BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

nixos/murmur: add option environmentFile for injecting secrets

Browse source 
Secrets are injected from the environment into the rendered
configuration before each startup using envsubst.
The test now makes use of this feature for the server password.
This commit is contained in:
elseym 2020-10-07 11:27:05 +02:00
parent c7f33a55b0
commit 533560de5b
No known key found for this signature in database
GPG key ID: 8696D1F9E5C020D2
2 changed files with 58 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
nixos/modules/services/networking/murmur.nix
View file

@ -241,6 +241,34 @@ in
default = "";
description = "Extra configuration to put into murmur.ini.";
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/lib/murmur/murmurd.env";
description = ''
Environment file as defined in <citerefentry>
<refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
Secrets may be passed to the service without adding them to the world-readable
Nix store, by specifying placeholder variables as the option value in Nix and
setting these variables accordingly in the environment file.
<programlisting>
# snippet of murmur-related config
services.murmur.password = "$MURMURD_PASSWORD";
</programlisting>
<programlisting>
# content of the environment file
MURMURD_PASSWORD=verysecretpassword
</programlisting>
Note that this file needs to be available on the host on which
<literal>murmur</literal> is running.
'';
};
};
};
@ -256,14 +284,22 @@ in
description = "Murmur Chat Service";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target "];
preStart = ''
${pkgs.envsubst}/bin/envsubst \
-o /run/murmur/murmurd.ini \
-i ${configFile}
'';
serviceConfig = {
# murmurd doesn't fork when logging to the console.
Type = if forking then "forking" else "simple";
PIDFile = mkIf forking "/run/murmur/murmurd.pid";
RuntimeDirectory = mkIf forking "murmur";
User = "murmur";
ExecStart = "${pkgs.murmur}/bin/murmurd -ini ${configFile}";
Type = if forking then "forking" else "simple";
PIDFile = mkIf forking "/run/murmur/murmurd.pid";
EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
ExecStart = "${pkgs.murmur}/bin/murmurd -ini /run/murmur/murmurd.ini";
Restart = "always";
RuntimeDirectory = "murmur";
RuntimeDirectoryMode = "0700";
User = "murmur";
};
};
};

22
nixos/tests/mumble.nix
View file

@ -5,6 +5,12 @@ let
imports = [ ./common/x11.nix ];
environment.systemPackages = [ pkgs.mumble ];
};
# outside of tests, this file should obviously not come from the nix store
envFile = pkgs.writeText "nixos-test-mumble-murmurd.env" ''
MURMURD_PASSWORD=testpassword
'';
in
{
name = "mumble";
@ -14,8 +20,10 @@ in
nodes = {
server = { config, ... }: {
services.murmur.enable = true;
services.murmur.enable = true;
services.murmur.registerName = "NixOS tests";
services.murmur.password = "$MURMURD_PASSWORD";
services.murmur.environmentFile = envFile;
networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
};
@ -30,8 +38,8 @@ in
client1.wait_for_x()
client2.wait_for_x()
client1.execute("mumble mumble://client1\@server/test &")
client2.execute("mumble mumble://client2\@server/test &")
client1.execute("mumble mumble://client1:testpassword\@server/test &")
client2.execute("mumble mumble://client2:testpassword\@server/test &")
# cancel client audio configuration
client1.wait_for_window(r"Audio Tuning Wizard")
@ -63,8 +71,12 @@ in
client2.send_chars("y")
# Find clients in logs
server.wait_until_succeeds("journalctl -eu murmur -o cat | grep -q client1")
server.wait_until_succeeds("journalctl -eu murmur -o cat | grep -q client2")
server.wait_until_succeeds(
"journalctl -eu murmur -o cat | grep -q 'client1.\+Authenticated'"
)
server.wait_until_succeeds(
"journalctl -eu murmur -o cat | grep -q 'client2.\+Authenticated'"
)
server.sleep(5) # wait to get screenshot
client1.screenshot("screen1")