From ecf03368f8b624b8573f97f70387d6d14f7e32fe Mon Sep 17 00:00:00 2001 From: Bas van Dijk Date: Sat, 8 Apr 2017 19:32:19 +0200 Subject: [PATCH] bepasty: add secretKeyFile option This gives users the option to store secrets outside the world-readable Nix store. --- nixos/modules/services/misc/bepasty.nix | 36 ++++++++++++++++++++++--- 1 file changed, 32 insertions(+), 4 deletions(-) diff --git a/nixos/modules/services/misc/bepasty.nix b/nixos/modules/services/misc/bepasty.nix index 52719222db66..4d78cddcb54f 100644 --- a/nixos/modules/services/misc/bepasty.nix +++ b/nixos/modules/services/misc/bepasty.nix @@ -21,7 +21,7 @@ in configure a number of bepasty servers which will be started with gunicorn. ''; - type = with types ; attrsOf (submodule ({ + type = with types ; attrsOf (submodule ({ config, ... } : { options = { @@ -34,7 +34,6 @@ in default = "127.0.0.1:8000"; }; - dataDir = mkOption { type = types.str; description = '' @@ -73,10 +72,28 @@ in type = types.str; description = '' server secret for safe session cookies, must be set. + + Warning: this secret is stored in the WORLD-READABLE Nix store! + + It's recommended to use + which takes precedence over . ''; default = ""; }; + secretKeyFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + A file that contains the server secret for safe session cookies, must be set. + + takes precedence over . + + Warning: when is non-empty + defaults to a file in the WORLD-READABLE Nix store containing that secret. + ''; + }; + workDir = mkOption { type = types.str; description = '' @@ -87,11 +104,22 @@ in }; }; + config = { + secretKeyFile = mkDefault ( + if config.secretKey != "" + then toString (pkgs.writeTextFile { + name = "bepasty-secret-key"; + text = config.secretKey; + }) + else null + ); + }; })); }; }; config = mkIf cfg.enable { + environment.systemPackages = [ bepasty ]; # creates gunicorn systemd service for each configured server 
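Review bot: The description of the new option in the `+ secretKeyFile = mkOption {` block of the `@@ -73,10 +72,28 @@` hunk says the file "must be set" while `default = null` and the `mkDefault` fallback from secretKey mean most existing configurations never set it, and it does not say what the file contains or why a plain string path rather than a path literal is wanted. I would describe the contract instead of the obligation, e.g. `Path to a file containing the server secret for safe session cookies. Keeping it outside the Nix store, with restrictive permissions, avoids exposing the secret to every local user; when secretKey is non-empty this defaults to a store file generated from it.` If the file is read by the service's start-up script rather than at evaluation time (that script is only partly visible in this chunk), stating that here explains to users why the value is a string and not a path literal, which would itself be copied into the store.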
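Review bot: `environment.systemPackages = [ bepasty ];` at the end of the `@@ -87,11 +104,22 @@` hunk is unrelated to the secretKeyFile change and is not mentioned in the commit message; it should be split out or at least noted, since it changes what every user has on PATH. The `mkDefault` fallback above it, which writes `config.secretKey` into the store with `pkgs.writeTextFile`, keeps old configurations working, but it means the exposure the commit warns about now happens silently at build time. A `warnings` entry in the `config = mkIf cfg.enable { … }` block for every server whose secretKey is non-empty would surface it, e.g. `warnings = mapAttrsToList (n: s: "bepasty server ${n}: secretKey is stored in the world-readable Nix store; set secretKeyFile instead") (filterAttrs (_: s: s.secretKey != "") <servers>);`, where `<servers>` stands for the servers attrset whose name is not in this chunk.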
@@ -115,7 +143,7 @@ in
 serviceConfig = {
 Type = "simple";
 PrivateTmp = true;
- ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
+ ExecStartPre = assert !isNull server.secretKeyFile; pkgs.writeScript "bepasty-server.${name}-init" ''
 #!/bin/sh
 mkdir -p "${server.workDir}"
 mkdir -p "${server.dataDir}"
@@ -123,7 +151,7 @@ in
 cat > ${server.workDir}/bepasty-${name}.conf <
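Review bot: `assert !isNull server.secretKeyFile;` on the changed ExecStartPre line uses `isNull`, which the Nix manual marks as deprecated in favour of `== null`, and an inline `assert` inside a derivation expression fails with a bare "assertion failed" that does not name the option or the server; `assert server.secretKeyFile != null;` is the minimal fix, and a module-level `assertions` entry with a message naming the server would be the idiomatic one. The init script that begins here (`#!/bin/sh` and the two `mkdir -p` lines) creates workDir and dataDir with the process umask, and the following hunk shows it then writing `bepasty-${name}.conf` into workDir; if that file ends up holding the secret taken from secretKeyFile (the rest of the script is outside this chunk), a `umask 077` before the mkdir and cat lines, or an explicit chmod on the written file, keeps that copy from being world-readable. Whether the service runs as a dedicated user is not visible here, so the ownership of those directories may need adjusting as well.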