From 0c9512d263145800206db5aa49a53bd42a9b8a27 Mon Sep 17 00:00:00 2001
From: Rodney Lorrimar
Date: Sat, 22 Apr 2017 16:53:35 +0100
Subject: [PATCH 1/6] gogs service: fix encoding of secret key
I was getting a secret key like this: [security] SECRET_KEY = 7X Use coreutils base64 instead to get the full 256 bits of randomness.
---
 nixos/modules/services/misc/gogs.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/misc/gogs.nix b/nixos/modules/services/misc/gogs.nix
index ca8fc06e483..ec3aff0678d 100644
--- a/nixos/modules/services/misc/gogs.nix
+++ b/nixos/modules/services/misc/gogs.nix
@@ -169,7 +169,7 @@ in
 ${optionalString (cfg.useWizard == false) ''
 mkdir -p ${cfg.stateDir}/custom/conf
 cp -f ${configFile} ${cfg.stateDir}/custom/conf/app.ini
- KEY=$(head -c 16 /dev/urandom | tr -dc A-Za-z0-9)
+ KEY=$(head -c 16 /dev/urandom | base64)
 sed -i "s,#secretkey#,$KEY,g" ${cfg.stateDir}/custom/conf/app.ini
 ''}
From 79d52bc26cda44ea0e7d947cdc032b7eed9ee959 Mon Sep 17 00:00:00 2001
From: Rodney Lorrimar
Date: Sat, 22 Apr 2017 17:03:07 +0100
Subject: [PATCH 2/6] gogs service: don't copy database password to nix store
Relevant to #24288
---
 nixos/modules/services/misc/gogs.nix | 34 +++++++++++++++++++++++++---
 1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/misc/gogs.nix b/nixos/modules/services/misc/gogs.nix
index ec3aff0678d..f0aff430305 100644
--- a/nixos/modules/services/misc/gogs.nix
+++ b/nixos/modules/services/misc/gogs.nix
@@ -14,7 +14,7 @@ let
 HOST = ${cfg.database.host}:${toString cfg.database.port}
 NAME = ${cfg.database.name}
 USER = ${cfg.database.user}
- PASSWD = ${cfg.database.password}
+ PASSWD = #dbpass#
 PATH = ${cfg.database.path}
 [repository]
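Review bot: The new `KEY=$(head -c 16 /dev/urandom | base64)` line yields 128 bits of entropy, not the 256 the commit message claims; if 256 bits is the intent, read 32 bytes, `KEY=$(head -c 32 /dev/urandom | base64)`. The base64 alphabet (`A-Za-z0-9+/=`) contains neither the `,` delimiter nor `&` or `\`, so the unquoted expansion into the `sed -i "s,#secretkey#,$KEY,g"` expression on the following line stays safe, and 16 or 32 bytes encode to a single line so no `-w0` is needed. The enclosing preStart block starts and ends outside the hunk.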
@@ -102,7 +102,21 @@ in
 password = mkOption {
 type = types.str;
 default = "";
- description = "Database password.";
+ description = ''
+ The password corresponding to .
+ Warning: this is stored in cleartext in the Nix store!
+ Use instead.
+ '';
+ };
+
+ passwordFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ example = "/run/keys/gogs-dbpassword";
+ description = ''
+ A file containing the password corresponding to
+ .
+ '';
 };
 path = mkOption {
@@ -170,7 +184,10 @@ in
 mkdir -p ${cfg.stateDir}/custom/conf
 cp -f ${configFile} ${cfg.stateDir}/custom/conf/app.ini
 KEY=$(head -c 16 /dev/urandom | base64)
- sed -i "s,#secretkey#,$KEY,g" ${cfg.stateDir}/custom/conf/app.ini
+ DBPASS=$(head -n1 ${cfg.database.passwordFile})
+ sed -e "s,#secretkey#,$KEY,g" \
+ -e "s,#dbpass#,$DBPASS,g" \
+ -i ${cfg.stateDir}/custom/conf/app.ini
 ''}
 mkdir -p ${cfg.repositoryRoot}
@@ -212,5 +229,16 @@ in
 };
 extraGroups.gogs.gid = config.ids.gids.gogs;
 };
+
+ warnings = optional (cfg.database.password != "") ''config.services.gogs.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead.'';
+
+ # Create database passwordFile default when password is configured.
+ services.gogs.database.passwordFile = mkIf (cfg.database.password != "") (mkDefault (toString (pkgs.writeTextFile { name = "gogs-database-password"; text = cfg.database.password; })));
 };
 }
From cfa1faa37c808f0a63093b1af8e03b6624b68872 Mon Sep 17 00:00:00 2001
From: Rodney Lorrimar
Date: Sat, 22 Apr 2017 17:51:04 +0100
Subject: [PATCH 3/6] gogs service: chmod 440 config file
Directory which contains the config file /var/lib/gogs already has mode 700 but users are liable to change these things.
---
 nixos/modules/services/misc/gogs.nix | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/misc/gogs.nix b/nixos/modules/services/misc/gogs.nix
index f0aff430305..76e6254856b 100644
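Review bot: The `passwordFile` description leaves out how the file is consumed: the same commit reads it with `head -n1` in preStart, so only the first line is used and a trailing newline is harmless, and it is read on the target host at service start rather than at build time, which is the whole point of the option over `password`. Propose adding `Only the first line of the file is used; it is read when the service starts, so the file need not exist at build time.` to the description.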
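Review bot: `DBPASS=$(head -n1 ${cfg.database.passwordFile})` interpolates the option unconditionally, but its default is `null` and the fallback default added in the last hunk is only defined when `database.password` is non-empty, so a configuration with `useWizard = false` and no database password (a local sqlite3 setup, if the module supports one) would presumably fail to evaluate with a null-to-string coercion error; guard it, e.g. `${optionalString (cfg.database.passwordFile != null) "DBPASS=$(head -n1 ${cfg.database.passwordFile})"}` with the same guard around the `-e "s,#dbpass#,$DBPASS,g"` expression. Separately, `$DBPASS` is spliced verbatim into a sed expression, so a password containing `,`, `&`, `\` or a newline would corrupt the substitution or the resulting app.ini; either document that restriction on the option or escape those characters before substituting. The enclosing preStart block starts and ends outside the hunk.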
--- a/nixos/modules/services/misc/gogs.nix
+++ b/nixos/modules/services/misc/gogs.nix
@@ -178,16 +178,19 @@ in
 wantedBy = [ "multi-user.target" ];
 path = [ pkgs.gogs.bin ];
- preStart = ''
+ preStart = let
+ runConfig = "${cfg.stateDir}/custom/conf/app.ini";
+ in ''
 # copy custom configuration and generate a random secret key if needed
 ${optionalString (cfg.useWizard == false) ''
 mkdir -p ${cfg.stateDir}/custom/conf
- cp -f ${configFile} ${cfg.stateDir}/custom/conf/app.ini
+ cp -f ${configFile} ${runConfig}
 KEY=$(head -c 16 /dev/urandom | base64)
 DBPASS=$(head -n1 ${cfg.database.passwordFile})
 sed -e "s,#secretkey#,$KEY,g" \
 -e "s,#dbpass#,$DBPASS,g" \
- -i ${cfg.stateDir}/custom/conf/app.ini
+ -i ${runConfig}
+ chmod 440 ${runConfig}
 ''}
 mkdir -p ${cfg.repositoryRoot}
From 0e90a05a526be87ecf8c3d8d3849bd42d1cd4539 Mon Sep 17 00:00:00 2001
From: Rodney Lorrimar
Date: Sun, 23 Apr 2017 15:02:08 +0100
Subject: [PATCH 4/6] gogs service: generate the secret key only once, then reuse
---
 nixos/modules/services/misc/gogs.nix | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/misc/gogs.nix b/nixos/modules/services/misc/gogs.nix
index 76e6254856b..e966a50b9ec 100644
--- a/nixos/modules/services/misc/gogs.nix
+++ b/nixos/modules/services/misc/gogs.nix
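Review bot: `chmod 440 ${runConfig}` tightens the mode only after `cp -f` and the `sed -i` pass have already written the secret key and database password into the file with the process umask, so there is a window in which app.ini can be readable by other users of a directory whose mode, as the message itself notes, users are liable to change. Copy it with the final mode up front instead, `install -m 440 ${configFile} ${runConfig}`, and drop the trailing chmod; GNU `sed -i` preserves the mode of the file it rewrites. It is also worth confirming who owns the file after preStart, since the account the service runs as must still be able to read a 440 file; any ownership handling is outside this hunk. preStart begins in the hunk and its body continues past it.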
@@ -180,17 +180,23 @@ in
 preStart = let
 runConfig = "${cfg.stateDir}/custom/conf/app.ini";
+ secretKey = "${cfg.stateDir}/custom/conf/secret_key";
 in ''
 # copy custom configuration and generate a random secret key if needed
 ${optionalString (cfg.useWizard == false) ''
 mkdir -p ${cfg.stateDir}/custom/conf
 cp -f ${configFile} ${runConfig}
- KEY=$(head -c 16 /dev/urandom | base64)
+
+ if [ ! -e ${secretKey} ]; then
+ head -c 16 /dev/urandom | base64 > ${secretKey}
+ fi
+
+ KEY=$(head -n1 ${secretKey})
 DBPASS=$(head -n1 ${cfg.database.passwordFile})
 sed -e "s,#secretkey#,$KEY,g" \
 -e "s,#dbpass#,$DBPASS,g" \
 -i ${runConfig}
- chmod 440 ${runConfig}
+ chmod 440 ${runConfig} ${secretKey}
 ''}
 mkdir -p ${cfg.repositoryRoot}
From ced172010ac7ddee063a55c67da4cd6b443d02cb Mon Sep 17 00:00:00 2001
From: Rodney Lorrimar
Date: Sun, 23 Apr 2017 16:26:56 +0100
Subject: [PATCH 5/6] gogs service: add option for enabling "secure" cookies
---
 nixos/modules/services/misc/gogs.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/nixos/modules/services/misc/gogs.nix b/nixos/modules/services/misc/gogs.nix
index e966a50b9ec..d42367761ab 100644
--- a/nixos/modules/services/misc/gogs.nix
+++ b/nixos/modules/services/misc/gogs.nix
@@ -26,6 +26,10 @@ let
 HTTP_PORT = ${toString cfg.httpPort}
 ROOT_URL = ${cfg.rootUrl}
+ [session]
+ COOKIE_NAME = session
+ COOKIE_SECURE = ${boolToString cfg.cookieSecure}
+
 [security]
 SECRET_KEY = #secretkey#
 INSTALL_LOCK = true
@@ -162,6 +166,16 @@ in
 description = "HTTP listen port.";
 };
+ cookieSecure = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Marks session cookies as "secure," which means browsers may
+ ensure that the cookie is only sent under an HTTPS connection.
+ It's good to enable this if Gogs is being served over HTTPS.
+ '';
+ }; + extraConfig = mkOption { + type = types.str; default = "";
From 036e0f114a83da8b90c620677d14fc8d0e05f64d Mon Sep 17 00:00:00 2001
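Review bot: The new `if [ ! -e ${secretKey} ]` guard makes the generated secret permanent, so a failed or interrupted first write leaves an empty `secret_key` that is then reused on every start; `if [ ! -s ${secretKey} ]; then` at least refuses to keep an empty file. The file is also created with the process umask and only gets `chmod 440` at the end of the block, the same late tightening as `runConfig`; write it under a restrictive umask instead, `(umask 077; head -c 16 /dev/urandom | base64 > ${secretKey})`. As in the first patch, 16 bytes is 128 bits of entropy. preStart begins in the hunk and its body continues past it.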
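Review bot: `default = false` on the new `cookieSecure` option means the session cookie is still sent over plaintext for deployments whose `rootUrl` is already `https://`, which is precisely the case where the flag matters; consider deriving the default from the URL, `default = hasPrefix "https://" cfg.rootUrl;` with a matching `defaultText`, so the safe value is picked automatically while staying overridable (assuming the module's `with lib;` brings `hasPrefix` into scope as it does `boolToString`). The hunk's tail around `extraConfig` appears garbled in this rendering, so I have not reviewed it. The option block itself is complete within the hunk.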
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Mon, 1 May 2017 11:37:12 +0200
Subject: [PATCH 6/6] gogs: improve cookieSecure documentation
---
 nixos/modules/services/misc/gogs.nix | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/misc/gogs.nix b/nixos/modules/services/misc/gogs.nix
index d42367761ab..ad2e36d04d5 100644
--- a/nixos/modules/services/misc/gogs.nix
+++ b/nixos/modules/services/misc/gogs.nix
@@ -170,9 +170,8 @@ in
 type = types.bool;
 default = false;
 description = ''
- Marks session cookies as "secure," which means browsers may
- ensure that the cookie is only sent under an HTTPS connection.
- It's good to enable this if Gogs is being served over HTTPS.
+ Marks session cookies as "secure" as a hint for browsers to only send
+ them via HTTPS. This option is recommend, if Gogs is being served over HTTPS.
 '';
 };