nixos/openldap: make rootpw option optional

This allows to store passwords in external files outside of the world-readable nix store.
2019-04-23 15:13:45 +01:00 · 2019-04-23 15:13:45 +01:00 · d43dc68db3
commit d43dc68db3
parent 9d127f2450
1 changed files with 28 additions and 5 deletions
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@ -18,7 +18,11 @@ let
    database ${cfg.database}
    suffix ${cfg.suffix}
    rootdn ${cfg.rootdn}
-    rootpw ${cfg.rootpw}
+    ${if (cfg.rootpw != null) then ''
+      rootpw ${cfg.rootpw}
+    '' else ''
+      include ${cfg.rootpwFile}
+    ''}
    directory ${cfg.dataDir}
    ${cfg.extraDatabaseConfig}
  '');
@ -106,10 +110,23 @@ in
      };

      rootpw = mkOption {
-        type = types.str;
+        type = types.nullOr types.str;
+        default = null;
        description = ''
          Password for the root user.
          This setting will be ignored if configDir is set.
+          Using this option will store the root password in plain text in the
+          world-readable nix store. To avoid this the <literal>rootpwFile</literal> can be used.
+        '';
+      };
+
+      rootpwFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          Password file for the root user.
+          The file should contain the string <literal>rootpw</literal> followed by the password.
+          e.g.: <literal>rootpw mysecurepassword</literal>
        '';
      };

@ -140,9 +157,9 @@ in
            include ${pkgs.openldap.out}/etc/schema/inetorgperson.schema
            include ${pkgs.openldap.out}/etc/schema/nis.schema

-            database bdb 
-            suffix dc=example,dc=org 
-            rootdn cn=admin,dc=example,dc=org 
+            database bdb
+            suffix dc=example,dc=org
+            rootdn cn=admin,dc=example,dc=org
            # NOTE: change after first start
            rootpw secret
            directory /var/db/openldap
@ -218,6 +235,12 @@ in
  ###### implementation

  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.rootpwFile != null || cfg.rootpw != null;
+        message = "Either services.openldap.rootpw or services.openldap.rootpwFile must be set";
+      }
+    ];

    environment.systemPackages = [ openldap ];