nixos/hledger-web: fix access control options

2024-03-31 12:50:08 +08:00 · 2024-03-31 12:50:08 +08:00 · 484c1c1ff8
commit 484c1c1ff8
parent 38baa03829
3 changed files with 25 additions and 29 deletions
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@ -271,6 +271,13 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

 - `services.resolved.fallbackDns` can now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead.

+- `services.hledger-web.capabilities` options has been replaced by a new option `services.hledger-web.allow`.
+
+  - `allow = "view"` means `capabilities = { view = true; }`;
+  - `allow = "add"` means `capabilities = { view = true; add = true; }`;
+  - `allow = "edit"` means `capabilities = { view = true; add = true; edit = true }`;
+  - `allow = "sandstorm"` reads permissions from the `X-Sandstorm-Permissions` request header.
+
 - `xxd` has been moved from `vim` default output to its own output to reduce closure size. The canonical way to reference it across all platforms is `unixtools.xxd`.

 - The `stalwart-mail` package has been updated to v0.5.3, which includes [breaking changes](https://github.com/stalwartlabs/mail-server/blob/v0.5.3/UPGRADING.md).
--- a/nixos/modules/services/web-apps/hledger-web.nix
+++ b/nixos/modules/services/web-apps/hledger-web.nix
@ -26,28 +26,17 @@ in {
      '';
    };

-    capabilities = {
-      view = mkOption {
-        type = types.bool;
-        default = true;
-        description = lib.mdDoc ''
-          Enable the view capability.
-        '';
-      };
-      add = mkOption {
-        type = types.bool;
-        default = false;
-        description = lib.mdDoc ''
-          Enable the add capability.
-        '';
-      };
-      manage = mkOption {
-        type = types.bool;
-        default = false;
-        description = lib.mdDoc ''
-          Enable the manage capability.
-        '';
-      };
+    allow = mkOption {
+      type = types.enum [ "view" "add" "edit" "sandstorm" ];
+      default = "view";
+      description = lib.mdDoc ''
+        User's access level for changing data.
+
+        * view: view only permission.
+        * add: view and add permissions.
+        * edit: view, add, and edit permissions.
+        * sandstorm: permissions from the `X-Sandstorm-Permissions` request header.
+      '';
    };

    stateDir = mkOption {
@ -89,6 +78,11 @@ in {

  };

+  imports = [
+    (mkRemovedOptionModule [ "services" "hledger-web" "capabilities" ]
+      "This option has been replaced by new option `services.hledger-web.allow`.")
+  ];
+
  config = mkIf cfg.enable {

    users.users.hledger = {
@ -102,16 +96,11 @@ in {
    users.groups.hledger = {};

    systemd.services.hledger-web = let
-      capabilityString = with cfg.capabilities; concatStringsSep "," (
-        (optional view "view")
-        ++ (optional add "add")
-        ++ (optional manage "manage")
-      );
      serverArgs = with cfg; escapeShellArgs ([
        "--serve"
        "--host=${host}"
        "--port=${toString port}"
-        "--capabilities=${capabilityString}"
+        "--allow=${allow}"
        (optionalString (cfg.baseUrl != null) "--base-url=${cfg.baseUrl}")
        (optionalString (cfg.serveApi) "--serve-api")
      ] ++ (map (f: "--file=${stateDir}/${f}") cfg.journalFiles)
--- a/nixos/tests/hledger-web.nix
+++ b/nixos/tests/hledger-web.nix
@ -19,7 +19,7 @@ rec {
        host = "127.0.0.1";
        port = 5000;
        enable = true;
-        capabilities.manage = true;
+        allow = "edit";
      };
      networking.firewall.allowedTCPPorts = [ config.services.hledger-web.port ];
      systemd.services.hledger-web.preStart = ''