authorTaeer Bar-Yam <taeer@bar-yam.me>2022-02-16 00:49:51 -0500
committerTaeer Bar-Yam <taeer@bar-yam.me>2022-02-23 10:41:27 -0500
commit75fe105a3d080bc91db9f79d80c56d24e6631592 (patch)
tree4f15e716b3b02cba0c1a89d7d935a8e6f2bc40e7 /nixos/modules/services/development
parentaac7f85483b7ab70adf62f6217bedb5a0b41d9d0 (diff)
Zammad: more fixes
Diffstat (limited to 'nixos/modules/services/development')
-rw-r--r--nixos/modules/services/development/zammad.nix47
1 files changed, 35 insertions, 12 deletions
diff --git a/nixos/modules/services/development/zammad.nix b/nixos/modules/services/development/zammad.nix
index 119e8fc961e5..17f78acdfa36 100644
--- a/nixos/modules/services/development/zammad.nix
+++ b/nixos/modules/services/development/zammad.nix
@@ -5,6 +5,7 @@ with lib;
 let
   cfg = config.services.zammad;
   settingsFormat = pkgs.formats.yaml { };
+  filterNull = filterAttrs (_: v: v != null);
   serviceConfig = {
     Type = "simple";
     Restart = "always";
@@ -14,8 +15,6 @@ let
     PrivateTmp = true;
     StateDirectory = "zammad";
     WorkingDirectory = cfg.dataDir;
-
-    EnvironmentFile = cfg.secretsFile;
   };
   environment = {
     RAILS_ENV = "production";
@@ -139,26 +138,36 @@ in {
         };
       };
 
-      secretsFile = mkOption {
+      secretKeyBaseFile = mkOption {
         type = types.nullOr types.path;
         default = null;
+        example = "/run/keys/secret_key_base";
         description = ''
-          Path of a file containing secrets the format of EnvironmentFile as
-          described by systemd.exec(5). You must to define:
-            - PGPASSWORD
-            - SECRET_KEY_BASE
-          SECRET_KEY_BASE can be generated using:
-            ruby -e "require 'securerandom'; puts SecureRandom.hex(64)"
+          The path to a file containing the
+          <literal>secret_key_base</literal> secret.
+
+          Zammad uses <literal>secret_key_base</literal> to encrypt
+          the cookie store, which contains session data, and to digest
+          user auth tokens.
+
+          Needs to be a 64 byte long string of hexadecimal
+          characters. You can generate one by running
+
+          <screen>
+          <prompt>$ </prompt>openssl rand -hex 64 >/path/to/secret_key_base_file
+          </screen>
+
+          This should be a string, not a nix path, since nix paths are
+          copied into the world-readable nix store.
         '';
       };
     };
-
   };
 
   config = mkIf cfg.enable {
 
     services.zammad.database.settings = {
-      production = (mapAttrs (_: v: mkDefault v) {
+      production = mapAttrs (_: v: mkDefault v) (filterNull {
         adapter = {
           PostgreSQL = "postgresql";
           MySQL = "mysql2";
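Review bot: `secretKeyBaseFile` is typed `types.nullOr types.path`, which still accepts a Nix path literal, so the last paragraph of the description is the only guard against the key being copied into the world-readable store once the value is interpolated into the start script. Checking in `config` that the value is a string and not a path value would turn that warning into an evaluation-time error. The description also calls the key "a 64 byte long string of hexadecimal characters", but `openssl rand -hex 64` prints 128 hexadecimal characters; I would word it as `A string of 128 hexadecimal characters (64 random bytes).`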
@@ -169,7 +178,7 @@ in {
         encoding = "utf8";
         username = cfg.database.user;
         host = cfg.database.host;
-        port = lib.mkIf (cfg.database.port != null) cfg.database.port
+        port = cfg.database.port;
       });
     };
 
@@ -242,6 +251,20 @@ in {
         chmod -R u+w .
         # config file
         cp ${databaseConfig} ./config/database.yml
+        chmod -R u+w .
+        ${optionalString (cfg.database.passwordFile != null) ''
+        {
+          echo -n "  password: "
+          cat ${cfg.database.passwordFile}
+        } >> ./config/database.yml
+        ''}
+        ${optionalString (cfg.secretKeyBaseFile != null) ''
+        {
+          echo "production: "
+          echo -n "  secret_key_base: "
+          cat ${cfg.secretKeyBaseFile}
+        } > ./config/secrets.yml
+        ''}
         if [ `${config.services.postgresql.package}/bin/psql \
                   --host ${cfg.database.host} \
                   ${optionalString
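Review bot: The two secret-bearing files written in this block never get their mode tightened: `./config/database.yml` was just copied and made `u+w`, and `./config/secrets.yml` is created under whatever umask the script runs with, so both may be readable by other local users depending on the permissions of `cfg.dataDir`, which are not visible here. Adding `chmod 0600 ./config/database.yml` after the append, and doing the `secrets.yml` write under `umask 077`, would keep the password and `secret_key_base` private to the service user. The values are also emitted unquoted via `cat`, so a password containing YAML-significant characters such as `#` or a leading `*` would be parsed as something other than the file's contents; that is worth quoting or at least documenting on the option. The start script continues outside the hunk.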