author | Robert Hensing <roberth@users.noreply.github.com> | 2024-02-05 19:29:19 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-05 19:29:19 +0100 |
commit | 274ae6a45438b04787173308f99752fd628c6c4b (patch) | |
tree | e1e90a13c444a40e1c183115e553cedb3ac798a7 /nixos | |
parent | 322adeb76562ade3e983de3d43c6961ba9c44ef1 (diff) | |
parent | 676139408304ecaa85c7fba7e6e07346f46cc353 (diff) | |
Merge pull request #284117 from Stunkymonkey/amqp-write-secret
nixos/rabbitmq: prefer 'install' over 'mkdir/chmod/chown'
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/amqp/rabbitmq.nix | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/nixos/modules/services/amqp/rabbitmq.nix b/nixos/modules/services/amqp/rabbitmq.nix
index 7dce9d242916..f2dee07c91ab 100644
--- a/nixos/modules/services/amqp/rabbitmq.nix
+++ b/nixos/modules/services/amqp/rabbitmq.nix
@@ -14,6 +14,15 @@ let
 in
 
 {
+
+  imports = [
+    (mkRemovedOptionModule [ "services" "rabbitmq" "cookie" ] ''
+      This option wrote the Erlang cookie to the store, while it should be kept secret.
+      Please remove it from your NixOS configuration and deploy a cookie securely instead.
+      The renamed `unsafeCookie` must ONLY be used in isolated non-production environments such as NixOS VM tests.
+    '')
+  ];
+
   ###### interface
   options = {
     services.rabbitmq = {
@@ -62,13 +71,18 @@ in
         '';
       };
 
-      cookie = mkOption {
+      unsafeCookie = mkOption {
         default = "";
         type = types.str;
         description = lib.mdDoc ''
           Erlang cookie is a string of arbitrary length which must
           be the same for several nodes to be allowed to communicate.
           Leave empty to generate automatically.
+
+          Setting the cookie via this option exposes the cookie to the store, which
+          is not recommended for security reasons.
+          Only use this option in an isolated non-production environment such as
+          NixOS VM tests.
         '';
       };
 
@@ -209,9 +223,8 @@ in
       };
 
       preStart = ''
-        ${optionalString (cfg.cookie != "") ''
-          echo -n ${cfg.cookie} > ${cfg.dataDir}/.erlang.cookie
-          chmod 600 ${cfg.dataDir}/.erlang.cookie
+        ${optionalString (cfg.unsafeCookie != "") ''
+          install -m 600 <(echo -n ${cfg.unsafeCookie}) ${cfg.dataDir}/.erlang.cookie
         ''}
       '';
     };
|
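Review bot: The removal notice added in the first hunk tells users to "deploy a cookie securely instead" but does not say where the service expects the secret, so an operator following it has to read the module source; the third hunk shows the file is written to `${cfg.dataDir}/.erlang.cookie` with mode 600, and naming that path in the notice (and in the new `unsafeCookie` description in the second hunk) would make the advice actionable. A wording such as `Provision the cookie out of band as ${cfg.dataDir}/.erlang.cookie (mode 0600) using your secrets tooling instead.` would do. The `imports` list is inserted at the top of the module's attribute set, whose remaining body lies outside this hunk.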
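Review bot: The rewritten `install` line in the preStart hunk still interpolates `${cfg.unsafeCookie}` into the shell unquoted, so a cookie containing whitespace or shell metacharacters (the option is `types.str` and the description says "arbitrary length") would be word-split or interpreted rather than written verbatim; the removed `echo -n ${cfg.cookie}` line had the same weakness, but since the line is being rewritten this is the moment to quote it: `install -m 600 <(echo -n ${lib.escapeShellArg cfg.unsafeCookie}) ${cfg.dataDir}/.erlang.cookie`. Note that `<(...)` is a bash process substitution, so this depends on preStart running under bash rather than POSIX sh, which seems to be the case for NixOS unit scripts but deserves a short comment on the line. The enclosing `systemd.services` definition starts before this hunk.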