bepasty: add secretKeyFile option

This gives users the option to store secrets outside the world-readable Nix store.
2017-04-08 19:32:19 +02:00 · 2017-04-08 19:32:19 +02:00 · ecf03368f8
commit ecf03368f8
parent 184e3238c7
1 changed files with 32 additions and 4 deletions
--- a/nixos/modules/services/misc/bepasty.nix
+++ b/nixos/modules/services/misc/bepasty.nix
@ -21,7 +21,7 @@ in
        configure a number of bepasty servers which will be started with
        gunicorn.
        '';
-      type = with types ; attrsOf (submodule ({
+      type = with types ; attrsOf (submodule ({ config, ... } : {

        options = {

@ -34,7 +34,6 @@ in
            default = "127.0.0.1:8000";
          };

-
          dataDir = mkOption {
            type = types.str;
            description = ''
@ -73,10 +72,28 @@ in
            type = types.str;
            description = ''
              server secret for safe session cookies, must be set.
+
+              Warning: this secret is stored in the WORLD-READABLE Nix store!
+
+              It's recommended to use <option>secretKeyFile</option>
+              which takes precedence over <option>secretKey</option>.
              '';
            default = "";
          };

+          secretKeyFile = mkOption {
+            type = types.nullOr types.str;
+            default = null;
+            description = ''
+              A file that contains the server secret for safe session cookies, must be set.
+
+              <option>secretKeyFile</option> takes precedence over <option>secretKey</option>.
+
+              Warning: when <option>secretKey</option> is non-empty <option>secretKeyFile</option>
+              defaults to a file in the WORLD-READABLE Nix store containing that secret.
+              '';
+          };
+
          workDir = mkOption {
            type = types.str;
            description = ''
@ -87,11 +104,22 @@ in
          };

        };
+        config = {
+          secretKeyFile = mkDefault (
+            if config.secretKey != ""
+            then toString (pkgs.writeTextFile {
+              name = "bepasty-secret-key";
+              text = config.secretKey;
+            })
+            else null
+          );
+        };
      }));
    };
  };

  config = mkIf cfg.enable {
+
    environment.systemPackages = [ bepasty ];

    # creates gunicorn systemd service for each configured server
@ -115,7 +143,7 @@ in
          serviceConfig = {
            Type = "simple";
            PrivateTmp = true;
-            ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
+            ExecStartPre = assert !isNull server.secretKeyFile; pkgs.writeScript "bepasty-server.${name}-init" ''
              #!/bin/sh
              mkdir -p "${server.workDir}"
              mkdir -p "${server.dataDir}"
@ -123,7 +151,7 @@ in
              cat > ${server.workDir}/bepasty-${name}.conf <<EOF
              SITENAME="${name}"
              STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
-              SECRET_KEY="${server.secretKey}"
+              SECRET_KEY="$(cat "${server.secretKeyFile}")"
              DEFAULT_PERMISSIONS="${server.defaultPermissions}"
              ${server.extraConfig}
              EOF