diff options
| author | Maximilian Bosch <maximilian@mbosch.me> | 2021-03-17 15:40:50 +0100 |
|---|---|---|
| committer | Maximilian Bosch <maximilian@mbosch.me> | 2021-03-31 13:27:30 +0200 |
| commit | 4a4f7dfb77144e9ab594ed9a1a26044031c4d7a9 (patch) | |
| tree | e5f9459a537a581d2bb5dfa936a33c894b0750dd /nixos/modules/services/security/privacyidea.nix | |
| parent | f6092fe869272327a95d539d78ea8ebe15c34610 (diff) | |
| download | nixpkgs-4a4f7dfb77144e9ab594ed9a1a26044031c4d7a9.tar nixpkgs-4a4f7dfb77144e9ab594ed9a1a26044031c4d7a9.tar.gz nixpkgs-4a4f7dfb77144e9ab594ed9a1a26044031c4d7a9.tar.bz2 nixpkgs-4a4f7dfb77144e9ab594ed9a1a26044031c4d7a9.tar.lz nixpkgs-4a4f7dfb77144e9ab594ed9a1a26044031c4d7a9.tar.xz nixpkgs-4a4f7dfb77144e9ab594ed9a1a26044031c4d7a9.tar.zst nixpkgs-4a4f7dfb77144e9ab594ed9a1a26044031c4d7a9.zip | |
nixos/privacyidea: use envsubst to avoid leaking secrets to the store
Diffstat (limited to 'nixos/modules/services/security/privacyidea.nix')
| -rw-r--r-- | nixos/modules/services/security/privacyidea.nix | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/nixos/modules/services/security/privacyidea.nix b/nixos/modules/services/security/privacyidea.nix index c2988858e56..f7b40089a93 100644 --- a/nixos/modules/services/security/privacyidea.nix +++ b/nixos/modules/services/security/privacyidea.nix @@ -57,6 +57,26 @@ in services.privacyidea = { enable = mkEnableOption "PrivacyIDEA"; + environmentFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/root/privacyidea.env"; + description = '' + File to load as environment file. Environment variables + from this file will be interpolated into the config file + using <package>envsubst</package> which is helpful for specifying + secrets: + <programlisting> + { <xref linkend="opt-services.privacyidea.secretKey" /> = "$SECRET"; } + </programlisting> + + The environment-file can now specify the actual secret key: + <programlisting> + SECRET=veryverytopsecret + </programlisting> + ''; + }; + stateDir = mkOption { type = types.str; default = "/var/lib/privacyidea"; @@ -206,7 +226,7 @@ in wantedBy = [ "multi-user.target" ]; after = [ "postgresql.service" ]; path = with pkgs; [ openssl ]; - environment.PRIVACYIDEA_CONFIGFILE = piCfgFile; + environment.PRIVACYIDEA_CONFIGFILE = "${cfg.stateDir}/privacyidea.cfg"; preStart = let pi-manage = "${pkgs.sudo}/bin/sudo -u privacyidea -HE ${penv}/bin/pi-manage"; pgsu = config.services.postgresql.superUser; @@ -214,6 +234,10 @@ in in '' mkdir -p ${cfg.stateDir} /run/privacyidea chown ${cfg.user}:${cfg.group} -R ${cfg.stateDir} /run/privacyidea + umask 077 + ${lib.getBin pkgs.envsubst}/bin/envsubst -o ${cfg.stateDir}/privacyidea.cfg \ + -i "${piCfgFile}" + chown ${cfg.user}:${cfg.group} ${cfg.stateDir}/privacyidea.cfg if ! test -e "${cfg.stateDir}/db-created"; then ${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createuser --no-superuser --no-createdb --no-createrole ${cfg.user} ${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createdb --owner ${cfg.user} privacyidea @@ -231,6 +255,7 @@ in Type = "notify"; ExecStart = "${uwsgi}/bin/uwsgi --json ${piuwsgi}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID"; NotifyAccess = "main"; KillSignal = "SIGQUIT"; |