bepasty: add secretKeyFile option
This gives users the option to store secrets outside the world-readable Nix store.
parent
184e3238c7
commit
ecf03368f8
1 changed files with 32 additions and 4 deletions
|
@ -21,7 +21,7 @@ in
|
|||
configure a number of bepasty servers which will be started with
|
||||
gunicorn.
|
||||
'';
|
||||
type = with types ; attrsOf (submodule ({
|
||||
type = with types ; attrsOf (submodule ({ config, ... } : {
|
||||
|
||||
options = {
|
||||
|
||||
|
@ -34,7 +34,6 @@ in
|
|||
default = "127.0.0.1:8000";
|
||||
};
|
||||
|
||||
|
||||
dataDir = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
|
@ -73,10 +72,28 @@ in
|
|||
type = types.str;
|
||||
description = ''
|
||||
server secret for safe session cookies, must be set.
|
||||
|
||||
Warning: this secret is stored in the WORLD-READABLE Nix store!
|
||||
|
||||
It's recommended to use <option>secretKeyFile</option>
|
||||
which takes precedence over <option>secretKey</option>.
|
||||
'';
|
||||
default = "";
|
||||
};
|
||||
|
||||
secretKeyFile = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
A file that contains the server secret for safe session cookies, must be set.
|
||||
|
||||
<option>secretKeyFile</option> takes precedence over <option>secretKey</option>.
|
||||
|
||||
Warning: when <option>secretKey</option> is non-empty <option>secretKeyFile</option>
|
||||
defaults to a file in the WORLD-READABLE Nix store containing that secret.
|
||||
'';
|
||||
};
|
||||
|
||||
workDir = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
|
@ -87,11 +104,22 @@ in
|
|||
};
|
||||
|
||||
};
|
||||
config = {
|
||||
secretKeyFile = mkDefault (
|
||||
if config.secretKey != ""
|
||||
then toString (pkgs.writeTextFile {
|
||||
name = "bepasty-secret-key";
|
||||
text = config.secretKey;
|
||||
})
|
||||
else null
|
||||
);
|
||||
};
|
||||
}));
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
environment.systemPackages = [ bepasty ];
|
||||
|
||||
# creates gunicorn systemd service for each configured server
|
||||
|
@ -115,7 +143,7 @@ in
|
|||
serviceConfig = {
|
||||
Type = "simple";
|
||||
PrivateTmp = true;
|
||||
ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
|
||||
ExecStartPre = assert !isNull server.secretKeyFile; pkgs.writeScript "bepasty-server.${name}-init" ''
|
||||
#!/bin/sh
|
||||
mkdir -p "${server.workDir}"
|
||||
mkdir -p "${server.dataDir}"
|
||||
|
@ -123,7 +151,7 @@ in
|
|||
cat > ${server.workDir}/bepasty-${name}.conf <<EOF
|
||||
SITENAME="${name}"
|
||||
STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
|
||||
SECRET_KEY="${server.secretKey}"
|
||||
SECRET_KEY="$(cat "${server.secretKeyFile}")"
|
||||
DEFAULT_PERMISSIONS="${server.defaultPermissions}"
|
||||
${server.extraConfig}
|
||||
EOF
|
||||
|
|
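Review bot: In the last hunk the secret read from `secretKeyFile` is copied into `${server.workDir}/bepasty-${name}.conf` by a plain `cat >` under the service's default umask, so unless something outside this diff tightens permissions the generated config is typically created world-readable and the secret ends up about as exposed as it was in the Nix store, which is what this commit sets out to avoid. I would add `umask 077` on the line before the `cat >` so the file is created mode 0600, and, because `>` truncates an existing file without changing its mode, also `chmod 600 "${server.workDir}/bepasty-${name}.conf"` after `EOF` for systems upgrading from the previous version. The value is also spliced into a double-quoted assignment in what appears to be a Python-syntax config, so a secret containing `"`, `\` or an embedded newline silently produces a broken config; the `secretKeyFile` description should state the expected format, e.g. "The file must contain the secret on a single line, without quotes or backslashes." Finally, the `secretKey` and `secretKeyFile` descriptions both say "must be set", which is now contradictory; `secretKey`'s should read "Either this option or secretKeyFile must be set", and it is worth noting in the description that the file must be readable by whichever user ExecStartPre runs as, which is not visible in this diff.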