NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

nixos/sourcehut: metasrht-api cannot open pgp-privkey #177423

Open McSinyx opened 2 years ago

McSinyx commented 2 years ago

Describe the bug

metasrht-api.service fails to open PGP private key:

# journalctl -u metasrht-api.service
...
Jun 12 16:33:53 brno systemd[1]: Started sourcehut metasrht-api service.
Jun 12 16:33:53 brno metasrht-api[576331]: panic: open /var/lib/sourcehut/private.pgp: no such file or directory
Jun 12 16:33:53 brno metasrht-api[576331]: goroutine 1 [running]:
Jun 12 16:33:53 brno metasrht-api[576331]: git.sr.ht/~sircmpwn/core-go/email.NewQueue(0xc12f00)
Jun 12 16:33:53 brno metasrht-api[576331]:         git.sr.ht/~sircmpwn/core-go@v0.0.0-20220530120843-d0bf1153ada4/email/worker.go:192 +0x3e8
Jun 12 16:33:53 brno metasrht-api[576331]: git.sr.ht/~sircmpwn/core-go/server.(*Server).WithDefaultMiddleware(0xc000306a10)
Jun 12 16:33:53 brno metasrht-api[576331]:         git.sr.ht/~sircmpwn/core-go@v0.0.0-20220530120843-d0bf1153ada4/server/server.go:174 +0x30c
Jun 12 16:33:53 brno metasrht-api[576331]: main.main()
Jun 12 16:33:53 brno metasrht-api[576331]:         git.sr.ht/~sircmpwn/meta.sr.ht/api/server.go:40 +0x3ac

Steps To Reproduce

Steps to reproduce the behavior:

  1. Generate PGP key pair and put them in /var/lib/sourcehut/{private,public}.pgp
  2. Set up services.sourcehut using the key pair like so: https://git.sr.ht/~cnx/loang-nixos/commit/36e2a7b1c07d
  3. Rebuild the derivation

Expected behavior

metasrht-api.service opens the private key without any error

Additional context

Problem remains when /var/lib/sourcehut/private.pgp has mode 644 (parent directories 755).

Notify maintainers

@ju1m and @tomberek

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

ju1m commented 2 years ago

@McSinyx that's because /var/lib/sourcehut is not bound into the chroot, this can be checked with:

# systemctl cat metasrht | grep -e '^Bind' -e '^StateDirectory='
BindReadOnlyPaths=/nix/store
BindReadOnlyPaths=/etc
BindReadOnlyPaths=/run/booted-system
BindReadOnlyPaths=/run/current-system
BindReadOnlyPaths=/run/systemd
BindReadOnlyPaths=/run/postgresql
BindReadOnlyPaths=/run/redis-sourcehut-metasrht
StateDirectory=sourcehut/metasrht

Or directly with:

# nsenter -a -t "$(systemctl show --property MainPID --value metasrht)" findmnt
TARGET                               SOURCE                                                                                       FSTYPE     OPTIONS
/                                    tmpfs[/sourcehut/chroots/metasrht]                                                           tmpfs      ro,nosuid,nodev,size=1003180k,mode=755
├─/dev                               tmpfs                                                                                        tmpfs      ro,nosuid,noexec,size=4096k,nr_inodes=1048576,mode=755
│ ├─/dev/pts                         devpts                                                                                       devpts     rw,nosuid,noexec,relatime,gid=3,mode=620,ptmxmode=666
│ ├─/dev/shm                         tmpfs                                                                                        tmpfs      rw,nosuid,nodev,size=2006356k
│ ├─/dev/mqueue                      mqueue                                                                                       mqueue     rw,nosuid,nodev,noexec,relatime
│ └─/dev/hugepages                   hugetlbfs                                                                                    hugetlbfs  rw,nosuid,relatime,pagesize=2M
├─/etc                               rpool/root[/etc]                                                                             zfs        ro,nosuid,relatime,xattr,posixacl
├─/nix/store                         rpool/nix[/store]                                                                            zfs        ro,nosuid,relatime,xattr,posixacl
├─/proc                              proc                                                                                         proc       rw,nosuid,nodev,noexec,relatime,hidepid=invisible,subset=pid
├─/root                              tmpfs[/systemd/inaccessible/dir]                                                             tmpfs      ro,nosuid,nodev,noexec,size=1003180k,mode=755
├─/run                               tmpfs                                                                                        tmpfs      rw,nosuid,relatime
│ ├─/run/booted-system               rpool/nix[/store/s72z4c7akfx8bqjp8r8lc3f36c4b1bm2-nixos-system-mermet-22.05.20211207.dirty]  zfs        ro,nosuid,relatime,xattr,posixacl
│ ├─/run/current-system              rpool/nix[/store/rlijlpvsjp8iz55q6sn3bkf8mpl9bwvh-nixos-system-mermet-22.05.20220505.dirty]  zfs        ro,nosuid,relatime,xattr,posixacl
│ ├─/run/postgresql                  tmpfs[/postgresql]                                                                           tmpfs      ro,nosuid,nodev,size=1003180k,mode=755
│ ├─/run/redis-sourcehut-metasrht    tmpfs[/redis-sourcehut-metasrht]                                                             tmpfs      ro,nosuid,nodev,size=1003180k,mode=755
│ ├─/run/sourcehut/metasrht          tmpfs[/sourcehut/metasrht]                                                                   tmpfs      rw,nosuid,nodev,size=1003180k,mode=755
│ │ └─/run/sourcehut/metasrht/subdir tmpfs[/sourcehut/metasrht/subdir]                                                            tmpfs      rw,nosuid,nodev,size=1003180k,mode=755
│ └─/run/systemd                     tmpfs[/systemd]                                                                              tmpfs      ro,nosuid,nodev,size=1003180k,mode=755
│   └─/run/systemd/incoming          tmpfs[/systemd/propagate/metasrht.service]                                                   tmpfs      ro,nosuid,nodev,size=1003180k,mode=755
├─/sys                               sysfs                                                                                        sysfs      ro,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/security             securityfs                                                                                   securityfs ro,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/cgroup                   cgroup2                                                                                      cgroup2    ro,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot
│ ├─/sys/fs/bpf                      none                                                                                         bpf        ro,nosuid,nodev,noexec,relatime,mode=700
│ ├─/sys/fs/pstore                   pstore                                                                                       pstore     ro,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/config               configfs                                                                                     configfs   ro,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/fuse/connections         fusectl                                                                                      fusectl    ro,nosuid,nodev,noexec,relatime
│ └─/sys/kernel/tracing              sysfs[/kernel/tracing]                                                                       sysfs      ro,nosuid,nodev,noexec,relatime
├─/tmp                               tmpfs[/systemd-private-d4c401d68b5e423abb5b5aeeff4d68aa-metasrht.service-7WgMi5/tmp]         tmpfs      rw,nosuid,nodev,size=2006356k
├─/var/lib/sourcehut/metasrht        rpool/var/sourcehut[/metasrht]                                                               zfs        rw,nosuid,relatime,xattr,posixacl
└─/var/tmp                           rpool/var/tmp[/systemd-private-d4c401d68b5e423abb5b5aeeff4d68aa-metasrht.service-PGfvAG/tmp] zfs        rw,nosuid,relatime,xattr,posixacl

So you should be able to work around that by putting your key inside /var/lib/sourcehut/metasrht, and maybe other directories of other services.

But we should rather use LoadCredential= or LoadCredentialEncrypted=, and substitute $CREDENTIALS_DIRECTORY when generating the config of the service.
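The check above can be scripted so the question "is this file reachable from inside the unit's sandbox?" is answered from `systemctl cat` output alone. The following is an added example, not code from the issue or from the nixpkgs sourcehut module. It assumes the unit runs under a RootDirectory=/TemporaryFileSystem= style sandbox like the one shown in the findmnt output, where only explicitly bound paths exist; it handles BindPaths=, BindReadOnlyPaths= and the *Directory= family (StateDirectory= under /var/lib, RuntimeDirectory= under /run, and so on, which is more than the grep above shows) and ignores every other mount-shaping directive (InaccessiblePaths=, ProtectSystem=, ...). The sample unit text is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example: decide whether a host path is visible inside a sandboxed
# systemd unit, using only the bind/directory directives in `systemctl cat`.
# Assumption: the unit has a private root (RootDirectory=/TemporaryFileSystem=),
# so a path is reachable only if some directive binds it or a parent of it.

# Constructed sample input, taken from the `systemctl cat metasrht` lines
# quoted in the issue (hypothetical unit text, not the real full unit file).
SAMPLE_UNIT='[Service]
BindReadOnlyPaths=/nix/store
BindReadOnlyPaths=/etc
BindReadOnlyPaths=/run/booted-system
BindReadOnlyPaths=/run/current-system
BindReadOnlyPaths=/run/systemd
BindReadOnlyPaths=/run/postgresql
BindReadOnlyPaths=/run/redis-sourcehut-metasrht
StateDirectory=sourcehut/metasrht'

# Print every host path the unit makes visible, one per line.
# BindPaths=/BindReadOnlyPaths= take whitespace-separated "host[:dest[:opts]]"
# entries, optionally prefixed with "-"; the *Directory= directives take names
# relative to a fixed parent (StateDirectory= -> /var/lib, etc.).
bound_paths() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in
      BindPaths=*|BindReadOnlyPaths=*)
        for entry in ${line#*=}; do          # word-split on purpose
          entry=${entry#-}                   # drop the "optional" marker
          printf '%s\n' "${entry%%:*}"       # keep only the host side
        done ;;
      StateDirectory=*)         parent=/var/lib   ;;
      RuntimeDirectory=*)       parent=/run       ;;
      CacheDirectory=*)         parent=/var/cache ;;
      LogsDirectory=*)          parent=/var/log   ;;
      ConfigurationDirectory=*) parent=/etc       ;;
      *) continue ;;
    esac
    case "$line" in
      *Directory=*)
        for entry in ${line#*=}; do
          printf '%s/%s\n' "$parent" "$entry"
        done ;;
    esac
  done
}

# under BASE PATH: succeed when PATH equals BASE or lies below it.
under() {
  case "$2" in
    "$1"|"$1"/*) return 0 ;;
  esac
  return 1
}

# path_visible UNIT_TEXT PATH: print the bound path that exposes PATH and
# return 0; print nothing and return 1 when nothing in the unit exposes it.
path_visible() {
  for bound in $(bound_paths "$1"); do
    if under "$bound" "$2"; then
      printf '%s\n' "$bound"
      return 0
    fi
  done
  return 1
}

# One-line verdict per path, for running the script by hand.
report() {
  if bound=$(path_visible "$1" "$2"); then
    printf '%s: visible (bound via %s)\n' "$2" "$bound"
  else
    printf '%s: NOT visible inside the unit namespace\n' "$2"
  fi
}

# The three locations discussed in the thread.
for p in /var/lib/sourcehut/private.pgp \
         /var/lib/sourcehut/metasrht/private.pgp \
         /etc/sr.ht/private.pgp; do
  report "$SAMPLE_UNIT" "$p"
done
```

On a live system, replace the constructed text with `report "$(systemctl cat metasrht)" /var/lib/sourcehut/private.pgp`. A path that passes this check is only reachable, not necessarily readable: ownership and mode still apply to the service user, and the read-only bind of /etc means a key placed there cannot be rewritten by the service itself.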

McSinyx commented 2 years ago

Thanks for the quick response; putting it in /var/lib/sourcehut/metasrht still didn't work, but in /etc/sr.ht it did.