public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/redis: add requirePassFile option

Browse Source 
Avoids having the password in the nix store.
This commit is contained in:
Jörg Thalheim 2020-02-13 15:56:29 +00:00
parent 5c403726bc
commit 9cfe5a7a54
No known key found for this signature in database
GPG Key ID: 003F2096411B5F92
1 changed files with 33 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
nixos/modules/services/databases/redis.nix
View File

@ -150,10 +150,20 @@ in
requirePass = mkOption { requirePass = mkOption {
type = with types; nullOr str; type = with types; nullOr str;
default = null; default = null;
description = "Password for database (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)"; description = ''
Password for database (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE).
Use requirePassFile to store it outside of the nix store in a dedicated file.
'';
example = "letmein!"; example = "letmein!";
}; };
requirePassFile = mkOption {
type = with types; nullOr path;
default = null;
description = "File with password for the database.";
example = "/run/keys/redis-password";
};
appendOnly = mkOption { appendOnly = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@ -192,6 +202,10 @@ in
###### implementation ###### implementation
config = mkIf config.services.redis.enable { config = mkIf config.services.redis.enable {
assertions = [{
assertion = cfg.requirePass != null -> cfg.requirePassFile == null;
message = "You can only set one services.redis.requirePass or services.redis.requirePassFile";
}];
boot.kernel.sysctl = (mkMerge [ boot.kernel.sysctl = (mkMerge [
{ "vm.nr_hugepages" = "0"; } { "vm.nr_hugepages" = "0"; }
( mkIf cfg.vmOverCommit { "vm.overcommit_memory" = "1"; } ) ( mkIf cfg.vmOverCommit { "vm.overcommit_memory" = "1"; } )
@ -208,21 +222,26 @@ in
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
systemd.services.redis = systemd.services.redis = {
{ description = "Redis Server"; description = "Redis Server";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
preStart = ''
install -m 600 ${redisConfig} /run/redis/redis.conf
'' + optionalString (cfg.requirePassFile != null) ''
password=$(cat ${escapeShellArg cfg.requirePassFile})
echo "requirePass $password" >> /run/redis/redis.conf
'';
serviceConfig = { serviceConfig = {
ExecStart = "${cfg.package}/bin/redis-server ${redisConfig}"; ExecStart = "${cfg.package}/bin/redis-server /run/redis/redis.conf";
RuntimeDirectory = "redis"; RuntimeDirectory = "redis";
StateDirectory = "redis"; StateDirectory = "redis";
Type = "notify"; Type = "notify";
User = "redis"; User = "redis";
}; };
}; };
}; };
} }