nixos/codimd: add option `environmentFile` for injecting secrets

Secrets are injected from the environment into the rendered
configuration before each startup using envsubst.
The test now makes use of this feature for the db password.
WilliButz 2020-09-23 11:47:38 +02:00
parent 5bfe6004e1
commit 403c215bdd
No known key found for this signature in database
GPG Key ID: 92582A10F1179CB2
2 changed files with 47 additions and 2 deletions


@ -877,6 +877,37 @@ in
description = "Configure the SAML integration.";
};
};
environmentFile = mkOption {
type = with types; nullOr path;
default = null;
example = "/var/lib/codimd/codimd.env";
description = ''
Environment file as defined in <citerefentry>
<refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
Secrets may be passed to the service without adding them to the world-readable
Nix store, by specifying placeholder variables as the option value in Nix and
setting these variables accordingly in the environment file.
<programlisting>
# snippet of CodiMD-related config
services.codimd.configuration.dbURL = "postgres://codimd:\''${DB_PASSWORD}@db-host:5432/codimddb";
services.codimd.configuration.minio.secretKey = "$MINIO_SECRET_KEY";
</programlisting>
<programlisting>
# content of the environment file
DB_PASSWORD=verysecretdbpassword
MINIO_SECRET_KEY=verysecretminiokey
</programlisting>
Note that this file needs to be available on the host on which
<literal>CodiMD</literal> is running.
'';
};
};
config = mkIf cfg.enable {
@ -900,11 +931,17 @@ in
description = "CodiMD Service";
wantedBy = [ "multi-user.target" ];
after = [ "networking.target" ];
preStart = ''
${pkgs.envsubst}/bin/envsubst \
-o ${cfg.workDir}/config.json \
-i ${prettyJSON cfg.configuration}
'';
serviceConfig = {
WorkingDirectory = cfg.workDir;
ExecStart = "${pkgs.codimd}/bin/codimd";
EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
Environment = [
"CMD_CONFIG_FILE=${prettyJSON cfg.configuration}"
"CMD_CONFIG_FILE=${cfg.workDir}/config.json"
"NODE_ENV=production"
];
Restart = "always";
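Review bot: The rendered `${cfg.workDir}/config.json` now contains the substituted secrets, yet nothing in the hunk restricts its mode — `envsubst -o` creates it under the service's default umask, so unless `cfg.workDir` is itself not world-traversable (set outside this hunk), the password kept out of the world-readable Nix store can end up in another readable file. In `preStart` add `umask 077` before the envsubst call and `chmod 600 ${cfg.workDir}/config.json` after it; the chmod also covers a config.json left behind by an earlier start with looser permissions. Separately, a placeholder that is absent from the environment file is silently replaced with an empty string rather than failing the start, so the service would come up with an empty password; envsubst's `-no-unset -no-empty` flags would surface that, although they would also reject any literal `$` in `cfg.configuration`, so this needs a doc note either way. Which user runs `preStart` depends on `User`/`PermissionsStartOnly` settings not visible here.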


@ -21,7 +21,15 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
services = {
codimd = {
enable = true;
configuration.dbURL = "postgres://codimd:snakeoilpassword@localhost:5432/codimddb";
configuration.dbURL = "postgres://codimd:\${DB_PASSWORD}@localhost:5432/codimddb";
/*
* Do not use pkgs.writeText for secrets as
* they will end up in the world-readable Nix store.
*/
environmentFile = pkgs.writeText "codimd-env" ''
DB_PASSWORD=snakeoilpassword
'';
};
postgresql = {
enable = true;
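Review bot: The test exercises the new `environmentFile` path only indirectly — if the test script (outside this hunk) merely waits for the unit, a substitution that yields an empty `DB_PASSWORD` would not necessarily be distinguishable from a working one. Consider asserting on the rendered file, e.g. `machine.succeed("grep -q snakeoilpassword <workDir>/config.json")`, using whatever `services.codimd.workDir` resolves to in this test, and optionally that the file is not world-readable. The comment about `pkgs.writeText` is right for production; it may be worth stating explicitly that it is acceptable here only because the VM test is throwaway.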