piwik & piwik service: init at 3.0.4

[florianjacob]

Motivation for this change

Piwik is an open analytics application. Resolves #25266.

Things done

• Tested by @Alphor
• Tested using sandboxing
  (nix.useSandbox on NixOS,
  or option build-use-sandbox in nix.conf
  on non-NixOS)
• Built on platform(s)
  • NixOS
  • macOS
  • Linux
• Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Fits CONTRIBUTING.md.

---

[mention-bot]

@florianjacob, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @joachifm and @offlinehacker to be potential reviewers.

[joachifm]

Why is a static uid required?

[florianjacob]

My initial thought was so that the whole dataDir folder /var/lib/piwik can be easily restored from a backup, e.g. after a failure that needed a reinstall or on another machine.

In the meantime I learned that actually only a single file, /var/lib/piwik/config/config.ini.php needs to be backed up. It's probably easy enough to fix uid+gid for a single file manually on restores, so I guess it's not that required anymore. Nothing in the code depends on it, I could simply remove the static assignment again.

This is my first nixpkg package, could you tell me more about in which cases and for what purposes it's considered good pratice to use static ids, and in which it isn't?

[joachifm]

The most clear-cut use for static uids is if you need to refer to a user before the user/uid mapping is established. Otherwise, you need to make a judgement about the kind of data the daemon generates, whether you'd transfer the data between hosts, whether ownership can be easily fixed up, what the privacy or security implications would be if the data ended up being owned (however transiently) by another user etc.

Relying on static uids to maintain ownership invariants is fragile imo (it won't help if you transfer data to a non-NixOS host, for example). Better to have code that enforces invariants you care about directly.

Now, I don't mean to say you should overthink this but there should be a reason for doing it :)

[florianjacob]

Thanks alot for that explanation, that was very helpful. :)

I decided to remove the static ids and added a small chown+chmod script in the systemd unit that is executed as root and enforces the right ownership and permissions on startup instead. I figured that's much more beneficial to what I wanted to achieve, keeping things private while allowing an occasional but easy restore/move.

[joachifm]

Sounds good to me. If it turns out that a static uid makes more sense, it can always be added later (the other way 'round is a little harder).

[florianjacob]

@joachifm thanks for taking a look! 😄

[joachifm]

Added some nitpicks for you to consider. None of them blockers.

[joachifm]

I think users.extraGroups.${user} = {} would work as well.

[florianjacob]

Much more elegant. 😃

[joachifm]

Note that "${foo}" could be simplified to foo.

[joachifm]

Group is strictly redundant, it defaults to the primary group of User.

[joachifm]

Please consider disabling problematic phases instead of listing phases; this is a known source of bugs.

[florianjacob]

Could just throw this out completely, did learn that all default phases don't do anything like the buildPhase doesn't do anything if there is no Makefile.

[joachifm]

Can go innativeBuildInputs.

[joachifm]

Consider postPatch; at least in general its nice to allow applying arbitrary patches via override. Specifying a custom patch phase prevents that.

[joachifm]

Nit: examples for booleans are usually skipped, it's self-evident.

[joachifm]

Note that long-form descriptions may not render very well. You can generate the nixos manual to check whether it'll look okay. You can farm out longer documentation fragments to the manual.

[florianjacob]

You are right, it renders quite bad.

So it would be ok to include a new manual section like II.Configuration > 22. piwik for that longer part? I was struggeling to find a good place for this, but now I see this long description isn't one.

[joachifm]

Note that this will cause install hooks to be skipped (you can run e..g, the post phase hook manually with runHook postInstall).

[florianjacob]

I understand. I added runHook call for preInstall / postInstall as first / last commands of my installPhase, mirroring the default implementation I found in pkgs/stdenv/generic/setup.sh. From that file I assume there's no better way to overwrite / have a custom installPhase without having to call the hooks by hand, right?

[joachifm]

Pretty much. At some point I think it's possible hooks may become implicit, making this a bit more natural.

[joachifm]

If you wish, you could add yourself to the list of maintainers.

[florianjacob]

I thought you had to be part of the NixOS github organization to be a maintainer. 😅

[joachifm]

Not at all. It basically means you care about the package, lets other's know to ping you if there are questions or whatever.

[florianjacob]

Added some nitpicks for you to consider. None of them blockers.

I can feel the packaging quality is increasing…✨ 😄

[joachifm]

I don't have much more to add, so let me know when you're ready to integrate.

[ajarara]

Might want to revert this line :D

[florianjacob]

It was actually intentional, as it is a web application for web analytics, but I admit it sounds really weird in english, adds nothing much and probably irritates the reader more than clarifies stuff. 😆 Thanks!

[ajarara]

Yeah, I could see that.

[florianjacob]

@joachifm / @Alphor I've aded a NixOS manual chapter for piwik now, and I think it's good not to try to cram it all into the description. 😄 If you don't have any other suggestions for the manual, I'd be ready to integrate now.

The manual also contains a paragraph on this sendmail issue, I'd remove it later if the issue is resolved, but it seems to be nothing trivial: #26611

@Alphor can I get back on your offer to test other stuff? In case you have some kind of sendmail via nullmailer, postfix or something else, could you hit the „forgot password“ on piwik's login and try to reset it? This should result in an error displayed in the browser, and a journald log error like I posted it in the issue.

[ajarara]

@florianjacob
I've never used sendmail/procmail for email. Do I just need an MTA to test this?

[florianjacob]

@Alphor yes, an MTA would be enough, it just needs to provide the sendmail command somehow. Does not even need to work and be able to send mails to the outer world, as it'll most likely fail instantly on invoking sendmail. For postfix and nullmailer (did not look at any other MTAs for NixOS so far), just enabling them without any further configuration is enough. (For real operation, at least the fully-qualified domain name needs to be provided if it's not already in your hostname)

[joachifm]

Thank you