public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #98550 from WilliButz/codimd/environment-secrets

Browse Source 
nixos/codimd: add option `environmentFile` for injecting secrets
This commit is contained in:
Maximilian Bosch 2020-09-23 17:32:40 +02:00 committed by GitHub
commit 8bcc2bae60
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 47 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
nixos/modules/services/web-apps/codimd.nix
View File

@ -877,6 +877,37 @@ in
description = "Configure the SAML integration."; description = "Configure the SAML integration.";
}; };
}; };
environmentFile = mkOption {
type = with types; nullOr path;
default = null;
example = "/var/lib/codimd/codimd.env";
description = ''
Environment file as defined in <citerefentry>
<refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
Secrets may be passed to the service without adding them to the world-readable
Nix store, by specifying placeholder variables as the option value in Nix and
setting these variables accordingly in the environment file.
<programlisting>
# snippet of CodiMD-related config
services.codimd.configuration.dbURL = "postgres://codimd:\''${DB_PASSWORD}@db-host:5432/codimddb";
services.codimd.configuration.minio.secretKey = "$MINIO_SECRET_KEY";
</programlisting>
<programlisting>
# content of the environment file
DB_PASSWORD=verysecretdbpassword
MINIO_SECRET_KEY=verysecretminiokey
</programlisting>
Note that this file needs to be available on the host on which
<literal>CodiMD</literal> is running.
'';
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -900,11 +931,17 @@ in
description = "CodiMD Service"; description = "CodiMD Service";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "networking.target" ]; after = [ "networking.target" ];
preStart = ''
${pkgs.envsubst}/bin/envsubst \
-o ${cfg.workDir}/config.json \
-i ${prettyJSON cfg.configuration}
'';
serviceConfig = { serviceConfig = {
WorkingDirectory = cfg.workDir; WorkingDirectory = cfg.workDir;
ExecStart = "${pkgs.codimd}/bin/codimd"; ExecStart = "${pkgs.codimd}/bin/codimd";
EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
Environment = [ Environment = [
"CMD_CONFIG_FILE=${prettyJSON cfg.configuration}" "CMD_CONFIG_FILE=${cfg.workDir}/config.json"
"NODE_ENV=production" "NODE_ENV=production"
]; ];
Restart = "always"; Restart = "always";

10
nixos/tests/codimd.nix
View File

@ -21,7 +21,15 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
services = { services = {
codimd = { codimd = {
enable = true; enable = true;
configuration.dbURL = "postgres://codimd:snakeoilpassword@localhost:5432/codimddb"; configuration.dbURL = "postgres://codimd:\${DB_PASSWORD}@localhost:5432/codimddb";
/*
* Do not use pkgs.writeText for secrets as
* they will end up in the world-readable Nix store.
*/
environmentFile = pkgs.writeText "codimd-env" ''
DB_PASSWORD=snakeoilpassword
'';
}; };
postgresql = { postgresql = {
enable = true; enable = true;