nixos/codimd: add option `environmentFile` for injecting secrets
Secrets are injected from the environment into the rendered configuration before each startup using envsubst. The test now makes use of this feature for the db password.
parent
5bfe6004e1
commit
403c215bdd
|
@ -877,6 +877,37 @@ in
|
|||
description = "Configure the SAML integration.";
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
environmentFile = mkOption {
|
||||
type = with types; nullOr path;
|
||||
default = null;
|
||||
example = "/var/lib/codimd/codimd.env";
|
||||
description = ''
|
||||
Environment file as defined in <citerefentry>
|
||||
<refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum>
|
||||
</citerefentry>.
|
||||
|
||||
Secrets may be passed to the service without adding them to the world-readable
|
||||
Nix store, by specifying placeholder variables as the option value in Nix and
|
||||
setting these variables accordingly in the environment file.
|
||||
|
||||
<programlisting>
|
||||
# snippet of CodiMD-related config
|
||||
services.codimd.configuration.dbURL = "postgres://codimd:\''${DB_PASSWORD}@db-host:5432/codimddb";
|
||||
services.codimd.configuration.minio.secretKey = "$MINIO_SECRET_KEY";
|
||||
</programlisting>
|
||||
|
||||
<programlisting>
|
||||
# content of the environment file
|
||||
DB_PASSWORD=verysecretdbpassword
|
||||
MINIO_SECRET_KEY=verysecretminiokey
|
||||
</programlisting>
|
||||
|
||||
Note that this file needs to be available on the host on which
|
||||
<literal>CodiMD</literal> is running.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
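Review bot: The description of `environmentFile` does not say that the entire rendered `services.codimd.configuration` is passed through envsubst, so any `$NAME` or `${NAME}` in any option value is expanded, not only the ones the user intends as placeholders; a literal `$` in a password or pattern elsewhere in the configuration would be rewritten silently. It also only says the file "needs to be available on the host", while the test's own comment states the stronger requirement. I would add after the second programlisting: `Every option value in <option>services.codimd.configuration</option> is subject to this substitution, so literal <literal>$</literal> characters must be avoided. The file itself must be created outside the Nix store (never with <literal>pkgs.writeText</literal>), since store paths are world-readable.` The surrounding options block starts before this hunk.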
@ -900,11 +931,17 @@ in
|
|||
description = "CodiMD Service";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "networking.target" ];
|
||||
preStart = ''
|
||||
${pkgs.envsubst}/bin/envsubst \
|
||||
-o ${cfg.workDir}/config.json \
|
||||
-i ${prettyJSON cfg.configuration}
|
||||
'';
|
||||
serviceConfig = {
|
||||
WorkingDirectory = cfg.workDir;
|
||||
ExecStart = "${pkgs.codimd}/bin/codimd";
|
||||
EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
|
||||
Environment = [
|
||||
"CMD_CONFIG_FILE=${prettyJSON cfg.configuration}"
|
||||
"CMD_CONFIG_FILE=${cfg.workDir}/config.json"
|
||||
"NODE_ENV=production"
|
||||
];
|
||||
Restart = "always";
|
||||
|
|
|
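Review bot: The rendered `${cfg.workDir}/config.json` now contains the substituted secrets, yet the `preStart` script writes it with the default umask, so it is likely readable by other local users whenever `cfg.workDir` is traversable (the service user and the workDir permissions are set outside this hunk, so this is inferred). Starting the script with `umask 077` before the envsubst call, or appending `chmod 600 ${cfg.workDir}/config.json`, keeps the on-disk copy no more readable than the environment file that fed it. A variable that is missing from the environment file will presumably be expanded to an empty string rather than failing the start; if `pkgs.envsubst` is the Go implementation its `-i`/`-o` flags suggest, passing `-no-unset -no-empty` would turn a typo in the env file into a visible unit failure instead of an empty password in the config. The `systemd.services.codimd` attribute set continues past the end of this hunk.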
@ -21,7 +21,15 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
|
|||
services = {
|
||||
codimd = {
|
||||
enable = true;
|
||||
configuration.dbURL = "postgres://codimd:snakeoilpassword@localhost:5432/codimddb";
|
||||
configuration.dbURL = "postgres://codimd:\${DB_PASSWORD}@localhost:5432/codimddb";
|
||||
|
||||
/*
|
||||
* Do not use pkgs.writeText for secrets as
|
||||
* they will end up in the world-readable Nix store.
|
||||
*/
|
||||
environmentFile = pkgs.writeText "codimd-env" ''
|
||||
DB_PASSWORD=snakeoilpassword
|
||||
'';
|
||||
};
|
||||
postgresql = {
|
||||
enable = true;
|
||||
|
|
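Review bot: The comment above `environmentFile` says not to use `pkgs.writeText` for secrets, but the very next line does exactly that, which reads as a contradiction to anyone copying the test as an example. Reword it to make the exception explicit, e.g. `/* pkgs.writeText is acceptable here only because the password is a throwaway test value; real deployments must keep the environment file out of the world-readable Nix store. */`. The test would also be stronger if it asserted that the rendered config.json in the work directory no longer contains the literal `${DB_PASSWORD}` placeholder, rather than relying on the database connection failing indirectly.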