nixos/redis: add requirePassFile option
Avoids storing the password in the world-readable Nix store.
This commit is contained in:
parent
5c403726bc
commit
9cfe5a7a54
@ -150,10 +150,20 @@ in
requirePass = mkOption {
type = with types; nullOr str;
default = null;
description = "Password for database (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)";
description = ''
Password for database (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE).
Use requirePassFile to store it outside of the nix store in a dedicated file.
'';
example = "letmein!";
};
requirePassFile = mkOption {
type = with types; nullOr path;
default = null;
description = "File with password for the database.";
example = "/run/keys/redis-password";
};
appendOnly = mkOption {
type = types.bool;
default = false;
@ -192,6 +202,10 @@ in
###### implementation
config = mkIf config.services.redis.enable {
assertions = [{
assertion = cfg.requirePass != null -> cfg.requirePassFile == null;
message = "You can only set one services.redis.requirePass or services.redis.requirePassFile";
}];
boot.kernel.sysctl = (mkMerge [
{ "vm.nr_hugepages" = "0"; }
( mkIf cfg.vmOverCommit { "vm.overcommit_memory" = "1"; } )
@ -208,21 +222,26 @@ in
environment.systemPackages = [ cfg.package ];
systemd.services.redis =
{ description = "Redis Server";
systemd.services.redis = {
description = "Redis Server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${cfg.package}/bin/redis-server ${redisConfig}";
RuntimeDirectory = "redis";
StateDirectory = "redis";
Type = "notify";
User = "redis";
};
preStart = ''
install -m 600 ${redisConfig} /run/redis/redis.conf
'' + optionalString (cfg.requirePassFile != null) ''
password=$(cat ${escapeShellArg cfg.requirePassFile})
echo "requirePass $password" >> /run/redis/redis.conf
'';
serviceConfig = {
ExecStart = "${cfg.package}/bin/redis-server /run/redis/redis.conf";
RuntimeDirectory = "redis";
StateDirectory = "redis";
Type = "notify";
User = "redis";
};
};
};
}
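Review bot: The `preStart` script that does `password=$(cat ${escapeShellArg cfg.requirePassFile})` runs as the service user — `serviceConfig` sets `User = "redis"` and nothing visible (no `PermissionsStartOnly`, no `+` prefix) makes the pre-start step run as root — so `requirePassFile` has to be readable by the `redis` user, which neither the option's `description` in the first hunk nor the `/run/keys/redis-password` example states; an unreadable file fails the unit at `cat`. The `echo "requirePass $password" >> /run/redis/redis.conf` line also appends the value unquoted, so a password containing whitespace or a `"` would presumably be split or mis-parsed by Redis's config reader at startup rather than rejected here. Suggest extending the description to `File with password for the database. It is read at startup by the redis service user, so it must be readable by that user but not world-readable; the content must be a single line without whitespace or quotes, since it is appended verbatim to the Redis config.` The copy via `install -m 600` keeps the assembled config owned by `redis` with mode 0600, so the appended secret is not exposed under `/run/redis`, which is the point of the change.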