author | Bas van Dijk <v.dijk.bas@gmail.com> | 2017-04-08 19:32:19 +0200 |
---|---|---|
committer | Bas van Dijk <v.dijk.bas@gmail.com> | 2017-04-08 19:32:19 +0200 |
commit | ecf03368f8b624b8573f97f70387d6d14f7e32fe (patch) | |
tree | 85389e283de6b19bb95dd065dccead61c5135196 /nixos/modules/services/misc/bepasty.nix | |
parent | 184e3238c7b65f18187d14a0388bacdee3829487 (diff) | |
bepasty: add secretKeyFile option
This gives users the option to store secrets outside the world-readable Nix store.
Diffstat (limited to 'nixos/modules/services/misc/bepasty.nix')
-rw-r--r-- | nixos/modules/services/misc/bepasty.nix | 36 |
1 files changed, 32 insertions, 4 deletions
diff --git a/nixos/modules/services/misc/bepasty.nix b/nixos/modules/services/misc/bepasty.nix index 52719222db66..4d78cddcb54f 100644 --- a/nixos/modules/services/misc/bepasty.nix +++ b/nixos/modules/services/misc/bepasty.nix @@ -21,7 +21,7 @@ in configure a number of bepasty servers which will be started with gunicorn. ''; - type = with types ; attrsOf (submodule ({ + type = with types ; attrsOf (submodule ({ config, ... } : { options = { @@ -34,7 +34,6 @@ in default = "127.0.0.1:8000"; }; - dataDir = mkOption { type = types.str; description = '' @@ -73,10 +72,28 @@ in type = types.str; description = '' server secret for safe session cookies, must be set. + + Warning: this secret is stored in the WORLD-READABLE Nix store! + + It's recommended to use <option>secretKeyFile</option> + which takes precedence over <option>secretKey</option>. ''; default = ""; }; + secretKeyFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + A file that contains the server secret for safe session cookies, must be set. + + <option>secretKeyFile</option> takes precedence over <option>secretKey</option>. + + Warning: when <option>secretKey</option> is non-empty <option>secretKeyFile</option> + defaults to a file in the WORLD-READABLE Nix store containing that secret. + ''; + }; + workDir = mkOption { type = types.str; description = '' @@ -87,11 +104,22 @@ in }; }; + config = { + secretKeyFile = mkDefault ( + if config.secretKey != "" + then toString (pkgs.writeTextFile { + name = "bepasty-secret-key"; + text = config.secretKey; + }) + else null + ); + }; })); }; }; config = mkIf cfg.enable { + environment.systemPackages = [ bepasty ]; # creates gunicorn systemd service for each configured server 
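Review bot: The new `secretKeyFile` description says the option "must be set", but its default is `null` and the `config` block further down the hunk set derives it from `secretKey` whenever that is non-empty, so the real contract is that one of the two options is non-empty and `secretKeyFile` wins. Suggest `Path to a file containing the server secret for safe session cookies. Either this option or <option>secretKey</option> must be set; this one takes precedence.` It would also help the user to say when the file is read and where its content ends up: from the later hunk the file is `cat`-ed by the ExecStartPre init script, so it must exist and be readable by whatever user that script runs as (not visible here), and its content is copied into the generated bepasty config under `workDir`. `types.str` rather than `types.path` is the right choice here, since a path literal would be copied into the store; a one-line comment on the `type` saying so would stop a future "cleanup" from reverting it.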
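Review bot: `environment.systemPackages = [ bepasty ];` inside `config = mkIf cfg.enable { ... }` is unrelated to the `secretKeyFile` change the commit title and message describe, and it installs the package system-wide for every user as soon as the service is enabled; that belongs in its own commit with its own rationale, or at least a comment saying why the service needs it on the system path. The `bepasty` name it references must be bound earlier in the file, outside this view. The `mkDefault` derivation itself is consistent with the later hunk: `writeTextFile` emits the secret without a trailing newline and `$(cat ...)` strips trailing newlines, so an explicitly supplied file and the derived store file produce the same value. A short comment above `secretKeyFile = mkDefault (` such as `# Fall back to a store file only so existing secretKey users keep working; the file is world-readable` would make the tradeoff explicit at the point where it is made, not only in the option description.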
@@ -115,7 +143,7 @@ in
 serviceConfig = {
 Type = "simple";
 PrivateTmp = true;
- ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
+ ExecStartPre = assert !isNull server.secretKeyFile; pkgs.writeScript "bepasty-server.${name}-init" ''
 #!/bin/sh
 mkdir -p "${server.workDir}"
 mkdir -p "${server.dataDir}"
@@ -123,7 +151,7 @@ in
 cat > ${server.workDir}/bepasty-${name}.conf <<EOF
 SITENAME="${name}"
 STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
- SECRET_KEY="${server.secretKey}"
+ SECRET_KEY="$(cat "${server.secretKeyFile}")"
 DEFAULT_PERMISSIONS="${server.defaultPermissions}"
 ${server.extraConfig}
 EOF |
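Review bot: `assert !isNull server.secretKeyFile;` on the `ExecStartPre` line aborts evaluation with a bare "assertion failed" pointing at this module, which does not tell the user which server in `services.bepasty.servers` lacks both `secretKey` and `secretKeyFile`, and `isNull` is the deprecated spelling of `!= null`. The NixOS idiom is an entry in the module's `assertions` list with a message, e.g. `{ assertion = server.secretKeyFile != null; message = "services.bepasty.servers.${name}: either secretKey or secretKeyFile must be set"; }`, collected over the servers in the `config` block; the `assert` can then be dropped from the script definition. The init script started here continues past the end of this hunk.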
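Review bot: The secret is now read from `secretKeyFile`, but the heredoc still writes it verbatim into `${server.workDir}/bepasty-${name}.conf` through a plain `cat >` redirection, and nothing in the hunk sets a mode on that file, so with a default umask it is created 0644 and the secret ends up world-readable in `workDir` — which largely defeats keeping it out of the store. Put `umask 077` in the init script before the heredoc (the script header is in the previous hunk), and, if gunicorn runs as a dedicated service user as the rest of the module suggests but does not show here, chown the file to that user so it can still be read; also quote the redirection target, `cat > "${server.workDir}/bepasty-${name}.conf" <<EOF`. Separately, the value is spliced into what looks like a Python-style `SECRET_KEY="..."` assignment, so a secret containing `"`, `\` or a newline will break or silently truncate the generated config; either document that the file must hold a single line of plain characters, or read the file on the bepasty side instead of interpolating its content here.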