authorJörg Thalheim <joerg@thalheim.io>2020-02-13 15:56:29 +0000
committerJörg Thalheim <joerg@thalheim.io>2020-02-13 17:06:35 +0000
commit9cfe5a7a541052cffa78c94af5f04883125424c8 (patch)
tree3fc80693c0e910483b4043ba09b46d7aeff91419 /nixos/modules/services/databases/redis.nix
parent5c403726bc0b81a09491b1ef1b23785dbdfa62bb (diff)
nixos/redis: add requirePassFile option
Avoids having the password in the nix store.
Diffstat (limited to 'nixos/modules/services/databases/redis.nix')
-rw-r--r--nixos/modules/services/databases/redis.nix47
1 files changed, 33 insertions, 14 deletions
diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix
index 70895fa53e4..5c817422aae 100644
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@@ -150,10 +150,20 @@ in
       requirePass = mkOption {
         type = with types; nullOr str;
         default = null;
-        description = "Password for database (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)";
+        description = ''
+          Password for database (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE).
+          Use requirePassFile to store it outside of the nix store in a dedicated file.
+        '';
         example = "letmein!";
       };
 
+      requirePassFile = mkOption {
+        type = with types; nullOr path;
+        default = null;
+        description = "File with password for the database.";
+        example = "/run/keys/redis-password";
+      };
+
       appendOnly = mkOption {
         type = types.bool;
         default = false;
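Review bot: `types.path` on the new `requirePassFile` option also accepts a Nix path literal (e.g. `./redis-password`), and a path literal interpolated into a string — as `escapeShellArg cfg.requirePassFile` does in the preStart hunk below — is copied into the nix store, which silently defeats the stated purpose of the option. The description should say so and should also state that the file must be readable by the redis user, since the preStart script that reads it presumably runs with the service's `User = "redis"` (no PermissionsStartOnly is visible in this diff). Suggested description: `File containing the database password. Give it as a string (an absolute path outside the nix store, as in the example), not as a path literal, which would be copied into the world-readable store. The file must be readable by the redis user.` The same consideration applies to the `example` value, which is correctly a string.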
@@ -192,6 +202,10 @@ in
   ###### implementation
 
   config = mkIf config.services.redis.enable {
+    assertions = [{
+      assertion = cfg.requirePass != null -> cfg.requirePassFile == null;
+      message = "You can only set one services.redis.requirePass or services.redis.requirePassFile";
+    }];
     boot.kernel.sysctl = (mkMerge [
       { "vm.nr_hugepages" = "0"; }
       ( mkIf cfg.vmOverCommit { "vm.overcommit_memory" = "1"; } )
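Review bot: The assertion message reads awkwardly ("You can only set one services.redis.requirePass or ...") and is what users see when evaluation fails; consider `message = "Only one of services.redis.requirePass and services.redis.requirePassFile may be set";`. The `config = mkIf ...` attribute set that this assertion belongs to continues past the end of the hunk.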
@@ -208,21 +222,26 @@ in
 
     environment.systemPackages = [ cfg.package ];
 
-    systemd.services.redis =
-      { description = "Redis Server";
+    systemd.services.redis = {
+      description = "Redis Server";
 
-        wantedBy = [ "multi-user.target" ];
-        after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
 
-        serviceConfig = {
-          ExecStart = "${cfg.package}/bin/redis-server ${redisConfig}";
-          RuntimeDirectory = "redis";
-          StateDirectory = "redis";
-          Type = "notify";
-          User = "redis";
-        };
-      };
+      preStart = ''
+        install -m 600 ${redisConfig} /run/redis/redis.conf
+      '' + optionalString (cfg.requirePassFile != null) ''
+        password=$(cat ${escapeShellArg cfg.requirePassFile})
+        echo "requirePass $password" >> /run/redis/redis.conf
+      '';
 
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/redis-server /run/redis/redis.conf";
+        RuntimeDirectory = "redis";
+        StateDirectory = "redis";
+        Type = "notify";
+        User = "redis";
+      };
+    };
   };
-
 }
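Review bot: The password is appended to the generated config as an unquoted token on the `echo "requirePass $password"` line, so a password containing whitespace or double quotes will, as far as I know of redis's config parser, be split into several arguments or rejected, and the service will fail to start with a message that does not point at the secret file. Either document that the file must hold a single token without whitespace or quotes, or write the line quoted with the value escaped for redis's quoting rules, e.g. `echo "requirePass \"$(printf '%s' "$password" | sed 's/[\\"]/\\&/g')\"" >> /run/redis/redis.conf` (only if the deployed redis version accepts quoted config values — to be confirmed). Note also that `$(cat ...)` strips trailing newlines, which is desirable here and worth a one-line comment such as `# $(...) drops the trailing newline a secret file usually ends with`. The `/run/redis/redis.conf` path is written three times across preStart and ExecStart; a single `let` binding would keep them from drifting apart.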