authorBas van Dijk <v.dijk.bas@gmail.com>2017-03-28 17:38:16 +0200
committerJoachim Schiele <js@lastlog.de>2017-03-28 17:38:16 +0200
commit6f2eca1744b4ca74f456f77a1aa6e5b4ce937793 (patch)
treea848d346b427bdc571b2b438df7288de23295673 /nixos/modules/services/web-servers/apache-httpd
parent8c28474c02f3f94c5847863b5d3caf85ed742650 (diff)
wordpress: replace the dbPassword option with dbPasswordFile (#24146)
We shouldn't force users to store passwords in the world-readable Nix store.
Diffstat (limited to 'nixos/modules/services/web-servers/apache-httpd')
-rw-r--r--nixos/modules/services/web-servers/apache-httpd/wordpress.nix31
1 files changed, 28 insertions, 3 deletions
diff --git a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
index b94ec14308be..c6f4bcd0f666 100644
--- a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
@@ -9,7 +9,7 @@ let
     <?php
     define('DB_NAME',     '${config.dbName}');
     define('DB_USER',     '${config.dbUser}');
-    define('DB_PASSWORD', '${config.dbPassword}');
+    define('DB_PASSWORD', file_get_contents('${config.dbPasswordFile}'));
     define('DB_HOST',     '${config.dbHost}');
     define('DB_CHARSET',  'utf8');
     $table_prefix  = '${config.tablePrefix}';
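Review bot: The new DB_PASSWORD line passes the file to PHP verbatim, so a password file that ends in a newline (which files written by `echo`, editors or most key-management tools usually do) yields a password with a trailing "\n", whereas the activation script's `$(cat …)` for the GRANT strips that newline; the two sides then disagree and WordPress cannot log in. Strip the line terminator on the PHP side too, without touching other characters that may be part of the password: `define('DB_PASSWORD', rtrim(file_get_contents('${config.dbPasswordFile}'), "\r\n"));`. Note also that `file_get_contents()` returns false on an unreadable file, which `define` would presumably store as an empty password with only a PHP warning — worth a comment in the template such as `/* file must be readable by the httpd user; an unreadable file silently yields an empty password */`. The `let` binding holding this template starts before the hunk.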
@@ -137,9 +137,34 @@ in
     };
     dbPassword = mkOption {
       default = "wordpress";
-      description = "The mysql password to the respective dbUser.";
+      description = ''
+        The mysql password to the respective dbUser.
+
+        Warning: this password is stored in the world-readable Nix store. It's
+        recommended to use the $dbPasswordFile option since that gives you control over
+        the security of the password. $dbPasswordFile also takes precedence over $dbPassword.
+      '';
       example = "wordpress";
     };
+    dbPasswordFile = mkOption {
+      type = types.str;
+      default = toString (pkgs.writeTextFile {
+        name = "wordpress-dbpassword";
+        text = config.dbPassword;
+      });
+      example = "/run/keys/wordpress-dbpassword";
+      description = ''
+        Path to a file that contains the mysql password to the respective dbUser.
+        The file should be readable by the user: config.services.httpd.user.
+
+        $dbPasswordFile takes precedence over the $dbPassword option.
+
+        This defaults to a file in the world-readable Nix store that contains the value
+        of the $dbPassword option. It's recommended to override this with a path not in
+        the Nix store. Tip: use nixops key management:
+        <link xlink:href='https://nixos.org/nixops/manual/#idm140737318306400'/>
+      '';
+    };
     tablePrefix = mkOption {
       default = "wp_";
       description = ''
@@ -251,7 +276,7 @@ in
         sleep 1
       done
       ${pkgs.mysql}/bin/mysql -e 'CREATE DATABASE ${config.dbName};'
-      ${pkgs.mysql}/bin/mysql -e 'GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY "${config.dbPassword}";'
+      ${pkgs.mysql}/bin/mysql -e "GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY \"$(cat ${config.dbPasswordFile})\";"
     else
       echo "Good, no need to do anything database related."
     fi
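Review bot: The new GRANT line puts the password on the mysql command line via `$(cat ${config.dbPasswordFile})`, which makes it readable by every local user through `ps` or `/proc/<pid>/cmdline` for the duration of the call — this leaks the very secret the commit moves out of the Nix store. It also interpolates the raw password into a double-quoted SQL literal, so a password containing `"` or `\` breaks the statement (or alters it). Feed the statement through a heredoc on stdin instead and escape those two characters first; the enclosing `if`/`while` of this script starts before the hunk. Assuming this sits in a Nix indented string, a brace-less `$pw` is left alone by Nix and stays a shell variable.
```nix
pw=$(sed 's/\\/\\\\/g; s/"/\\"/g' ${config.dbPasswordFile})
${pkgs.mysql}/bin/mysql <<EOF
GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY "$pw";
EOF
```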