wordpress: replace the dbPassword option with dbPasswordFile (#24146)

We shouldn't force users to store passwords in the world-readable Nix store.
Bas van Dijk 2017-03-28 17:38:16 +02:00 committed by Joachim Schiele
parent 8c28474c02
commit 6f2eca1744


@ -9,7 +9,7 @@ let
<?php <?php
define('DB_NAME', '${config.dbName}'); define('DB_NAME', '${config.dbName}');
define('DB_USER', '${config.dbUser}'); define('DB_USER', '${config.dbUser}');
define('DB_PASSWORD', '${config.dbPassword}'); define('DB_PASSWORD', file_get_contents('${config.dbPasswordFile}'));
define('DB_HOST', '${config.dbHost}'); define('DB_HOST', '${config.dbHost}');
define('DB_CHARSET', 'utf8'); define('DB_CHARSET', 'utf8');
$table_prefix = '${config.tablePrefix}'; $table_prefix = '${config.tablePrefix}';
@ -137,9 +137,34 @@ in
}; };
dbPassword = mkOption { dbPassword = mkOption {
default = "wordpress"; default = "wordpress";
description = "The mysql password to the respective dbUser."; description = ''
The mysql password to the respective dbUser.
Warning: this password is stored in the world-readable Nix store. It's
recommended to use the $dbPasswordFile option since that gives you control over
the security of the password. $dbPasswordFile also takes precedence over $dbPassword.
'';
example = "wordpress"; example = "wordpress";
}; };
dbPasswordFile = mkOption {
type = types.str;
default = toString (pkgs.writeTextFile {
name = "wordpress-dbpassword";
text = config.dbPassword;
});
example = "/run/keys/wordpress-dbpassword";
description = ''
Path to a file that contains the mysql password to the respective dbUser.
The file should be readable by the user: config.services.httpd.user.
$dbPasswordFile takes precedence over the $dbPassword option.
This defaults to a file in the world-readable Nix store that contains the value
of the $dbPassword option. It's recommended to override this with a path not in
the Nix store. Tip: use nixops key management:
<link xlink:href='https://nixos.org/nixops/manual/#idm140737318306400'/>
'';
};
tablePrefix = mkOption { tablePrefix = mkOption {
default = "wp_"; default = "wp_";
description = '' description = ''
@ -251,7 +276,7 @@ in
sleep 1 sleep 1
done done
${pkgs.mysql}/bin/mysql -e 'CREATE DATABASE ${config.dbName};' ${pkgs.mysql}/bin/mysql -e 'CREATE DATABASE ${config.dbName};'
${pkgs.mysql}/bin/mysql -e 'GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY "${config.dbPassword}";' ${pkgs.mysql}/bin/mysql -e "GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY \"$(cat ${config.dbPasswordFile})\";"
else else
echo "Good, no need to do anything database related." echo "Good, no need to do anything database related."
fi fi
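Review bot: The two consumers of dbPasswordFile read it differently: the GRANT on the new side of the third hunk uses `$(cat ${config.dbPasswordFile})`, which strips every trailing newline, while wp-config.php's `file_get_contents('${config.dbPasswordFile}')` in the first hunk keeps them, so a key file that ends in a newline (the usual result of an editor or `echo`) grants one password and has PHP connect with another. Aligning the PHP side with the shell side fixes that: `define('DB_PASSWORD', rtrim(file_get_contents('${config.dbPasswordFile}'), "\n"));`. Passing the statement via `-e` also puts the password on the mysql command line, where the process table exposes it to every local user, which works against the stated aim of keeping it out of world-readable places; feeding the statement on stdin (e.g. a heredoc) avoids that. The interpolation into a double-quoted SQL string inside a double-quoted shell argument presumably still breaks for passwords containing `"`, `\` or `$`; worth a comment on that line if it is accepted as a limitation. The defaults lines of the hunks sit inside the larger module definition, which starts and ends outside this view.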