authorBas van Dijk <v.dijk.bas@gmail.com>2017-04-08 19:32:19 +0200
committerBas van Dijk <v.dijk.bas@gmail.com>2017-04-08 19:32:19 +0200
commitecf03368f8b624b8573f97f70387d6d14f7e32fe (patch)
tree85389e283de6b19bb95dd065dccead61c5135196 /nixos/modules/services/misc/bepasty.nix
parent184e3238c7b65f18187d14a0388bacdee3829487 (diff)
bepasty: add secretKeyFile option
This gives users the option to store secrets outside the
world-readable Nix store.
Diffstat (limited to 'nixos/modules/services/misc/bepasty.nix')
-rw-r--r--nixos/modules/services/misc/bepasty.nix36
1 files changed, 32 insertions, 4 deletions
diff --git a/nixos/modules/services/misc/bepasty.nix b/nixos/modules/services/misc/bepasty.nix
index 52719222db6..4d78cddcb54 100644
--- a/nixos/modules/services/misc/bepasty.nix
+++ b/nixos/modules/services/misc/bepasty.nix
@@ -21,7 +21,7 @@ in
         configure a number of bepasty servers which will be started with
         gunicorn.
         '';
-      type = with types ; attrsOf (submodule ({
+      type = with types ; attrsOf (submodule ({ config, ... } : {
 
         options = {
 
@@ -34,7 +34,6 @@ in
             default = "127.0.0.1:8000";
           };
 
-
           dataDir = mkOption {
             type = types.str;
             description = ''
@@ -73,10 +72,28 @@ in
             type = types.str;
             description = ''
               server secret for safe session cookies, must be set.
+
+              Warning: this secret is stored in the WORLD-READABLE Nix store!
+
+              It's recommended to use <option>secretKeyFile</option>
+              which takes precedence over <option>secretKey</option>.
               '';
             default = "";
           };
 
+          secretKeyFile = mkOption {
+            type = types.nullOr types.str;
+            default = null;
+            description = ''
+              A file that contains the server secret for safe session cookies, must be set.
+
+              <option>secretKeyFile</option> takes precedence over <option>secretKey</option>.
+
+              Warning: when <option>secretKey</option> is non-empty <option>secretKeyFile</option>
+              defaults to a file in the WORLD-READABLE Nix store containing that secret.
+              '';
+          };
+
           workDir = mkOption {
             type = types.str;
             description = ''
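Review bot: The `secretKey` description still says the value "must be set", which is no longer true once `secretKeyFile` exists and takes precedence; the two descriptions now contradict each other, and `secretKeyFile` also says "must be set" while defaulting to `null` and being derived from `secretKey`. Suggest rewording the first to `server secret for safe session cookies; must be set unless <option>secretKeyFile</option> is set.` and the second to `A file that contains the server secret for safe session cookies. Exactly one of <option>secretKey</option> and <option>secretKeyFile</option> must be set.` The enclosing `options` attribute set continues outside this hunk.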
@@ -87,11 +104,22 @@ in
           };
 
         };
+        config = {
+          secretKeyFile = mkDefault (
+            if config.secretKey != ""
+            then toString (pkgs.writeTextFile {
+              name = "bepasty-secret-key";
+              text = config.secretKey;
+            })
+            else null
+          );
+        };
       }));
     };
   };
 
   config = mkIf cfg.enable {
+
     environment.systemPackages = [ bepasty ];
 
     # creates gunicorn systemd service for each configured server
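Review bot: The `mkDefault` fallback silently writes `config.secretKey` into the Nix store via `pkgs.writeTextFile`, so a user who never reads the option description gets the world-readable copy the commit message is trying to avoid without any signal at evaluation time. Consider pairing the fallback with a `warnings` entry at the top-level `config` (visible later in this hunk) that fires when any server has a non-empty `secretKey` and no explicit `secretKeyFile`, e.g. `warnings = optional (any (s: s.secretKey != "") (attrValues cfg.servers)) "services.bepasty: secretKey is stored in the world-readable Nix store; prefer secretKeyFile.";` (attribute name of the server set is inferred, verify against the module). The `pkgs.writeTextFile` result is also already a path, so the `toString` is harmless but redundant.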
@@ -115,7 +143,7 @@ in
           serviceConfig = {
             Type = "simple";
             PrivateTmp = true;
-            ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
+            ExecStartPre = assert !isNull server.secretKeyFile; pkgs.writeScript "bepasty-server.${name}-init" ''
               #!/bin/sh
               mkdir -p "${server.workDir}"
               mkdir -p "${server.dataDir}"
@@ -123,7 +151,7 @@ in
               cat > ${server.workDir}/bepasty-${name}.conf <<EOF
               SITENAME="${name}"
               STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
-              SECRET_KEY="${server.secretKey}"
+              SECRET_KEY="$(cat "${server.secretKeyFile}")"
               DEFAULT_PERMISSIONS="${server.defaultPermissions}"
               ${server.extraConfig}
               EOF
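Review bot: The secret read from `secretKeyFile` is copied verbatim into `${server.workDir}/bepasty-${name}.conf` using the script's default umask, so unless `workDir` is itself restricted the rendered config can be world-readable on disk, which reintroduces the exposure `secretKeyFile` was added to avoid. Adding `umask 077` before the `cat >` line (or a `chmod 600` on the file afterwards) keeps the copy private. Two smaller behavioural differences from the previous inline `secretKey` are worth a comment: `$(cat ...)` strips trailing newlines from the file, and a secret containing a `"` would break the quoted value — presumably acceptable, but it should be stated in the option description.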