reworked the redmine service

added some security features like database.passwordFile

nixos/modules/services/misc/redmine.nix

@@ -5,100 +5,120 @@ with lib;
 let
   cfg = config.services.redmine;
 
-  databaseYml = ''
+  bundle = "${pkgs.redmine}/share/redmine/bin/bundle";
+
+  databaseYml = pkgs.writeText "database.yml" ''
     production:
-      adapter: mysql2 # postgresql
+      adapter: ${cfg.database.type}
-      database: ${cfg.databaseName}
+      database: ${cfg.database.name}
-      host: ${cfg.databaseHost}
+      host: ${cfg.database.host}
-      password: ${cfg.databasePassword}
+      port: ${toString cfg.database.port}
-      username: ${cfg.databaseUsername}
+      username: ${cfg.database.user}
-      encoding: utf8
+      password: #dbpass#
   '';
 
-  configurationYml = ''
+  configurationYml = pkgs.writeText "configuration.yml" ''
     default:
-      # Absolute path to the directory where attachments are stored.
+      scm_subversion_command: ${pkgs.subversion}/bin/svn
-      # The default is the 'files' directory in your Redmine instance.
+      scm_mercurial_command: ${pkgs.mercurial}/bin/hg
-      # Your Redmine instance needs to have write permission on this
+      scm_git_command: ${pkgs.gitAndTools.git}/bin/git
-      # directory.
+      scm_cvs_command: ${pkgs.cvs}/bin/cvs
-      # Examples:
+      scm_bazaar_command: ${pkgs.bazaar}/bin/bzr
-      # attachments_storage_path: /var/redmine/files
+      scm_darcs_command: ${pkgs.darcs}/bin/darcs
-      # attachments_storage_path: D:/redmine/files
-      attachments_storage_path: ${cfg.stateDir}/files
 
-      # Absolute path to the SCM commands errors (stderr) log file.
+    ${cfg.extraConfig}
-      # The default is to log in the 'log' directory of your Redmine instance.
-      # Example:
-      # scm_stderr_log_file: /var/log/redmine_scm_stderr.log
-      scm_stderr_log_file: ${cfg.stateDir}/log/redmine_scm_stderr.log
-
-      ${cfg.extraConfig}
   '';
 
-in {
+in
 
+{
   options = {
     services.redmine = {
       enable = mkOption {
         type = types.bool;
         default = false;
-        description = ''
+        description = "Enable the Redmine service.";
-          Enable the redmine service.
+      };
-        '';
+
+      user = mkOption {
+        type = types.str;
+        default = "redmine";
+        description = "User under which Redmine is ran.";
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "redmine";
+        description = "Group under which Redmine is ran.";
       };
 
       stateDir = mkOption {
         type = types.str;
         default = "/var/lib/redmine";
-        description = "The state directory, logs and plugins are stored here";
+        description = "The state directory, logs and plugins are stored here.";
       };
 
       extraConfig = mkOption {
         type = types.lines;
         default = "";
-        description = "Extra configuration in configuration.yml";
+        description = ''
+          Extra configuration in configuration.yml.
+
+          See https://guides.rubyonrails.org/action_mailer_basics.html#action-mailer-configuration
+        '';
       };
 
-      themes = mkOption {
+      database = {
-        type = types.attrsOf types.path;
+        type = mkOption {
-        default = {};
+          type = types.enum [ "mysql2" "postgresql" ];
-        description = "Set of themes";
+          example = "postgresql";
-      };
+          default = "mysql2";
+          description = "Database engine to use.";
+        };
 
-      plugins = mkOption {
+        host = mkOption {
-        type = types.attrsOf types.path;
+          type = types.str;
-        default = {};
+          default = "127.0.0.1";
-        description = "Set of plugins";
+          description = "Database host address.";
-      };
+        };
 
-      #databaseType = mkOption {
+        port = mkOption {
-      #  type = types.str;
+          type = types.int;
-      #  default = "postgresql";
+          default = 3306;
-      #  description = "Type of database";
+          description = "Database host port.";
-      #};
+        };
 
