From f844239e4b1ec0bab979669c2838bed585b7f2b5 Mon Sep 17 00:00:00 2001
From: Henri Menke
Date: Thu, 21 Jan 2021 21:30:57 +0100
Subject: [PATCH] nixos/attestation-server: fix boot failure #80

As already noted previously, using the service name as the user and group name in conjunction with DynamicUser sporadically fails. There is a better way to provision secrets for services with upcoming systemd 247, but for now we use a SupplementaryGroup to install the secret.
---
 nixos/attestation-server/module.nix | 11 +++++------
 nixos/attestation-server/test.nix | 11 +++++------
 2 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/nixos/attestation-server/module.nix b/nixos/attestation-server/module.nix
index fe7e55f5..2cb96179 100644
--- a/nixos/attestation-server/module.nix
+++ b/nixos/attestation-server/module.nix
@@ -118,16 +118,15 @@ in
 "('emailLocal', '${if local then "1" else "0"}')"
 ];
 in optionals (passwordFile != null) [
- # Note the leading + on the second command. The passwordFile could be
+ # Note the leading + on the first command. The passwordFile could be
 # anywhere in the file system, so it has to be copied as root and
- # permissions fixed to be accessible by the service. However, if the
- # first command is run as root the allocation of uid and gid for the
- # service seems to be delayed, so we just run something else first.
- "${pkgs.coreutils}/bin/touch %S/attestation/emailPassword"
- "+${pkgs.coreutils}/bin/install -m 0600 -o %N -g %N ${passwordFile} %S/attestation/emailPassword"
+ # permissions fixed to be accessible by the service.
+ "+${pkgs.coreutils}/bin/install -m 0640 -g keys ${passwordFile} %S/attestation/emailPassword"
+
 ''${pkgs.sqlite}/bin/sqlite3 %S/attestation/attestation.db "CREATE TABLE IF NOT EXISTS Configuration (key TEXT PRIMARY KEY NOT NULL, value NOT NULL)"''
 ''${pkgs.sqlite}/bin/sqlite3 %S/attestation/attestation.db "INSERT OR REPLACE INTO Configuration VALUES ${values}"''
 "${pkgs.coreutils}/bin/rm -f %S/attestation/emailPassword"
 ];
+ SupplementaryGroups = [ "keys" ];
 # When sending TERM, e.g. for restart, AttestationServer fails with
 # this exit code.
diff --git a/nixos/attestation-server/test.nix b/nixos/attestation-server/test.nix
index 99e59999..932625e3 100644
--- a/nixos/attestation-server/test.nix
+++ b/nixos/attestation-server/test.nix
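Review bot: The root-run `install -m 0640 -g keys` line widens who can read the copied secret: the old copy was 0600 and owned by the service's own dynamic user, whereas the new one is root:keys and readable by every unit that also carries `SupplementaryGroups = [ "keys" ]` until the trailing `rm -f` runs. Since this list appears to be the unit's pre-start commands, a failure of either sqlite3 step aborts the remaining commands and leaves that group-readable copy in `%S/attestation` indefinitely. Consider removing it regardless of outcome, e.g. `ExecStopPost = [ "${pkgs.coreutils}/bin/rm -f %S/attestation/emailPassword" ];`, and extending the comment with `# The copy is root:keys 0640, so any other service in group keys can read it until the rm below.` The change also relies on a `keys` group existing on the host (NixOS ships one by default, but that is worth confirming for non-standard configurations). The enclosing serviceConfig block starts and ends outside this hunk.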
@@ -12,12 +12,11 @@ import "${pkgs.path}/nixos/tests/make-test-python.nix" ({ pkgs, ... }: {
 device = "crosshatch";
 signatureFingerprint = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
 avbFingerprint = "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB";
- # TODO: Uncomment when https://github.com/danielfullmer/robotnix/issues/80 is resolved
- # email = {
- # host = "example.com";
- # username = "test";
- # passwordFile = "${pkgs.writeText "fake-password" "testing123"}"; # NOTE: Don't use writeText like this with a real password!
- # };
+ email = {
+ host = "example.com";
+ username = "test";
+ passwordFile = "${pkgs.writeText "fake-password" "testing123"}"; # NOTE: Don't use writeText like this with a real password!
+ };
 nginx.enable = false;
 };
 };
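Review bot: The re-enabled `email` block drives the new root-run install/rm path for `passwordFile`, but nothing in this hunk checks its outcome, so the fix is only exercised as far as "the unit no longer fails to start". If the testScript (outside this hunk) does not already do so, consider asserting after startup that the temporary copy is gone, e.g. something like `machine.succeed("test ! -e /var/lib/attestation/emailPassword")` (assuming `%S/attestation` resolves there for this unit), because a leftover copy would now be readable by every member of group `keys`. The existing NOTE about `writeText` placing the fake secret in the world-readable store is accurate and fine for a test fixture.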