-rw-r--r-- | nixos/doc/manual/release-notes/rl-2405.section.md | 7 | ||||
-rw-r--r-- | nixos/modules/services/networking/aria2.nix | 15 |
2 files changed, 17 insertions, 5 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index c034abf28174..e2c8b3abab41 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md @@ -85,6 +85,13 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `nitter` requires a `guest_accounts.jsonl` to be provided as a path or loaded into the default location at `/var/lib/nitter/guest_accounts.jsonl`. See [Guest Account Branch Deployment](https://github.com/zedeus/nitter/wiki/Guest-Account-Branch-Deployment) for details. +- `services.aria2.rpcSecret` has been replaced with `services.aria2.rpcSecretFile`. + This was done so that secrets aren't stored in the world-readable nix store. + To migrate, you will have create a file with the same exact string, and change + your module options to point to that file. For example, `services.aria2.rpcSecret = + "mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"` + where the file `secret_file` contains the string `mysecret`. + - Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857) - `inetutils` now has a lower priority to avoid shadowing the commonly used `util-linux`. If one wishes to restore the default priority, simply use `lib.setPrio 5 inetutils` or override with `meta.priority = 5`. diff --git a/nixos/modules/services/networking/aria2.nix b/nixos/modules/services/networking/aria2.nix index e848869cc0ac..1fb55b836798 100644 --- a/nixos/modules/services/networking/aria2.nix +++ b/nixos/modules/services/networking/aria2.nix 
@@ -18,11 +18,14 @@ let dir=${cfg.downloadDir} listen-port=${concatStringsSep "," (rangesToStringList cfg.listenPortRange)} rpc-listen-port=${toString cfg.rpcListenPort} - rpc-secret=${cfg.rpcSecret} ''; in { + imports = [ + (mkRemovedOptionModule [ "services" "aria2" "rpcSecret" ] "Use services.aria2.rpcSecretFile instead") + ]; + options = { services.aria2 = { enable = mkOption { @@ -65,11 +68,11 @@ in default = 6800; description = lib.mdDoc "Specify a port number for JSON-RPC/XML-RPC server to listen to. Possible Values: 1024-65535"; }; - rpcSecret = mkOption { - type = types.str; - default = "aria2rpc"; + rpcSecretFile = mkOption { + type = types.path; + example = "/run/secrets/aria2-rpc-token.txt"; description = lib.mdDoc '' - Set RPC secret authorization token. + A file containing the RPC secret authorization token. Read https://aria2.github.io/manual/en/html/aria2c.html#rpc-auth to know how this option value is used. ''; }; @@ -117,6 +120,7 @@ in touch "${sessionFile}" fi cp -f "${settingsFile}" "${settingsDir}/aria2.conf" + echo "rpc-secret=$(cat "$CREDENTIALS_DIRECTORY/rpcSecretFile")" >> "${settingsDir}/aria2.conf" ''; serviceConfig = { @@ -125,6 +129,7 @@ in ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; User = "aria2"; Group = "aria2"; + LoadCredential="rpcSecretFile:${cfg.rpcSecretFile}"; }; }; }; |
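Review bot: In the `rpcSecretFile` option, `types.path` also accepts a Nix path literal, and such a value is copied into the store when it is interpolated into `LoadCredential` in the last hunk, which would put the token back in the world-readable store. The description should say so, for example `The path must be given as a string that points outside the Nix store; a path literal such as ./token would be copied into the store.` The enclosing `options` block starts and ends outside the hunk.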
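Review bot: The added `echo "rpc-secret=..." >> "${settingsDir}/aria2.conf"` line appends the token to a file that `cp -f` has just created from a store path. cp gives a new file the source's mode bits, so the copy is probably read-only, in which case the append would fail, and it would stay readable by other users once writable. Creating the file with an explicit mode would cover both: `install -m 0600 "${settingsFile}" "${settingsDir}/aria2.conf"` in place of the `cp -f` line. Whether `settingsDir` itself is restricted is not visible here, and the script starts outside the hunk.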