bepasty: add secretKeyFile option

This gives users the option to store secrets outside the
world-readable Nix store.
This commit is contained in:
Bas van Dijk 2017-04-08 19:32:19 +02:00
parent 184e3238c7
commit ecf03368f8

View file

@ -21,7 +21,7 @@ in
configure a number of bepasty servers which will be started with
gunicorn.
'';
type = with types ; attrsOf (submodule ({
type = with types ; attrsOf (submodule ({ config, ... } : {
options = {
@ -34,7 +34,6 @@ in
default = "127.0.0.1:8000";
};
dataDir = mkOption {
type = types.str;
description = ''
@ -73,10 +72,28 @@ in
type = types.str;
description = ''
server secret for safe session cookies, must be set.
Warning: this secret is stored in the WORLD-READABLE Nix store!
It's recommended to use <option>secretKeyFile</option>
which takes precedence over <option>secretKey</option>.
'';
default = "";
};
secretKeyFile = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
A file that contains the server secret for safe session cookies, must be set.
<option>secretKeyFile</option> takes precedence over <option>secretKey</option>.
Warning: when <option>secretKey</option> is non-empty <option>secretKeyFile</option>
defaults to a file in the WORLD-READABLE Nix store containing that secret.
'';
};
workDir = mkOption {
type = types.str;
description = ''
@ -87,11 +104,22 @@ in
};
};
config = {
secretKeyFile = mkDefault (
if config.secretKey != ""
then toString (pkgs.writeTextFile {
name = "bepasty-secret-key";
text = config.secretKey;
})
else null
);
};
}));
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ bepasty ];
# creates gunicorn systemd service for each configured server
@ -115,7 +143,7 @@ in
serviceConfig = {
Type = "simple";
PrivateTmp = true;
ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
ExecStartPre = assert !isNull server.secretKeyFile; pkgs.writeScript "bepasty-server.${name}-init" ''
#!/bin/sh
mkdir -p "${server.workDir}"
mkdir -p "${server.dataDir}"
@ -123,7 +151,7 @@ in
cat > ${server.workDir}/bepasty-${name}.conf <<EOF
SITENAME="${name}"
STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
SECRET_KEY="${server.secretKey}"
SECRET_KEY="$(cat "${server.secretKeyFile}")"
DEFAULT_PERMISSIONS="${server.defaultPermissions}"
${server.extraConfig}
EOF