nixos/gitea: make more secrets persistent (#108676)
Made JWT_SECRET and INTERNAL_TOKEN persistent, as SECRET_KEY and LFS_JWT_SECRET already are. Also renamed some variables belonging to SECRET_KEY and LFS_JWT_SECRET so that all secrets follow a consistent naming scheme.
This commit is contained in:
parent
f3042e3078
commit
10eed48d10
@ -349,7 +349,7 @@ in
|
|||||||
{
|
{
|
||||||
DOMAIN = cfg.domain;
|
DOMAIN = cfg.domain;
|
||||||
STATIC_ROOT_PATH = cfg.staticRootPath;
|
STATIC_ROOT_PATH = cfg.staticRootPath;
|
||||||
LFS_JWT_SECRET = "#jwtsecret#";
|
LFS_JWT_SECRET = "#lfsjwtsecret#";
|
||||||
ROOT_URL = cfg.rootUrl;
|
ROOT_URL = cfg.rootUrl;
|
||||||
}
|
}
|
||||||
(mkIf cfg.enableUnixSocket {
|
(mkIf cfg.enableUnixSocket {
|
||||||
@ -381,6 +381,7 @@ in
|
|||||||
|
|
||||||
security = {
|
security = {
|
||||||
SECRET_KEY = "#secretkey#";
|
SECRET_KEY = "#secretkey#";
|
||||||
|
INTERNAL_TOKEN = "#internaltoken#";
|
||||||
INSTALL_LOCK = true;
|
INSTALL_LOCK = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -396,6 +397,10 @@ in
|
|||||||
mailer = mkIf (cfg.mailerPasswordFile != null) {
|
mailer = mkIf (cfg.mailerPasswordFile != null) {
|
||||||
PASSWD = "#mailerpass#";
|
PASSWD = "#mailerpass#";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
oauth2 = {
|
||||||
|
JWT_SECRET = "#oauth2jwtsecret#";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) {
|
services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) {
|
||||||
@ -455,10 +460,20 @@ in
|
|||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
path = [ gitea pkgs.git ];
|
path = [ gitea pkgs.git ];
|
||||||
|
|
||||||
|
# In older versions the secret naming for JWT was kind of confusing.
|
||||||
|
# The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET
|
||||||
|
# wasn't persistant at all.
|
||||||
|
# To fix that, there is now the file oauth2_jwt_secret containing the
|
||||||
|
# values for JWT_SECRET and the file jwt_secret gets renamed to
|
||||||
|
# lfs_jwt_secret.
|
||||||
|
# We have to consider this to stay compatible with older installations.
|
||||||
preStart = let
|
preStart = let
|
||||||
runConfig = "${cfg.stateDir}/custom/conf/app.ini";
|
runConfig = "${cfg.stateDir}/custom/conf/app.ini";
|
||||||
secretKey = "${cfg.stateDir}/custom/conf/secret_key";
|
secretKey = "${cfg.stateDir}/custom/conf/secret_key";
|
||||||
jwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret";
|
oauth2JwtSecret = "${cfg.stateDir}/custom/conf/oauth2_jwt_secret";
|
||||||
|
oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET
|
||||||
|
lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET
|
||||||
|
internalToken = "${cfg.stateDir}/custom/conf/internal_token";
|
||||||
in ''
|
in ''
|
||||||
# copy custom configuration and generate a random secret key if needed
|
# copy custom configuration and generate a random secret key if needed
|
||||||
${optionalString (cfg.useWizard == false) ''
|
${optionalString (cfg.useWizard == false) ''
|
||||||
@ -468,24 +483,41 @@ in
|
|||||||
${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey}
|
${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -e ${jwtSecret} ]; then
|
# Migrate LFS_JWT_SECRET filename
|
||||||
${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${jwtSecret}
|
if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then
|
||||||
|
mv ${oldLfsJwtSecret} ${lfsJwtSecret}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
KEY="$(head -n1 ${secretKey})"
|
if [ ! -e ${oauth2JwtSecret} ]; then
|
||||||
|
${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret}
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -e ${lfsJwtSecret} ]; then
|
||||||
|
${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret}
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -e ${internalToken} ]; then
|
||||||
|
${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken}
|
||||||
|
fi
|
||||||
|
|
||||||
|
SECRETKEY="$(head -n1 ${secretKey})"
|
||||||
DBPASS="$(head -n1 ${cfg.database.passwordFile})"
|
DBPASS="$(head -n1 ${cfg.database.passwordFile})"
|
||||||
JWTSECRET="$(head -n1 ${jwtSecret})"
|
OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})"
|
||||||
|
LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})"
|
||||||
|
INTERNALTOKEN="$(head -n1 ${internalToken})"
|
||||||
${if (cfg.mailerPasswordFile == null) then ''
|
${if (cfg.mailerPasswordFile == null) then ''
|
||||||
MAILERPASSWORD="#mailerpass#"
|
MAILERPASSWORD="#mailerpass#"
|
||||||
'' else ''
|
'' else ''
|
||||||
MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)"
|
MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)"
|
||||||
''}
|
''}
|
||||||
sed -e "s,#secretkey#,$KEY,g" \
|
sed -e "s,#secretkey#,$SECRETKEY,g" \
|
||||||
-e "s,#dbpass#,$DBPASS,g" \
|
-e "s,#dbpass#,$DBPASS,g" \
|
||||||
-e "s,#jwtsecret#,$JWTSECRET,g" \
|
-e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \
|
||||||
|
-e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \
|
||||||
|
-e "s,#internaltoken#,$INTERNALTOKEN,g" \
|
||||||
-e "s,#mailerpass#,$MAILERPASSWORD,g" \
|
-e "s,#mailerpass#,$MAILERPASSWORD,g" \
|
||||||
-i ${runConfig}
|
-i ${runConfig}
|
||||||
chmod 640 ${runConfig} ${secretKey} ${jwtSecret}
|
chmod 640 ${runConfig} ${secretKey} ${oauth2JwtSecret} ${lfsJwtSecret} ${internalToken}
|
||||||
''}
|
''}
|
||||||
|
|
||||||
# update all hooks' binary paths
|
# update all hooks' binary paths
|
||||||
|
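Review bot: The new `[ ! -e ${oauth2JwtSecret} ]`, `[ ! -e ${lfsJwtSecret} ]` and `[ ! -e ${internalToken} ]` guards in the `-468,24 +483,41` hunk accept an existing but empty file as a valid secret: the `>` redirection creates the file before `gitea generate secret` runs, so a generation that fails leaves an empty file that every later start skips over, and `head -n1` then substitutes an empty string into app.ini. Testing for a non-empty file, e.g. `if [ ! -s ${oauth2JwtSecret} ]; then`, regenerates in that case; the `if` guarding the SECRET_KEY generation has the same shape but starts before the hunk. Separately, the three new secret files are created under the script's default umask and only reach `chmod 640` at the end of the block, so on first start they may be readable more widely than intended until then unless the enclosing directory is already restricted; a `umask 027` at the top of the `''` block, or creating each file with `install -m 640 /dev/null` before writing it, would close that window. The `mv` migration also leaves the old `jwt_secret` file in place when `lfs_jwt_secret` already exists, so a stale copy of the LFS secret stays on disk with whatever mode it had before.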