author | Robert Hensing <robert@roberthensing.nl> | 2024-02-04 21:41:29 +0100 |
---|---|---|
committer | Robert Hensing <robert@roberthensing.nl> | 2024-02-04 21:41:29 +0100 |
commit | 676139408304ecaa85c7fba7e6e07346f46cc353 (patch) | |
tree | 83af1efb1fbb3eeacc643c93ca517cf4f6c4f058 /nixos/modules | |
parent | 4c9b5cb310f4896f016f34083662ee665a0ef8ea (diff) | |
nixos/rabbitmq: Rename cookie -> unsafeCookie
Not a mkRenamedOptionModule, because user intervention is required to determine whether they have a problem. mkRenamed* does not let us explain anything to the user.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/amqp/rabbitmq.nix | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/nixos/modules/services/amqp/rabbitmq.nix b/nixos/modules/services/amqp/rabbitmq.nix index 0105f2e31333..f2dee07c91ab 100644 --- a/nixos/modules/services/amqp/rabbitmq.nix +++ b/nixos/modules/services/amqp/rabbitmq.nix @@ -14,6 +14,15 @@ let in { + + imports = [ + (mkRemovedOptionModule [ "services" "rabbitmq" "cookie" ] '' + This option wrote the Erlang cookie to the store, while it should be kept secret. + Please remove it from your NixOS configuration and deploy a cookie securely instead. + The renamed `unsafeCookie` must ONLY be used in isolated non-production environments such as NixOS VM tests. + '') + ]; + ###### interface options = { services.rabbitmq = { @@ -62,13 +71,18 @@ in ''; }; - cookie = mkOption { + unsafeCookie = mkOption { default = ""; type = types.str; description = lib.mdDoc '' Erlang cookie is a string of arbitrary length which must be the same for several nodes to be allowed to communicate. Leave empty to generate automatically. + + Setting the cookie via this option exposes the cookie to the store, which + is not recommended for security reasons. + Only use this option in an isolated non-production environment such as + NixOS VM tests. ''; }; @@ -209,8 +223,8 @@ in }; preStart = '' - ${optionalString (cfg.cookie != "") '' - install -m 600 <(echo -n ${cfg.cookie}) ${cfg.dataDir}/.erlang.cookie + ${optionalString (cfg.unsafeCookie != "") '' + install -m 600 <(echo -n ${cfg.unsafeCookie}) ${cfg.dataDir}/.erlang.cookie ''} ''; }; |
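Review bot: The removal message in the first hunk tells users to "deploy a cookie securely instead" but does not say where the service expects the cookie, or what to do about the value that was already exposed. The `preStart` lines in the last hunk show the target is the `.erlang.cookie` file under `dataDir`, installed with mode 600, so the message could name that file. Because the old option wrote the cookie to the store, earlier system generations presumably still contain it, so I would add a sentence such as `Treat any cookie previously set through this option as disclosed and replace it.` The same file hint would also help in the `unsafeCookie` description in the second hunk.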
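Review bot: The renamed interpolation in `preStart` (third hunk) still splices `cfg.unsafeCookie` into the shell script unquoted, so a cookie containing spaces or shell metacharacters is word-split or interpreted by the shell instead of being written verbatim. A value beginning with `-` can also be taken as an `echo` option. Since the option type is plain `types.str`, I would quote the value and avoid `echo`: `install -m 600 <(printf '%s' ${lib.escapeShellArg cfg.unsafeCookie}) ${cfg.dataDir}/.erlang.cookie`. The surrounding service definition starts and ends outside the hunk, so the shell this script runs under is not visible here.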