author | Guillaume Girol <symphorien+git@xlumurb.eu> | 2022-01-02 12:00:00 +0000 |
---|---|---|
committer | Guillaume Girol <symphorien+git@xlumurb.eu> | 2022-01-31 21:31:28 +0100 |
commit | 1df9e95ed751f9a37e7d5d9db1efc4eff242e043 (patch) | |
tree | 47bc0791eb39ecaa5370f65ec8e116a78615c9f4 | |
parent | d5ddafd0fa4aa37fa5f340d690bb05d2efe68524 (diff) | |
nixos/miniflux: no cleartext password in the store
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 7 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2205.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/miniflux.nix | 46 | ||||
-rw-r--r-- | nixos/tests/miniflux.nix | 24 |
4 files changed, 46 insertions, 33 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index 2d2eec1763c..33c3059fa1f 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -327,6 +327,13 @@
 </listitem>
 <listitem>
 <para>
+ <literal>services.miniflux.adminCredentialFiles</literal> is
+ now required, instead of defaulting to
+ <literal>admin</literal> and <literal>password</literal>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
 The <literal>autorestic</literal> package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 448f302afe6..a3438727d6f 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -109,6 +109,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - opensmtpd-extras is no longer build with python2 scripting support due to python2 deprecation in nixpkgs
+- `services.miniflux.adminCredentialFiles` is now required, instead of defaulting to `admin` and `password`.
+
 - The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details.
 - For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline`
diff --git a/nixos/modules/services/web-apps/miniflux.nix b/nixos/modules/services/web-apps/miniflux.nix
index 14cbfb39540..641c9be85d8 100644
--- a/nixos/modules/services/web-apps/miniflux.nix
+++ b/nixos/modules/services/web-apps/miniflux.nix
@@ -7,26 +7,12 @@ let
 defaultAddress = "localhost:8080";
 dbUser = "miniflux";
- dbPassword = "miniflux";
- dbHost = "localhost";
 dbName = "miniflux";
- defaultCredentials = pkgs.writeText "miniflux-admin-credentials" ''
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=password
- '';
-
 pgbin = "${config.services.postgresql.package}/bin";
 preStart = pkgs.writeScript "miniflux-pre-start" ''
 #!${pkgs.runtimeShell}
- db_exists() {
- [ "$(${pgbin}/psql -Atc "select 1 from pg_database where datname='$1'")" == "1" ]
- }
- if ! db_exists "${dbName}"; then
- ${pgbin}/psql postgres -c "CREATE ROLE ${dbUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${dbPassword}'"
- ${pgbin}/createdb --owner "${dbUser}" "${dbName}"
- ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
- fi
+ ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
 '';
 in
@@ -54,11 +40,10 @@ in
 };
 adminCredentialsFile = mkOption {
- type = types.nullOr types.path;
- default = null;
+ type = types.path;
 description = ''
- File containing the ADMIN_USERNAME, default is "admin", and
- ADMIN_PASSWORD (length >= 6), default is "password"; in the format of
+ File containing the ADMIN_USERNAME and
+ ADMIN_PASSWORD (length >= 6) in the format of
 an EnvironmentFile=, as described by systemd.exec(5).
 '';
 example = "/etc/nixos/miniflux-admin-credentials";
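Review bot: The new `type = types.path;` on `adminCredentialsFile` also accepts a Nix path literal, and a literal such as `./miniflux-admin-credentials` is copied into the world-readable Nix store at evaluation time, which would reintroduce the cleartext-in-store problem this commit removes; only a string holding an absolute path, as in the `example`, keeps the file out of the store. The description should say so explicitly, e.g. append `Pass an absolute path as a string; a path literal would copy the credentials into the world-readable Nix store.` to the option's description. Separately, the release-note hunks in this commit name the option `adminCredentialFiles`, while the option declared here is `adminCredentialsFile`, so the note points readers at a non-existent option.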
@@ -70,16 +55,24 @@ in
 services.miniflux.config = {
 LISTEN_ADDR = mkDefault defaultAddress;
- DATABASE_URL = "postgresql://${dbUser}:${dbPassword}@${dbHost}/${dbName}?sslmode=disable";
+ DATABASE_URL = "user=${dbUser} host=/run/postgresql dbname=${dbName}";
 RUN_MIGRATIONS = "1";
 CREATE_ADMIN = "1";
 };
- services.postgresql.enable = true;
+ services.postgresql = {
+ enable = true;
+ ensureUsers = [ {
+ name = dbUser;
+ ensurePermissions = {
+ "DATABASE ${dbName}" = "ALL PRIVILEGES";
+ };
+ } ];
+ ensureDatabases = [ dbName ];
+ };
 systemd.services.miniflux-dbsetup = {
 description = "Miniflux database setup";
- wantedBy = [ "multi-user.target" ];
 requires = [ "postgresql.service" ];
 after = [ "network.target" "postgresql.service" ];
 serviceConfig = {
@@ -92,17 +85,16 @@ in
 systemd.services.miniflux = {
 description = "Miniflux service";
 wantedBy = [ "multi-user.target" ];
- requires = [ "postgresql.service" ];
+ requires = [ "miniflux-dbsetup.service" ];
 after = [ "network.target" "postgresql.service" "miniflux-dbsetup.service" ];
 serviceConfig = {
 ExecStart = "${pkgs.miniflux}/bin/miniflux";
+ User = dbUser;
 DynamicUser = true;
 RuntimeDirectory = "miniflux";
 RuntimeDirectoryMode = "0700";
- EnvironmentFile = if cfg.adminCredentialsFile == null
- then defaultCredentials
- else cfg.adminCredentialsFile;
+ EnvironmentFile = cfg.adminCredentialsFile;
 # Hardening
 CapabilityBoundingSet = [ "" ];
 DeviceAllow = [ "" ];
@@ -119,7 +111,7 @@ in
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
 ProtectProc = "invisible";
- RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
diff --git a/nixos/tests/miniflux.nix b/nixos/tests/miniflux.nix
index 1015550fa8c..d905aea048a 100644
--- a/nixos/tests/miniflux.nix
+++ b/nixos/tests/miniflux.nix
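Review bot: `User = dbUser;` placed next to `DynamicUser = true;` in the miniflux service is load-bearing but undocumented: with the password gone from `DATABASE_URL`, what ties the service to its database over `/run/postgresql` is presumably peer authentication matching the unit's OS user name to the role created by `ensureUsers`, so the two names must stay equal, and a reader could otherwise take `User` as redundant alongside `DynamicUser`. A comment above `User = dbUser;` would make this explicit, e.g. `# Must match the PostgreSQL role from ensureUsers: the socket URL carries no password, so peer auth maps this OS user onto that role.` If peer auth is indeed the mechanism, the module now also depends on `services.postgresql.authentication` leaving it enabled on the local socket, which nothing in this hunk asserts.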
@@ -7,6 +7,15 @@ let
 defaultPort = 8080;
 defaultUsername = "admin";
 defaultPassword = "password";
+ adminCredentialsFile = pkgs.writeText "admin-credentials" ''
+ ADMIN_USERNAME=${defaultUsername}
+ ADMIN_PASSWORD=${defaultPassword}
+ '';
+ customAdminCredentialsFile = pkgs.writeText "admin-credentials" ''
+ ADMIN_USERNAME=${username}
+ ADMIN_PASSWORD=${password}
+ '';
+
 in
 with lib;
 {
@@ -17,13 +26,19 @@ with lib;
 default = { ... }: {
- services.miniflux.enable = true;
+ services.miniflux = {
+ enable = true;
+ inherit adminCredentialsFile;
+ };
 };
 withoutSudo = { ... }: {
- services.miniflux.enable = true;
+ services.miniflux = {
+ enable = true;
+ inherit adminCredentialsFile;
+ };
 security.sudo.enable = false;
 };
@@ -36,10 +51,7 @@ with lib;
 CLEANUP_FREQUENCY = "48";
 LISTEN_ADDR = "localhost:${toString port}";
 };
- adminCredentialsFile = pkgs.writeText "admin-credentials" ''
- ADMIN_USERNAME=${username}
- ADMIN_PASSWORD=${password}
- '';
+ adminCredentialsFile = customAdminCredentialsFile;
 };
 };
 };
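Review bot: Both `pkgs.writeText "admin-credentials"` bindings in the `let` block put the admin password into the Nix store, which is exactly what the module change in this commit stops doing for real deployments; that is fine for a throwaway VM test, but these bindings are the first thing someone adapting the test into a configuration will copy, so the hunk should say so. A comment above `adminCredentialsFile` such as `# Test-only: writeText places these credentials in the world-readable store; real configs must point at a file outside the store.` would do. The two derivations also share the name `admin-credentials`, which is harmless but makes their store paths harder to tell apart in test output.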