authorNicolas B. Pierron <nicolas.b.pierron@gmail.com>2014-12-12 22:14:21 +0100
committerNicolas B. Pierron <nicolas.b.pierron@gmail.com>2014-12-12 22:14:38 +0100
commit1a1fc17957516956949f019292b994aebfda6779 (patch)
tree4a5827c1ff76122045738c5e727152d9baf5390f /nixos/modules/services/networking/firefox/sync-server.nix
parenta0154145d52c27416c65d7c2289f3fae61182181 (diff)
Firefox Sync Server: Create the private config file as non-world readable.
Diffstat (limited to 'nixos/modules/services/networking/firefox/sync-server.nix')
-rw-r--r--nixos/modules/services/networking/firefox/sync-server.nix20
1 files changed, 11 insertions, 9 deletions
diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix
index 0d2306c69949..b357eac98b91 100644
--- a/nixos/modules/services/networking/firefox/sync-server.nix
+++ b/nixos/modules/services/networking/firefox/sync-server.nix
@@ -4,10 +4,9 @@ with lib;
 
 let
   cfg = config.services.firefox.syncserver;
-  syncServerSecretFile = "/etc/firefox/syncserver-secret.ini";
   syncServerIni = pkgs.writeText "syncserver.ini" ''
     [DEFAULT]
-    overrides = ${cfg.privateConfig} ${syncServerSecretFile}
+    overrides = ${cfg.privateConfig}
 
     [server:main]
     use = egg:Paste#http
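Review bot: `syncServerIni` is produced with `pkgs.writeText`, so the generated ini lives in the Nix store, and the only thing keeping secrets out of that store is the `overrides = ${cfg.privateConfig}` line this hunk rewrites; nothing in the code records that constraint for the next editor. A comment above the binding such as `# This file ends up in the Nix store (readable by every local user): never put secrets in it, they belong in cfg.privateConfig, which is loaded via the overrides key below.` would make the design intent explicit. The `let` block and the ini text continue past the end of the hunk.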
@@ -100,12 +99,14 @@ in
       };
 
       privateConfig = mkOption {
-        type = types.separatedString " ";
-        default = "";
+        type = types.str;
+        default = "/etc/firefox/syncserver-secret.ini";
         description = ''
           If defined, this file would be used to set all fields which were omitted in the
           generated ini files used for configuring the syncserver.  This file is useful
-          for storing secrets, such as the syncserver.secret or the syncserver.sqluri
+          for storing secrets, such as the syncserver.secret or the syncserver.sqluri.
+
+          If this file does not exists, it would be created with a unique secret.
         '';
       };
     };
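Review bot: The description still opens with "If defined", which no longer matches the option now that it has a default of `/etc/firefox/syncserver-secret.ini` and a `types.str` type, and the added sentence reads "does not exists" and "would" where "will" is meant. A rewording along the lines of `This file is read on top of the generated ini files and supplies the fields they omit, so it is the place for secrets such as syncserver.secret or syncserver.sqluri. If it does not exist, it is created at service start with a fresh random secret.` describes the actual behaviour. It may also be worth stating that the value is a plain string naming a file outside the Nix store, since the point of the option is to keep the secret out of the world-readable store; `types.str` (rather than a path type) helps here because it does not accept a path literal, which would otherwise be copied into the store when interpolated.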
@@ -120,10 +121,11 @@ in
       path = [ pkgs.pythonPackages.pasteScript pkgs.coreutils ];
       environment.PYTHONPATH = "${pkgs.pythonPackages.syncserver}/lib/${pkgs.pythonPackages.python.libPrefix}/site-packages";
       preStart = ''
-        if ! test -e ${syncServerSecretFile}; then
-          mkdir -p $(dirname ${syncServerSecretFile})
-          echo  > ${syncServerSecretFile} '[syncserver]'
-          echo >> ${syncServerSecretFile} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')"
+        if ! test -e ${cfg.privateConfig}; then
+          umask u=rwx,g=x,o=x
+          mkdir -p $(dirname ${cfg.privateConfig})
+          echo  > ${cfg.privateConfig} '[syncserver]'
+          echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')"
         fi
       '';
       serviceConfig.ExecStart = "paster serve ${syncServerIni}";
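Review bot: The new umask only protects a file that preStart creates itself; because the `if ! test -e` guard skips an existing file, a secret file written by the previous version of this module (which, as the removed lines show, created it under the default umask) stays world-readable after an upgrade. Tightening the mode unconditionally after the `fi`, e.g. `chmod u=rw,g=,o= "${cfg.privateConfig}"`, covers that case at no cost. The interpolated path is also unquoted in `$(dirname ${cfg.privateConfig})` and in the redirection targets, so a value containing whitespace breaks the script now that the option is a free-form string; `mkdir -p "$(dirname "${cfg.privateConfig}")"` and quoted redirections avoid that. If the unit runs as an unprivileged user (not visible in this hunk), a root-owned 0600 file would be unreadable by the service, so ownership should be checked alongside the mode.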