nixos/wordpress: generate secrets locally

Use /dev/urandom to generate keys and salts instead of downloading them from https://api.wordpress.org/secret-key/1.1/salt/
2019-09-22 13:29:03 +02:00 · 2019-09-22 13:29:03 +02:00 · 2adb03fdae
parent 6a42202beb
commit 2adb03fdae
2 changed files with 19 additions and 14 deletions
--- a/nixos/modules/services/web-apps/wordpress.nix
+++ b/nixos/modules/services/web-apps/wordpress.nix
@ -61,6 +61,19 @@ let
    ?>
  '';

+  secretsVars = [ "AUTH_KEY" "SECURE_AUTH_KEY" "LOOGGED_IN_KEY" "NONCE_KEY" "AUTH_SALT" "SECURE_AUTH_SALT" "LOGGED_IN_SALT" "NONCE_SALT" ];
+  secretsScript = hostStateDir: ''
+    if ! test -e "${hostStateDir}/secret-keys.php"; then
+      umask 0177
+      echo "<?php" >> "${hostStateDir}/secret-keys.php"
+      ${concatMapStringsSep "\n" (var: ''
+        echo "define('${var}', '`tr -dc a-zA-Z0-9 </dev/urandom | head -c 64`');" >> "${hostStateDir}/secret-keys.php"
+      '') secretsVars}
+      echo "?>" >> "${hostStateDir}/secret-keys.php"
+      chmod 440 "${hostStateDir}/secret-keys.php"
+    fi
+  '';
+
  siteOpts = { lib, name, ... }:
    {
      options = {
@ -340,14 +353,7 @@ in
          wantedBy = [ "multi-user.target" ];
          before = [ "phpfpm-wordpress-${hostName}.service" ];
          after = optional cfg.database.createLocally "mysql.service";
-          script = ''
-            if ! test -e "${stateDir hostName}/secret-keys.php"; then
-              echo "<?php" >> "${stateDir hostName}/secret-keys.php"
-              ${pkgs.curl}/bin/curl -s https://api.wordpress.org/secret-key/1.1/salt/ >> "${stateDir hostName}/secret-keys.php"
-              echo "?>" >> "${stateDir hostName}/secret-keys.php"
-              chmod 440 "${stateDir hostName}/secret-keys.php"
-            fi
-          '';
+          script = secretsScript (stateDir hostName);

          serviceConfig = {
            Type = "oneshot";
--- a/nixos/tests/wordpress.nix
+++ b/nixos/tests/wordpress.nix
@ -20,12 +20,6 @@ import ./make-test.nix ({ pkgs, ... }:
      };

      networking.hosts."127.0.0.1" = [ "site1.local" "site2.local" ];
-
-      # required for wordpress-init.service to succeed
-      systemd.tmpfiles.rules = [
-        "F /var/lib/wordpress/site1.local/secret-keys.php 0440 wordpress wwwrun - -"
-        "F /var/lib/wordpress/site2.local/secret-keys.php 0440 wordpress wwwrun - -"
-      ];
    };

  testScript = ''
@ -37,6 +31,11 @@ import ./make-test.nix ({ pkgs, ... }:

    $machine->succeed("curl -L site1.local | grep 'Welcome to the famous'");
    $machine->succeed("curl -L site2.local | grep 'Welcome to the famous'");
+
+    $machine->succeed("systemctl --no-pager show wordpress-init-site1.local.service | grep 'ExecStart=.*status=0'");
+    $machine->succeed("systemctl --no-pager show wordpress-init-site2.local.service | grep 'ExecStart=.*status=0'");
+    $machine->succeed("grep -E '^define.*NONCE_SALT.{64,};\$' /var/lib/wordpress/site1.local/secret-keys.php");
+    $machine->succeed("grep -E '^define.*NONCE_SALT.{64,};\$' /var/lib/wordpress/site2.local/secret-keys.php");
  '';

 })