nixos/transmission: improvements #350085
`settings.umask` to be of type str
@ju1m could you help with this PR?
Does that mean I should remove the release note entry?
@diniamo, sorry I did not notice you had already done all that work, what you did is better, thanks!
LGTM
@ju1m just to make sure: I changed `serviceConfig.StateDirectoryMode` to `cfg.downloadDirPermissions` as well. It's needed because other things can't access any subdirectories, if they can't access the parent directory. Alternatively, do you have a better solution?
Right, no I would not change Besides, if
@@ -358,7 +356,7 @@ in | |||
"transmission/${downloadsDir}" | |||
"transmission/${watchDir}" | |||
]; | |||
StateDirectoryMode = mkDefault 750; | |||
StateDirectoryMode = cfg.downloadDirPermissions; |
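Review bot: The replacement line `StateDirectoryMode = cfg.downloadDirPermissions;` drops the `mkDefault` wrapper that the removed line carried, and it makes the mode of the service's whole state directory follow an option named for the download directories. Keeping `StateDirectoryMode = mkDefault 750;` leaves the state directory closed to other users by default and still overridable. If the coupling is intended, the change should also make clear what mode results when `cfg.downloadDirPermissions` is unset.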
Please keep 750 and let users add themselves to the transmission group.
How do I add a user to multiple groups declaratively though? Edit: seems like removing the `downloadDirPermissions` option worked. Although what happens if you set it to `null` is not documented.

```nix
users.users."diniamo".extraGroups = [ config.services.transmission.group ];
```
Or:
```nix
users.groups.${config.services.transmission.group}.members = [ "diniamo" ];
```

And do you know why setting `downloadDirPermissions` to `null` makes it 755? I'll add a note about that to the description.
Yes, I explained it in my previous message. But please do not use
How is this?
@@ -191,6 +189,10 @@ in | |||
and [](#opt-services.transmission.settings.watch-dir). | |||
Note that you may also want to change | |||
[](#opt-services.transmission.settings.umask). | |||
|
|||
If `null`, the home and the download directories become |
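Review bot: The added sentence beginning "If `null`, the home and the download directories become" puts a statement about the home directory's mode into the description of an option about the download directories, directly after the pointer to `settings.umask`. The description should say which setting decides each directory's mode when the option is `null`, and how a user who needs access is expected to get it, so that readers do not assume this option alone controls who can read the downloads.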
Hmm, I think you've misunderstood what I tried to say previously, when I wrote:

> Besides, if `cfg.downloadDirPermissions` is `null` (the default) then `StateDirectoryMode=` would default to 755 instead of the current 750 which would open transmission's state folder read-only to every user.

I was describing what would happen if we were to use `StateDirectoryMode = cfg.downloadDirPermissions;` but that's no longer the case, so `downloadDirPermissions == null` remains a no-op.
Indeed, the description only documents the `If not null,` case, but adding users to `config.transmission.group` is unrelated to that option being `null` or not, it's related to `StateDirectoryMode == "750"`.
Then that option is very misleading. If I set it to 755, then I expect other users to be able to read the download directories, which is not the case. This is very unintuitive, and the option descriptions don't mention this anywhere. It took a long while before I figured out what was going on.
It would be nice if we could avoid wasting others' time. What do you suggest?
IMHO, `downloadDirPermissions` is a quirk that should not even exist in the first place, since adding users to `services.transmission.group` is both more secure and more idiomatic.
Yet this option lingers and we have to deal with it, I would suggest to improve its description by explaining the two main ways to give access to the directories that I explained previously:
- the better way security-wise is to add users to `services.transmission.group`,
- or to set `cfg.settings.download-dir` & co. to some path where intended users have access to them [and use `settings.umask = "002"` and `downloadDirPermissions = "755"`]
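Why a 755 download directory stays unreachable under a 750 state directory, and why group membership fixes it, worked through as an added example (not part of this PR or of the NixOS module). The paths, the `Downloads` directory name and all uid/gid values are constructed, and the model covers classic owner/group/other bits only, not root, capabilities or ACLs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Dir:
    path: str
    uid: int
    gid: int
    mode: int          # permission bits, e.g. 0o750

@dataclass(frozen=True)
class User:
    uid: int
    gids: frozenset

def perm_class(d, u):
    """rwx triplet that applies to u: owner bits, else group bits, else other bits."""
    if u.uid == d.uid:
        return (d.mode >> 6) & 7
    if d.gid in u.gids:
        return (d.mode >> 3) & 7
    return d.mode & 7

def first_blocker(chain, u):
    """Path of the first directory that stops u from listing chain[-1], or None."""
    for d in chain[:-1]:
        if not (perm_class(d, u) & 1):       # search (x) is needed on every ancestor
            return d.path
    if (perm_class(chain[-1], u) & 5) != 5:  # r and x are needed to list the target
        return chain[-1].path
    return None

TR_UID, TR_GID = 70, 70                      # constructed ids for the service account

def chain(state_mode, download_mode):
    """Constructed directory chain: root-owned parents, then the service's directories."""
    return [
        Dir("/", 0, 0, 0o755),
        Dir("/var", 0, 0, 0o755),
        Dir("/var/lib", 0, 0, 0o755),
        Dir("/var/lib/transmission", TR_UID, TR_GID, state_mode),
        Dir("/var/lib/transmission/Downloads", TR_UID, TR_GID, download_mode),
    ]

outsider = User(1000, frozenset({100}))          # not in the service group
member = User(1000, frozenset({100, TR_GID}))    # added to the service group
```

With the state directory at 750, only the group member reaches the downloads. Relaxing the state directory to 755 instead lets every local user traverse it.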
How is this? I did some minimal testing in a VM, and it seems to be working fine.
We have to wait until after NixOS 24.11 as this is a breaking change and not a trivial fix.
I don't get it. Why do we have to wait for 24.11?
Because breaking changes are blocked in this period to prepare for the next release. See #339153
@ju1m it looks like I didn't do enough research: transmission 3 (which is the default for the module) still uses the old way of configuring umask (decimal number), while transmission 4 uses the new way (octal number as a string). Should I update the default package as well, or?
@diniamo should probably be using EDIT: maybe adjusting the
I was thinking of something like that as well. Thanks for that suggestion, I'll implement it.
@diniamo, chances are that nixpkgs/nixos/doc/manual/release-notes/rl-2411.section.md Lines 210 to 212 in b166978
But that would have to be discussed with people involved in #258058
nixos/transmission: improve code
- Remove `with lib;`
- Use `{ name = { ... }; }` instead of `{ name.foo = ...; name.bar = ...; }`
In that case, I'll leave updating the default to them, and this should be fine.
@Aleksanaa this is no longer a breaking change.
Thanks!
@l0b0 is there anything else to do?
Not as far as I'm concerned - I already accepted. I don't have merge rights though.
Oh huh, I thought you did.
Thanks!
As per Transmission's documentation, the umask option should be a string.