpwa.nix;
firejail = runTest ./firejail.nix;
Expand Down
Loading
Loading