diff options
author | Guillaume Girol <symphorien@users.noreply.github.com> | 2022-02-21 21:18:36 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-02-21 21:18:36 +0000 |
commit | 4846d948b402d0142dec6575c9ed1a1f0f2ce88a (patch) | |
tree | afddbe2fad43cc1e9748c7681dc933b79d137e0a /nixos/modules/services/web-apps | |
parent | 0fca9900b18cf8da2584828e46343465a534e392 (diff) | |
parent | 1df9e95ed751f9a37e7d5d9db1efc4eff242e043 (diff) | |
download | nixlib-4846d948b402d0142dec6575c9ed1a1f0f2ce88a.tar nixlib-4846d948b402d0142dec6575c9ed1a1f0f2ce88a.tar.gz nixlib-4846d948b402d0142dec6575c9ed1a1f0f2ce88a.tar.bz2 nixlib-4846d948b402d0142dec6575c9ed1a1f0f2ce88a.tar.lz nixlib-4846d948b402d0142dec6575c9ed1a1f0f2ce88a.tar.xz nixlib-4846d948b402d0142dec6575c9ed1a1f0f2ce88a.tar.zst nixlib-4846d948b402d0142dec6575c9ed1a1f0f2ce88a.zip |
Merge pull request #156601 from symphorien/miniflux-password
nixos/miniflux: no cleartext password in the store
Diffstat (limited to 'nixos/modules/services/web-apps')
-rw-r--r-- | nixos/modules/services/web-apps/miniflux.nix | 46 |
1 files changed, 19 insertions, 27 deletions
diff --git a/nixos/modules/services/web-apps/miniflux.nix b/nixos/modules/services/web-apps/miniflux.nix index 14cbfb395402..641c9be85d8c 100644 --- a/nixos/modules/services/web-apps/miniflux.nix +++ b/nixos/modules/services/web-apps/miniflux.nix @@ -7,26 +7,12 @@ let defaultAddress = "localhost:8080"; dbUser = "miniflux"; - dbPassword = "miniflux"; - dbHost = "localhost"; dbName = "miniflux"; - defaultCredentials = pkgs.writeText "miniflux-admin-credentials" '' - ADMIN_USERNAME=admin - ADMIN_PASSWORD=password - ''; - pgbin = "${config.services.postgresql.package}/bin"; preStart = pkgs.writeScript "miniflux-pre-start" '' #!${pkgs.runtimeShell} - db_exists() { - [ "$(${pgbin}/psql -Atc "select 1 from pg_database where datname='$1'")" == "1" ] - } - if ! db_exists "${dbName}"; then - ${pgbin}/psql postgres -c "CREATE ROLE ${dbUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${dbPassword}'" - ${pgbin}/createdb --owner "${dbUser}" "${dbName}" - ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore" - fi + ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore" ''; in @@ -54,11 +40,10 @@ in }; adminCredentialsFile = mkOption { - type = types.nullOr types.path; - default = null; + type = types.path; description = '' - File containing the ADMIN_USERNAME, default is "admin", and - ADMIN_PASSWORD (length >= 6), default is "password"; in the format of + File containing the ADMIN_USERNAME and + ADMIN_PASSWORD (length >= 6) in the format of an EnvironmentFile=, as described by systemd.exec(5). ''; example = "/etc/nixos/miniflux-admin-credentials"; @@ -70,16 +55,24 @@ in services.miniflux.config = { LISTEN_ADDR = mkDefault defaultAddress; - DATABASE_URL = "postgresql://${dbUser}:${dbPassword}@${dbHost}/${dbName}?sslmode=disable"; + DATABASE_URL = "user=${dbUser} host=/run/postgresql dbname=${dbName}"; RUN_MIGRATIONS = "1"; CREATE_ADMIN = "1"; }; - services.postgresql.enable = true; + services.postgresql = { + enable = true; + ensureUsers = [ { + name = dbUser; + ensurePermissions = { + "DATABASE ${dbName}" = "ALL PRIVILEGES"; + }; + } ]; + ensureDatabases = [ dbName ]; + }; systemd.services.miniflux-dbsetup = { description = "Miniflux database setup"; - wantedBy = [ "multi-user.target" ]; requires = [ "postgresql.service" ]; after = [ "network.target" "postgresql.service" ]; serviceConfig = { @@ -92,17 +85,16 @@ in systemd.services.miniflux = { description = "Miniflux service"; wantedBy = [ "multi-user.target" ]; - requires = [ "postgresql.service" ]; + requires = [ "miniflux-dbsetup.service" ]; after = [ "network.target" "postgresql.service" "miniflux-dbsetup.service" ]; serviceConfig = { ExecStart = "${pkgs.miniflux}/bin/miniflux"; + User = dbUser; DynamicUser = true; RuntimeDirectory = "miniflux"; RuntimeDirectoryMode = "0700"; - EnvironmentFile = if cfg.adminCredentialsFile == null - then defaultCredentials - else cfg.adminCredentialsFile; + EnvironmentFile = cfg.adminCredentialsFile; # Hardening CapabilityBoundingSet = [ "" ]; DeviceAllow = [ "" ]; @@ -119,7 +111,7 @@ in ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; - RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; |