authorBenno Fünfstück <benno.fuenfstueck@gmail.com>2017-04-22 00:07:04 +0200
committerGitHub <noreply@github.com>2017-04-22 00:07:04 +0200
commit855155083a653a97c4dd17099187d3c178a6083d (patch)
treed8bd7d54c76b14e8045b781b23099f290cec747c /nixos
parenta0e60af06750c541a1b28ddbd965ff1aa1699978 (diff)
parentecf03368f8b624b8573f97f70387d6d14f7e32fe (diff)
Merge pull request #24755 from LumiGuide/bepasty-secretKeyFile
bepasty: add secretKeyFile option
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/misc/bepasty.nix36
1 files changed, 32 insertions, 4 deletions
diff --git a/nixos/modules/services/misc/bepasty.nix b/nixos/modules/services/misc/bepasty.nix
index 52719222db6..4d78cddcb54 100644
--- a/nixos/modules/services/misc/bepasty.nix
+++ b/nixos/modules/services/misc/bepasty.nix
@@ -21,7 +21,7 @@ in
         configure a number of bepasty servers which will be started with
         gunicorn.
         '';
-      type = with types ; attrsOf (submodule ({
+      type = with types ; attrsOf (submodule ({ config, ... } : {
 
         options = {
 
@@ -34,7 +34,6 @@ in
             default = "127.0.0.1:8000";
           };
 
-
           dataDir = mkOption {
             type = types.str;
             description = ''
@@ -73,10 +72,28 @@ in
             type = types.str;
             description = ''
               server secret for safe session cookies, must be set.
+
+              Warning: this secret is stored in the WORLD-READABLE Nix store!
+
+              It's recommended to use <option>secretKeyFile</option>
+              which takes precedence over <option>secretKey</option>.
               '';
             default = "";
           };
 
+          secretKeyFile = mkOption {
+            type = types.nullOr types.str;
+            default = null;
+            description = ''
+              A file that contains the server secret for safe session cookies, must be set.
+
+              <option>secretKeyFile</option> takes precedence over <option>secretKey</option>.
+
+              Warning: when <option>secretKey</option> is non-empty <option>secretKeyFile</option>
+              defaults to a file in the WORLD-READABLE Nix store containing that secret.
+              '';
+          };
+
           workDir = mkOption {
             type = types.str;
             description = ''
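Review bot: Both option descriptions now end with "must be set", which contradicts the new default wiring: once `secretKeyFile` is derived from `secretKey`, only one of the two needs to be given, so a reader cannot tell which requirement is real. Suggest ending the `secretKey` text with `server secret for safe session cookies; either this or <option>secretKeyFile</option> must be set.` and opening the `secretKeyFile` text with `A file that contains the server secret for safe session cookies; defaults to a store file built from <option>secretKey</option> when that is non-empty, otherwise one of the two must be set.` The submodule definition these options belong to continues outside the hunk.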
@@ -87,11 +104,22 @@ in
           };
 
         };
+        config = {
+          secretKeyFile = mkDefault (
+            if config.secretKey != ""
+            then toString (pkgs.writeTextFile {
+              name = "bepasty-secret-key";
+              text = config.secretKey;
+            })
+            else null
+          );
+        };
       }));
     };
   };
 
   config = mkIf cfg.enable {
+
     environment.systemPackages = [ bepasty ];
 
     # creates gunicorn systemd service for each configured server
@@ -115,7 +143,7 @@ in
           serviceConfig = {
             Type = "simple";
             PrivateTmp = true;
-            ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
+            ExecStartPre = assert !isNull server.secretKeyFile; pkgs.writeScript "bepasty-server.${name}-init" ''
               #!/bin/sh
               mkdir -p "${server.workDir}"
               mkdir -p "${server.dataDir}"
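Review bot: The bare `assert !isNull server.secretKeyFile` on the `ExecStartPre` line aborts evaluation with only a generic assertion-failed message, giving the operator no hint that `secretKey` or `secretKeyFile` is missing for this particular server. The module-level `assertions` list is the conventional place for such a check and lets the message name the server, e.g. `{ assertion = server.secretKeyFile != null; message = "bepasty server ${name}: secretKey or secretKeyFile must be set"; }` (constructed wording). `isNull` is also deprecated in Nix; `server.secretKeyFile != null` is the idiomatic comparison. The service definition this line belongs to starts outside the hunk.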
@@ -123,7 +151,7 @@ in
               cat > ${server.workDir}/bepasty-${name}.conf <<EOF
               SITENAME="${name}"
               STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
-              SECRET_KEY="${server.secretKey}"
+              SECRET_KEY="$(cat "${server.secretKeyFile}")"
               DEFAULT_PERMISSIONS="${server.defaultPermissions}"
               ${server.extraConfig}
               EOF
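Review bot: If the file named by `${server.secretKeyFile}` is missing or unreadable at service start, the `cat` failure on the `SECRET_KEY=` line is swallowed by the command substitution and the heredoc silently writes `SECRET_KEY=""`, so the server comes up with an empty session secret — the very condition the removed `assert server.secretKey != ""` used to rule out. Read the file once before the heredoc and fail the unit when it is missing or empty: `secret="$(cat "${server.secretKeyFile}")" || exit 1`, `[ -n "$secret" ] || exit 1`, then `SECRET_KEY="$secret"` inside the heredoc. The value is still pasted into the generated config unescaped, so a secret containing `"` or `\` would presumably break that file — worth a sentence in the option description. Since the config file in `${server.workDir}` now carries the secret, a `umask 077` ahead of the `cat >` line would keep it from being created with the default, typically group/world-readable, mode. The init script this heredoc belongs to starts outside the hunk.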