authorRodney Lorrimar <dev@rodney.id.au>2017-04-22 17:03:07 +0100
committerRodney Lorrimar <dev@rodney.id.au>2017-04-22 17:07:21 +0100
commit79d52bc26cda44ea0e7d947cdc032b7eed9ee959 (patch)
tree26c629d3ea32edaabfbd0688285dab5c7a3ec01f /nixos/modules/services/misc/gogs.nix
parent0c9512d263145800206db5aa49a53bd42a9b8a27 (diff)
gogs service: don't copy database password to nix store
Relevant to #24288
Diffstat (limited to 'nixos/modules/services/misc/gogs.nix')
-rw-r--r--nixos/modules/services/misc/gogs.nix34
1 files changed, 31 insertions, 3 deletions
diff --git a/nixos/modules/services/misc/gogs.nix b/nixos/modules/services/misc/gogs.nix
index ec3aff0678d3..f0aff4303054 100644
--- a/nixos/modules/services/misc/gogs.nix
+++ b/nixos/modules/services/misc/gogs.nix
@@ -14,7 +14,7 @@ let
     HOST = ${cfg.database.host}:${toString cfg.database.port}
     NAME = ${cfg.database.name}
     USER = ${cfg.database.user}
-    PASSWD = ${cfg.database.password}
+    PASSWD = #dbpass#
     PATH = ${cfg.database.path}
 
     [repository]
@@ -102,7 +102,21 @@ in
         password = mkOption {
           type = types.str;
           default = "";
-          description = "Database password.";
+          description = ''
+            The password corresponding to <option>database.user</option>.
+            Warning: this is stored in cleartext in the Nix store!
+            Use <option>database.passwordFile</option> instead.
+          '';
+        };
+
+        passwordFile = mkOption {
+          type = types.nullOr types.path;
+          default = null;
+          example = "/run/keys/gogs-dbpassword";
+          description = ''
+            A file containing the password corresponding to
+            <option>database.user</option>.
+          '';
         };
 
         path = mkOption {
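Review bot: `passwordFile` is typed `types.path`, which also accepts an unquoted Nix path literal, and a user who writes `passwordFile = /run/keys/gogs-dbpassword;` (no quotes) gets that file copied into the world-readable Nix store when it is interpolated into the preStart script — the very outcome this commit is trying to avoid. The description should warn about it, e.g. `Give this as a string ("/run/keys/…"), not a path literal, or the file will be copied into the Nix store.`; declaring the option as `types.str` would close the pitfall entirely. It would also help to state that only the first line of the file is used, since the preStart script reads it with `head -n1`.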
@@ -170,7 +184,10 @@ in
           mkdir -p ${cfg.stateDir}/custom/conf
           cp -f ${configFile} ${cfg.stateDir}/custom/conf/app.ini
           KEY=$(head -c 16 /dev/urandom | base64)
-          sed -i "s,#secretkey#,$KEY,g" ${cfg.stateDir}/custom/conf/app.ini
+          DBPASS=$(head -n1 ${cfg.database.passwordFile})
+          sed -e "s,#secretkey#,$KEY,g" \
+              -e "s,#dbpass#,$DBPASS,g" \
+              -i ${cfg.stateDir}/custom/conf/app.ini
         ''}
 
         mkdir -p ${cfg.repositoryRoot}
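Review bot: `DBPASS=$(head -n1 ${cfg.database.passwordFile})` interpolates the option unconditionally, but `passwordFile` stays `null` whenever `password` is empty (the fallback in the `config` section only fires for a non-empty password); unless I am mistaken about Nix's string coercion, `${null}` is an evaluation error, so a configuration with no database password — the normal case for sqlite3 — no longer builds. The read and the substitution should be wrapped in `optionalString (cfg.database.passwordFile != null)`, as below. Separately, the password is spliced into a sed expression with `,` as the delimiter, so a password containing `,`, `&`, `\` or a newline either breaks the substitution or is silently mangled; the note should at least document that restriction, or the value should be escaped before use. The enclosing preStart script starts before this hunk.
```nix
KEY=$(head -c 16 /dev/urandom | base64)
sed -i "s,#secretkey#,$KEY,g" ${cfg.stateDir}/custom/conf/app.ini
${optionalString (cfg.database.passwordFile != null) ''
  # Only the first line of the file is used; sed metacharacters
  # (, & \) in the password are not escaped here.
  DBPASS=$(head -n1 ${cfg.database.passwordFile})
  sed -i "s,#dbpass#,$DBPASS,g" ${cfg.stateDir}/custom/conf/app.ini
''}
```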
@@ -212,5 +229,16 @@ in
       };
       extraGroups.gogs.gid = config.ids.gids.gogs;
     };
+
+    warnings = optional (cfg.database.password != "")
+      ''config.services.gogs.database.password will be stored as plaintext
+        in the Nix store. Use database.passwordFile instead.'';
+
+    # Create database passwordFile default when password is configured.
+    services.gogs.database.passwordFile = mkIf (cfg.database.password != "")
+      (mkDefault (toString (pkgs.writeTextFile {
+        name = "gogs-database-password";
+        text = cfg.database.password;
+      })));
   };
 }
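Review bot: The warning text is not accurate in every case: because the generated `passwordFile` is only a `mkDefault`, a user who sets both `database.password` and an explicit `database.passwordFile` overrides the fallback, nothing interpolates the password into a store path, yet the warning still states it "will be stored as plaintext". I would soften it to `may be copied into the world-readable Nix store unless services.gogs.database.passwordFile is set explicitly` and name both options with the same prefix (the message currently mixes `config.services.gogs.database.password` with the bare `database.passwordFile`). It is also worth a one-line comment above the `writeTextFile` fallback saying it exists for backward compatibility and produces a world-readable store file.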