From 4f2da6c9c17d75ba43fbe85d5243a57735a5e4eb Mon Sep 17 00:00:00 2001 From: euxane Date: Sat, 6 Jul 2024 01:49:10 +0200 Subject: [PATCH] nixos/fcgiwrap: add option migration instruction errors This adds migration instructions for the removed global shared instance configuration of fcgiwrap. Adding those explicit messages to the previous options requires moving the newly defined options from `services.fcgiwrap.*` to `services.fcgiwrap.instances.*` due to an option namespace clash. `mkRenamedOptionModule` was not used because the previous options do not directly map to the new ones. In particular, `user` and `group` were described as setting the socket's permission, but were actually setting the process' running user. Co-authored-by: Minijackson --- .../manual/release-notes/rl-2411.section.md | 2 +- nixos/modules/services/misc/zoneminder.nix | 4 ++-- nixos/modules/services/networking/cgit.nix | 4 ++-- .../modules/services/networking/smokeping.nix | 4 ++-- .../modules/services/web-servers/fcgiwrap.nix | 22 +++++++++++++++---- nixos/tests/gitolite-fcgiwrap.nix | 4 ++-- 6 files changed, 27 insertions(+), 13 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md index 368e4a459bfa..3ad57cbe3f17 100644 --- a/nixos/doc/manual/release-notes/rl-2411.section.md +++ b/nixos/doc/manual/release-notes/rl-2411.section.md @@ -107,7 +107,7 @@ The option `services.fgciwrap` now takes an attribute set of the configuration of each individual instance. This requires migrating any previous configuration keys from - `services.fcgiwrap.*` to `services.fcgiwrap.some-instance.*`. + `services.fcgiwrap.*` to `services.fcgiwrap.instances.some-instance.*`. The ownership and mode of the UNIX sockets created by this service are now configurable and private by default. Processes also now run as a dynamically allocated user by default instead of 
diff --git a/nixos/modules/services/misc/zoneminder.nix b/nixos/modules/services/misc/zoneminder.nix index 3167be0bbd46..42f322e00066 100644 --- a/nixos/modules/services/misc/zoneminder.nix +++ b/nixos/modules/services/misc/zoneminder.nix @@ -202,7 +202,7 @@ in { ]; services = { - fcgiwrap.zoneminder = lib.mkIf useNginx { + fcgiwrap.instances.zoneminder = lib.mkIf useNginx { process.prefork = cfg.cameras; process.user = user; process.group = group; @@ -255,7 +255,7 @@ in { fastcgi_param HTTP_PROXY ""; fastcgi_intercept_errors on; - fastcgi_pass unix:${config.services.fcgiwrap.zoneminder.socket.address}; + fastcgi_pass unix:${config.services.fcgiwrap.instances.zoneminder.socket.address}; } location /cache/ { diff --git a/nixos/modules/services/networking/cgit.nix b/nixos/modules/services/networking/cgit.nix index de8128ed5a59..cdd316dd99d2 100644 --- a/nixos/modules/services/networking/cgit.nix +++ b/nixos/modules/services/networking/cgit.nix @@ -32,7 +32,7 @@ let fastcgi_split_path_info ^(${regexLocation cfg})(/.+)$; fastcgi_param PATH_INFO $fastcgi_path_info; '' - }fastcgi_pass unix:${config.services.fcgiwrap."cgit-${name}".socket.address}; + }fastcgi_pass unix:${config.services.fcgiwrap.instances."cgit-${name}".socket.address}; ''; cgitrcLine = name: value: "${name}=${ @@ -171,7 +171,7 @@ in groups.${cfg.group} = { }; })); - services.fcgiwrap = flip mapAttrs' cfgs (name: cfg: + services.fcgiwrap.instances = flip mapAttrs' cfgs (name: cfg: nameValuePair "cgit-${name}" { process = { inherit (cfg) user group; }; socket = { inherit (config.services.nginx) user group; }; diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix index a07cde847cf6..2e572a3d071a 100644 --- a/nixos/modules/services/networking/smokeping.nix +++ b/nixos/modules/services/networking/smokeping.nix 
@@ -337,7 +337,7 @@ in }; # use nginx to serve the smokeping web service - services.fcgiwrap.smokeping = mkIf cfg.webService { + services.fcgiwrap.instances.smokeping = mkIf cfg.webService { process.user = cfg.user; process.group = cfg.user; socket = { inherit (config.services.nginx) user group; }; @@ -353,7 +353,7 @@ in locations."/smokeping.fcgi" = { extraConfig = '' include ${config.services.nginx.package}/conf/fastcgi_params; - fastcgi_pass unix:${config.services.fcgiwrap.smokeping.socket.address}; + fastcgi_pass unix:${config.services.fcgiwrap.instances.smokeping.socket.address}; fastcgi_param SCRIPT_FILENAME ${smokepingHome}/smokeping.fcgi; fastcgi_param DOCUMENT_ROOT ${smokepingHome}; ''; diff --git a/nixos/modules/services/web-servers/fcgiwrap.nix b/nixos/modules/services/web-servers/fcgiwrap.nix index 29ddd39942c6..d352f4fdd2b4 100644 --- a/nixos/modules/services/web-servers/fcgiwrap.nix +++ b/nixos/modules/services/web-servers/fcgiwrap.nix @@ -3,12 +3,26 @@ with lib; let - forEachInstance = f: flip mapAttrs' config.services.fcgiwrap (name: cfg: - nameValuePair "fcgiwrap-${name}" (f cfg) + forEachInstance = f: flip mapAttrs' config.services.fcgiwrap.instances ( + name: cfg: nameValuePair "fcgiwrap-${name}" (f cfg) ); in { - options.services.fcgiwrap = mkOption { + imports = forEach [ + "enable" + "user" + "group" + "socketType" + "socketAddress" + "preforkProcesses" + ] (attr: mkRemovedOptionModule [ "services" "fcgiwrap" attr ] '' + The global shared fcgiwrap instance is no longer supported due to + security issues. + Isolated instances should instead be configured through + `services.fcgiwrap.instances.*'. + ''); + + options.services.fcgiwrap.instances = mkOption { description = "Configuration for fcgiwrap instances."; default = { }; type = types.attrsOf (types.submodule ({ config, ... }: { options = { 
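Review bot: The new `mkRemovedOptionModule` message in `imports` says only that the shared instance was removed "due to security issues" and names no replacement option, even though the other hunks of this patch show the mapping (`process.user`/`process.group`, `process.prefork`, `socket.type`/`socket.address`) and the commit message notes that the old `user`/`group` never meant what their description said. Someone hitting this error has to read the module to learn that `user`/`group` become `process.user`/`process.group`, and that socket ownership is a separate `socket.user`/`socket.group` which now has to be pointed at the web server's user (as the cgit and smokeping hunks do with `socket = { inherit (config.services.nginx) user group; };`) because sockets are private by default per the release note. I would key the list by option so each removal names its replacement and the socket-permission change, as sketched below. On the last message line the path opens with a backtick and closes with `'`, which reads as a stray quote; a matching backtick, `` `services.fcgiwrap.instances.*` ``, is clearer. The enclosing module attribute set continues past the end of this hunk.

```nix
  imports = mapAttrsToList (attr: replacement:
    mkRemovedOptionModule [ "services" "fcgiwrap" attr ] ''
      The global shared fcgiwrap instance is no longer supported due to
      security issues.
      Configure an isolated instance through `services.fcgiwrap.instances.<name>`
      and use ${replacement} there.
      Sockets are now private by default: set `socket.user`/`socket.group`
      to the user and group of the web server that connects to the instance.
    ''
  ) {
    enable = "an entry under `services.fcgiwrap.instances`";
    user = "`process.user` (the old `user` option set the process user, not the socket owner)";
    group = "`process.group` (the old `group` option set the process group, not the socket group)";
    socketType = "`socket.type`";
    socketAddress = "`socket.address`";
    preforkProcesses = "`process.prefork`";
  };

  # … unchanged: options.services.fcgiwrap.instances …
```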
@@ -95,7 +109,7 @@ in { assertion = cfg.socket.mode != null -> cfg.socket.type == "unix"; message = "Socket mode can only be set for the UNIX socket type."; } - ]) config.services.fcgiwrap); + ]) config.services.fcgiwrap.instances); systemd.services = forEachInstance (cfg: { after = [ "nss-user-lookup.target" ]; diff --git a/nixos/tests/gitolite-fcgiwrap.nix b/nixos/tests/gitolite-fcgiwrap.nix index 6e8dae6f72d7..43d65faebbee 100644 --- a/nixos/tests/gitolite-fcgiwrap.nix +++ b/nixos/tests/gitolite-fcgiwrap.nix @@ -24,7 +24,7 @@ import ./make-test-python.nix ( { networking.firewall.allowedTCPPorts = [ 80 ]; - services.fcgiwrap.gitolite = { + services.fcgiwrap.instances.gitolite = { process.user = "gitolite"; process.group = "gitolite"; socket = { inherit (config.services.nginx) user group; }; @@ -64,7 +64,7 @@ import ./make-test-python.nix ( fastcgi_param SCRIPT_FILENAME ${pkgs.gitolite}/bin/gitolite-shell; # use Unix domain socket or inet socket - fastcgi_pass unix:${config.services.fcgiwrap.gitolite.socket.address}; + fastcgi_pass unix:${config.services.fcgiwrap.instances.gitolite.socket.address}; ''; };