public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bepasty: add secretKeyFile option

Browse Source 
This gives users the option to store secrets outside the
world-readable Nix store.
This commit is contained in:
Bas van Dijk 2017-04-08 19:32:19 +02:00
parent 184e3238c7
commit ecf03368f8
1 changed files with 32 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
nixos/modules/services/misc/bepasty.nix
View File

@ -21,7 +21,7 @@ in
configure a number of bepasty servers which will be started with configure a number of bepasty servers which will be started with
gunicorn. gunicorn.
''; '';
type = with types ; attrsOf (submodule ({ type = with types ; attrsOf (submodule ({ config, ... } : {
options = { options = {
@ -34,7 +34,6 @@ in
default = "127.0.0.1:8000"; default = "127.0.0.1:8000";
}; };
dataDir = mkOption { dataDir = mkOption {
type = types.str; type = types.str;
description = '' description = ''
@ -73,10 +72,28 @@ in
type = types.str; type = types.str;
description = '' description = ''
server secret for safe session cookies, must be set. server secret for safe session cookies, must be set.
Warning: this secret is stored in the WORLD-READABLE Nix store!
It's recommended to use <option>secretKeyFile</option>
which takes precedence over <option>secretKey</option>.
''; '';
default = ""; default = "";
}; };
secretKeyFile = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
A file that contains the server secret for safe session cookies, must be set.
<option>secretKeyFile</option> takes precedence over <option>secretKey</option>.
Warning: when <option>secretKey</option> is non-empty <option>secretKeyFile</option>
defaults to a file in the WORLD-READABLE Nix store containing that secret.
'';
};
workDir = mkOption { workDir = mkOption {
type = types.str; type = types.str;
description = '' description = ''
@ -87,11 +104,22 @@ in
}; };
}; };
config = {
secretKeyFile = mkDefault (
if config.secretKey != ""
then toString (pkgs.writeTextFile {
name = "bepasty-secret-key";
text = config.secretKey;
})
else null
);
};
})); }));
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.systemPackages = [ bepasty ]; environment.systemPackages = [ bepasty ];
# creates gunicorn systemd service for each configured server # creates gunicorn systemd service for each configured server
@ -115,7 +143,7 @@ in
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
PrivateTmp = true; PrivateTmp = true;
ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" '' ExecStartPre = assert !isNull server.secretKeyFile; pkgs.writeScript "bepasty-server.${name}-init" ''
#!/bin/sh #!/bin/sh
mkdir -p "${server.workDir}" mkdir -p "${server.workDir}"
mkdir -p "${server.dataDir}" mkdir -p "${server.dataDir}"
@ -123,7 +151,7 @@ in
cat > ${server.workDir}/bepasty-${name}.conf <<EOF cat > ${server.workDir}/bepasty-${name}.conf <<EOF
SITENAME="${name}" SITENAME="${name}"
STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}" STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
SECRET_KEY="${server.secretKey}" SECRET_KEY="$(cat "${server.secretKeyFile}")"
DEFAULT_PERMISSIONS="${server.defaultPermissions}" DEFAULT_PERMISSIONS="${server.defaultPermissions}"
${server.extraConfig} ${server.extraConfig}
EOF EOF