From db14ea39261d8f70c2006e9eac021614ecad19df Mon Sep 17 00:00:00 2001 From: Rodney Lorrimar Date: Sun, 26 Mar 2017 22:56:28 +0100 Subject: [PATCH] longview service: don't write passwords to nix store Adds services.longview.{apiKeyFile,mysqlPasswordFile} options as alternatives to apiKey and mysqlPassword, which still work, but are deprecated with a warning message. Related to #24288. --- .../modules/services/monitoring/longview.nix | 110 ++++++++++++------ pkgs/servers/monitoring/longview/default.nix | 7 +- 2 files changed, 82 insertions(+), 35 deletions(-) diff --git a/nixos/modules/services/monitoring/longview.nix b/nixos/modules/services/monitoring/longview.nix index 770d56e60efb..9c38956f9ba8 100644 --- a/nixos/modules/services/monitoring/longview.nix +++ b/nixos/modules/services/monitoring/longview.nix @@ -5,22 +5,10 @@ with lib; let cfg = config.services.longview; - pidFile = "/run/longview.pid"; + runDir = "/run/longview"; + configsDir = "${runDir}/longview.d"; - apacheConf = optionalString (cfg.apacheStatusUrl != "") '' - location ${cfg.apacheStatusUrl}?auto - ''; - mysqlConf = optionalString (cfg.mysqlUser != "") '' - username ${cfg.mysqlUser} - password ${cfg.mysqlPassword} - ''; - nginxConf = optionalString (cfg.nginxStatusUrl != "") '' - location ${cfg.nginxStatusUrl} - ''; - -in - -{ +in { options = { services.longview = { @@ -35,10 +23,27 @@ in apiKey = mkOption { type = types.str; + default = ""; example = "01234567-89AB-CDEF-0123456789ABCDEF"; description = '' Longview API key. To get this, look in Longview settings which are found at https://manager.linode.com/longview/. + + Warning: this secret is stored in the world-readable Nix store! + Use instead. + ''; + }; + + apiKeyFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/longview-api-key"; + description = '' + A file containing the Longview API key. + To get this, look in Longview settings which + are found at https://manager.linode.com/longview/. + + takes precedence over . ''; }; @@ -77,11 +82,23 @@ in mysqlPassword = mkOption { type = types.str; + default = ""; description = '' - The password corresponding to mysqlUser. Warning: this is - stored in cleartext in the Nix store! + The password corresponding to . + Warning: this is stored in cleartext in the Nix store! + Use instead. ''; }; + + mysqlPasswordFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/dbpassword"; + description = '' + A file containing the password corresponding to . + ''; + }; + }; }; @@ -94,25 +111,50 @@ in serviceConfig.Type = "forking"; serviceConfig.ExecStop = "-${pkgs.coreutils}/bin/kill -TERM $MAINPID"; serviceConfig.ExecReload = "-${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - serviceConfig.PIDFile = pidFile; + serviceConfig.PIDFile = "${runDir}/longview.pid"; serviceConfig.ExecStart = "${pkgs.longview}/bin/longview"; + preStart = '' + umask 077 + mkdir -p ${configsDir} + '' + (optionalString (cfg.apiKeyFile != null) '' + cp --no-preserve=all "${cfg.apiKeyFile}" ${runDir}/longview.key + '') + (optionalString (cfg.apacheStatusUrl != "") '' + cat > ${configsDir}/Apache.conf < ${configsDir}/MySQL.conf < ${configsDir}/Nginx.conf <