author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2024-02-06 00:02:21 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-06 00:02:21 +0000 |
commit | 8e7913be95516be703f51bd81323d1a04d858935 (patch) | |
tree | 1ec91af05c67b3f3f2da929de6dba6882553fee3 /nixos | |
parent | 2579984b855b4ca3abf97f5b023d783195ef06e3 (diff) | |
parent | 7aeb86c1fab782a971d7ed2d15ff026fc2dadb42 (diff) | |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/amqp/rabbitmq.nix | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/nixos/modules/services/amqp/rabbitmq.nix b/nixos/modules/services/amqp/rabbitmq.nix index 7dce9d242916..f2dee07c91ab 100644 --- a/nixos/modules/services/amqp/rabbitmq.nix +++ b/nixos/modules/services/amqp/rabbitmq.nix @@ -14,6 +14,15 @@ let in { + + imports = [ + (mkRemovedOptionModule [ "services" "rabbitmq" "cookie" ] '' + This option wrote the Erlang cookie to the store, while it should be kept secret. + Please remove it from your NixOS configuration and deploy a cookie securely instead. + The renamed `unsafeCookie` must ONLY be used in isolated non-production environments such as NixOS VM tests. + '') + ]; + ###### interface options = { services.rabbitmq = { @@ -62,13 +71,18 @@ in ''; }; - cookie = mkOption { + unsafeCookie = mkOption { default = ""; type = types.str; description = lib.mdDoc '' Erlang cookie is a string of arbitrary length which must be the same for several nodes to be allowed to communicate. Leave empty to generate automatically. + + Setting the cookie via this option exposes the cookie to the store, which + is not recommended for security reasons. + Only use this option in an isolated non-production environment such as + NixOS VM tests. ''; }; @@ -209,9 +223,8 @@ in }; preStart = '' - ${optionalString (cfg.cookie != "") '' - echo -n ${cfg.cookie} > ${cfg.dataDir}/.erlang.cookie - chmod 600 ${cfg.dataDir}/.erlang.cookie + ${optionalString (cfg.unsafeCookie != "") '' + install -m 600 <(echo -n ${cfg.unsafeCookie}) ${cfg.dataDir}/.erlang.cookie ''} ''; }; |
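Review bot: The removal message in the `imports` hunk tells users to "deploy a cookie securely instead" but never says where the service expects the file. The preStart code in this same commit writes `${cfg.dataDir}/.erlang.cookie` with mode 600, so the message could add a line such as `Place the cookie at <dataDir>/.erlang.cookie with mode 600.` Without that pointer, users migrating off `cookie` may simply switch to `unsafeCookie`, which keeps the secret in the store.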
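Review bot: In the preStart hunk, `${cfg.unsafeCookie}` is still spliced into the shell script unquoted, so a cookie containing whitespace or shell metacharacters is word-split or interpreted by the shell instead of being written verbatim. `echo -n` can also misread a value that begins with `-`. Escaping the value and using `printf` avoids both: `install -m 600 <(printf %s ${lib.escapeShellArg cfg.unsafeCookie}) ${cfg.dataDir}/.erlang.cookie`. The process substitution depends on the script running under bash, which is presumably true for this unit but is not visible in the hunk. The enclosing service definition starts and ends outside the hunk.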