Packaging `rnsd` and `lxmd` on NixOS
Started by p1ld7a 8279b6a997b08071...
Hello,
I have been contributing to the NixOS/nixpkgs project as a maintainer for several years.
Although I only started exploring Reticulum properly about 2 weeks ago (spoiler: I love it!), contributing support for the rnsd and lxmd services to the NixOS project felt like an obvious next step.
However, I have reached a roadblock, and I have not been able to find a clear answer in the documentation.
My intention is to run rnsd and lxmd as 2 fully independent systemd services, each with DynamicUser=true.
Running rnsd this way is straightforward, and I have encountered no issues with it. However, I am unsure how lxmd should be configured so that it can communicate with the existing rnsd daemon.
What is the minimal lxmd configuration required to connect to and use an already-running rnsd instance?
I noticed that we could use a shared instance, using a socket or TCP. In that case, what is the minimal configuration of lxmd to use to connect using a socket or TCP?
Find my PR at https://github.com/NixOS/nixpkgs/pull/530406
Thank you in advance for your help!
From my understanding:
The --rnsconfig flag exists for the existing RNS session or rnsd daemon.
The --config flag exists for additional programs that should connect to the session.
Thanks for the link. Using an additional BackboneInterface is indeed a neat idea!
When hardening services with systemd using DynamicUser and StateDirectory, each daemon runs under its own dynamically allocated, unprivileged user and owns its dedicated state directory, typically /var/lib/<service>.
As a result, the user running rnsd cannot access the state directory owned by lxmd, and vice versa. Therefore, having lxmd use --rnsconfig <path> to access the configuration or state of the rnsd service is not really a viable option.
This is why I would like to understand precisely how lxmd can be configured to use an existing, shared rnsd instance while keeping both services properly isolated.
The more details I can gather about the expected communication mechanism and minimal configuration, the better I can design the corresponding NixOS services instead of relying on an ad hoc setup.
Cool! Although I'm not a NixOS user, this would be awesome for other distros (like Arch) too...
Can't you use a shared directory like /etc/?
BindPaths or BindReadOnlyPaths seem interesting in that regard. You can configure them so that the service is only allowed to read from the shared directory.
But I think you're more knowledgeable in that regard.
Can't you use a shared directory like /etc/?
I have been trying, sadly rnsd and lxmd need to have write access to that directory, so this is not a viable option.
I have to admit that I don't really like the idea of "sharing" a directory between 2 services. If there's a better alternative, I will definitely use that.
When everything is done, running the rnsd and lxmd services will boil down to adding:
{
  services.rnsd = {
    enable = true;
    settings = {
      reticulum = {
        enable_transport = true;
        share_instance = true;
        instance_name = "default";
        shared_instance_type = "unix";
      };
      interfaces = {
        auto = {
          type = "AutoInterface";
          enabled = true;
        };
      };
    };
    transportIdentityFile = "<path-to-transport-identity-file>";
    extraGroups = [ "dialout" ];
  };
  services.lxmd = {
    enable = true;
    settings = {
      propagation-node = {
        autopeer = true;
      };
    };
    rnsd = {
      settings = {
        reticulum = {
          is_shared_instance = true;
          enable_transport = true;
          instance_name = "default";
          shared_instance_type = "unix";
        };
        interfaces = {
          auto = {
            type = "AutoInterface";
            enabled = true;
          };
        };
      };
      transportIdentityFile = "<path-to-transport-identity-file>";
    };
    identityFile = "<path-to-identity-file>";
  };
  networking.firewall.allowedTCPPorts = [
    4242
  ];
}
This snippet is what I am already using on my server successfully so far... and you can see that the only way to get lxmd to use the shared rnsd instance is to use the same rnsd config file in both services.
I am pretty sure there's a better way to do that.
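The post above duplicates the full rnsd configuration, interfaces included, into the lxmd service. The following is an added example (not code from this thread, nor from the Reticulum or nixpkgs projects) that derives the smaller Reticulum config an lxmd process would be given via --rnsconfig: it keeps only the keys that identify the shared instance (share_instance, shared_instance_type, instance_name, and the shared_instance_port / instance_control_port keys used by the TCP type) and drops enable_transport and the whole [interfaces] section. The assumption, stated here and in the code comments, is that a second RNS process started with share_instance enabled and the same instance name and type attaches to the running instance as a client and does not bring up interfaces of its own, so none need to be listed; the config text parsed below is constructed for the example.

```python
"""
Derive the minimal Reticulum config a client such as lxmd (--rnsconfig) needs
to attach to an already-running shared rnsd instance.

Added example, not code from the thread or from the Reticulum/nixpkgs projects.
Assumption: an RNS process started with share_instance enabled and the same
instance_name / shared_instance_type as the running instance attaches to it as
a client and does not start its own interfaces, so the client config can omit
the [interfaces] section and enable_transport entirely.
"""

# Keys in the [reticulum] section that describe the shared instance itself.
SHARED_INSTANCE_KEYS = (
    "share_instance",
    "shared_instance_type",
    "instance_name",
    "shared_instance_port",
    "instance_control_port",
)

# Constructed sample of an rnsd config in the ConfigObj-style format Reticulum
# uses ('[section]', nested '[[subsection]]', 'key = value', '#' comments).
RNSD_CONFIG = """
[reticulum]
  enable_transport = Yes
  share_instance = Yes
  shared_instance_type = unix
  instance_name = default

[interfaces]
  [[auto]]
    type = AutoInterface
    enabled = Yes
"""


def parse_reticulum_section(text: str) -> dict:
    """Return the key/value pairs of the flat, top-level [reticulum] section.

    Any other header, including nested '[[...]]' headers, ends the section, so
    interface definitions never leak into the result.
    """
    values = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            in_section = (not line.startswith("[[")) and line.strip("[]").strip() == "reticulum"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values


def is_truthy(value) -> bool:
    """Interpret the boolean spellings Reticulum configs commonly use."""
    return str(value).strip().lower() in ("yes", "true", "on", "1")


def minimal_client_config(rnsd_config_text: str) -> str:
    """Build a client config containing only what is needed to join the shared instance.

    Raises ValueError when the rnsd config does not share its instance: a client
    started against such a config would bring up its own interfaces instead of
    attaching, which is exactly the duplication the thread wants to avoid.
    """
    settings = parse_reticulum_section(rnsd_config_text)
    if not is_truthy(settings.get("share_instance", "no")):
        raise ValueError("rnsd config does not set share_instance = Yes; nothing to attach to")
    kept = {key: settings[key] for key in SHARED_INSTANCE_KEYS if key in settings}
    lines = ["[reticulum]"]
    lines += [f"  {key} = {value}" for key, value in kept.items()]
    lines += ["", "[interfaces]", "  # intentionally empty: the shared rnsd instance owns the interfaces"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(minimal_client_config(RNSD_CONFIG))
```

The generated text is what you would write to the lxmd service's own StateDirectory and pass with --rnsconfig, so neither DynamicUser needs access to the other service's files; whether the client side also needs write access to that directory at runtime is exactly the open question in the thread and is not settled by this example.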
I added some help on how to setup the services: https://github.com/NixOS/nixpkgs/pull/530406
Rendered views:
- rnsd: https://github.com/drupol/nixpkgs/blob/push-mntwnvrylymq/nixos/modules/services/networking/rnsd.md
- lxmd: https://github.com/drupol/nixpkgs/blob/push-mntwnvrylymq/nixos/modules/services/networking/lxmd.md
Comments and feedback are more than welcome.