-      databaseHost = mkOption {
+        name = mkOption {
-        type = types.str;
+          type = types.str;
-        default = "127.0.0.1";
+          default = "redmine";
-        description = "Database hostname";
+          description = "Database name.";
-      };
+        };
 
-      databasePassword = mkOption {
+        user = mkOption {
-        type = types.str;
+          type = types.str;
-        default = "";
+          default = "redmine";
-        description = "Database user password";
+          description = "Database user.";
-      };
+        };
 
-      databaseName = mkOption {
+        password = mkOption {
-        type = types.str;
+          type = types.str;
-        default = "redmine";
+          default = "";
-        description = "Database name";
+          description = ''
-      };
+            The password corresponding to <option>database.user</option>.
+            Warning: this is stored in cleartext in the Nix store!
+            Use <option>database.passwordFile</option> instead.
+          '';
+        };
 
-      databaseUsername = mkOption {
+        passwordFile = mkOption {
-        type = types.str;
+          type = types.nullOr types.path;
-        default = "redmine";
+          default = null;
-        description = "Database user";
+          example = "/run/keys/redmine-dbpassword";
+          description = ''
+            A file containing the password corresponding to
+            <option>database.user</option>.
+          '';
+        };
       };
     };
   };
@@ -106,83 +126,106 @@ in {
   config = mkIf cfg.enable {
 
     assertions = [
-      { assertion = cfg.databasePassword != "";
+      { assertion = cfg.database.passwordFile != null || cfg.database.password != "";
-        message = "services.redmine.databasePassword must be set";
+        message = "either services.redmine.database.passwordFile or services.redmine.database.password must be set";
       }
     ];
 
-    users.users = [
+    environment.systemPackages = [ pkgs.redmine ];
-      { name = "redmine";
-        group = "redmine";
-        uid = config.ids.uids.redmine;
-      } ];
-
-    users.groups = [
-      { name = "redmine";
-        gid = config.ids.gids.redmine;
-      } ];
 
     systemd.services.redmine = {
-      after = [ "network.target" "mysql.service" ]; # postgresql.service
+      after = [ "network.target" (if cfg.database.type == "mysql2" then "mysql.service" else "postgresql.service") ];
       wantedBy = [ "multi-user.target" ];
+      environment.HOME = "${pkgs.redmine}/share/redmine";
       environment.RAILS_ENV = "production";
       environment.RAILS_CACHE = "${cfg.stateDir}/cache";
-      environment.SCHEMA = "${cfg.stateDir}/cache/schema.db";
-      environment.HOME = "${pkgs.redmine}/share/redmine";
       environment.REDMINE_LANG = "en";
+      environment.SCHEMA = "${cfg.stateDir}/cache/schema.db";
       path = with pkgs; [
         imagemagickBig
-        subversion
-        mercurial
-        cvs
-        # config.services.postgresql.package
-        libmysql
         bazaar
-        gitAndTools.git
+        cvs
         darcs
+        gitAndTools.git
+        mercurial
+        subversion
       ];
       preStart = ''
+        # start with a fresh config directory every time
         rm -rf ${cfg.stateDir}/config
+        cp -r ${pkgs.redmine}/share/redmine/config.dist ${cfg.stateDir}/config
 
-        mkdir -p ${cfg.stateDir}/cache
+        # create the basic state directory layout pkgs.redmine expects
-        mkdir -p ${cfg.stateDir}/config
-        mkdir -p ${cfg.stateDir}/files
-        mkdir -p ${cfg.stateDir}/log
-        mkdir -p ${cfg.stateDir}/plugins
-        mkdir -p ${cfg.stateDir}/tmp
-
         mkdir -p /run/redmine
-        ln -fs ${cfg.stateDir}/files /run/redmine/files
-        ln -fs ${cfg.stateDir}/log /run/redmine/log
-        ln -fs ${cfg.stateDir}/plugins /run/redmine/plugins
-        ln -fs ${cfg.stateDir}/tmp /run/redmine/tmp
 
-        cp -r ${pkgs.redmine}/share/redmine/config.dist/* ${cfg.stateDir}/config/
+        for i in config files log plugins tmp; do
-        ln -fs ${cfg.stateDir}/config /run/redmine/config
+          mkdir -p ${cfg.stateDir}/$i
+          ln -fs ${cfg.stateDir}/$i /run/redmine/$i
+        done
 
-        ln -fs ${pkgs.writeText "configuration.yml" configurationYml} ${cfg.stateDir}/config/configuration.yml
+        # ensure cache directory exists for db:migrate command
-        ln -fs ${pkgs.writeText "database.yml" databaseYml} ${cfg.stateDir}/config/database.yml
+        mkdir -p ${cfg.stateDir}/cache
+
+        # link in the application configuration
+        ln -fs ${configurationYml} ${cfg.stateDir}/config/configuration.yml
 
-        chown -R redmine:redmine ${cfg.stateDir}
         chmod -R ug+rwX,o-rwx+x ${cfg.stateDir}/
 
-        ${pkgs.redmine}/share/redmine/bin/bundle exec rake generate_secret_token
+        # handle database.passwordFile
-        ${pkgs.redmine}/share/redmine/bin/bundle exec rake db:migrate
+        DBPASS=$(head -n1 ${cfg.database.passwordFile})
-        ${pkgs.redmine}/share/redmine/bin/bundle exec rake redmine:load_default_data
+        cp -f ${databaseYml} ${cfg.stateDir}/config/database.yml
+        sed -e "s,#dbpass#,$DBPASS,g" -i ${cfg.stateDir}/config/database.yml
+        chmod 440 ${cfg.stateDir}/config/database.yml
+
+        # generate a secret token if required
+        if ! test -e "${cfg.stateDir}/config/initializers/secret_token.rb"; then
+          ${bundle} exec rake generate_secret_token
+          chmod 440 ${cfg.stateDir}/config/initializers/secret_token.rb
+        fi
+
+        # ensure everything is owned by ${cfg.user}
+        chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir}
+
+        ${bundle} exec rake db:migrate
+        ${bundle} exec rake redmine:load_default_data
       '';
 
       serviceConfig = {
         PermissionsStartOnly = true; # preStart must be run as root
         Type = "simple";
-        User = "redmine";
+        User = cfg.user;
-        Group = "redmine";
+        Group = cfg.group;
         TimeoutSec = "300";
         WorkingDirectory = "${pkgs.redmine}/share/redmine";
-        ExecStart="${pkgs.redmine}/share/redmine/bin/bundle exec rails server webrick -e production -P ${cfg.stateDir}/redmine.pid --binding=0.0.0.0";
+        ExecStart="${bundle} exec rails server webrick -e production -P ${cfg.stateDir}/redmine.pid --binding=0.0.0.0";
       };
 
     };
 
+    users.extraUsers = optionalAttrs (cfg.user == "redmine") (singleton
+      { name = "redmine";
+        group = cfg.group;
+        home = cfg.stateDir;
+        createHome = true;
+        uid = config.ids.uids.redmine;
+      });
+
+    users.extraGroups = optionalAttrs (cfg.group == "redmine") (singleton
+      { name = "redmine";
+        gid = config.ids.gids.redmine;
+      });
+
+    warnings = optional (cfg.database.password != "")
+      ''config.services.redmine.database.password will be stored as plaintext
+      in the Nix store. Use database.passwordFile instead.'';
+
+    # Create database passwordFile default when password is configured.
+    services.redmine.database.passwordFile =
+      (mkDefault (toString (pkgs.writeTextFile {
+        name = "redmine-database-password";
+        text = cfg.database.password;
+      })));
+
   };
 
 }

pkgs/applications/version-management/redmine/default.nix

@@ -1,4 +1,3 @@
-
 { stdenv, fetchurl, bundlerEnv, ruby }:
 
 let
@@ -28,9 +27,9 @@ in
       mkdir -p $out/share
       cp -r . $out/share/redmine
 
-      for i in config files log plugins tmp; do # TODO: add 'public' to this list?
+      for i in config files log plugins tmp; do
         rm -rf $out/share/redmine/$i
-        ln -sf /run/redmine/$i $out/share/redmine/
+        ln -fs /run/redmine/$i $out/share/redmine/
       done
     '';