movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 06:00:33 +03:00
Code Activity

gogs service: don't copy database password to nix store

Browse source 
Relevant to #24288
This commit is contained in:
Rodney Lorrimar 2017-04-22 17:03:07 +01:00
parent 0c9512d263
commit 79d52bc26c
1 changed files with 31 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

34
nixos/modules/services/misc/gogs.nix
View file

@ -14,7 +14,7 @@ let
HOST = ${cfg.database.host}:${toString cfg.database.port} HOST = ${cfg.database.host}:${toString cfg.database.port}
NAME = ${cfg.database.name} NAME = ${cfg.database.name}
USER = ${cfg.database.user} USER = ${cfg.database.user}
PASSWD = ${cfg.database.password} PASSWD = #dbpass#
PATH = ${cfg.database.path} PATH = ${cfg.database.path}
[repository] [repository]
@ -102,7 +102,21 @@ in
password = mkOption { password = mkOption {
type = types.str; type = types.str;
default = ""; default = "";
description = "Database password."; description = ''
The password corresponding to <option>database.user</option>.
Warning: this is stored in cleartext in the Nix store!
Use <option>database.passwordFile</option> instead.
'';
};
passwordFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/keys/gogs-dbpassword";
description = ''
A file containing the password corresponding to
<option>database.user</option>.
'';
}; };
path = mkOption { path = mkOption {
@ -170,7 +184,10 @@ in
mkdir -p ${cfg.stateDir}/custom/conf mkdir -p ${cfg.stateDir}/custom/conf
cp -f ${configFile} ${cfg.stateDir}/custom/conf/app.ini cp -f ${configFile} ${cfg.stateDir}/custom/conf/app.ini
KEY=$(head -c 16 /dev/urandom | base64) KEY=$(head -c 16 /dev/urandom | base64)
sed -i "s,#secretkey#,$KEY,g" ${cfg.stateDir}/custom/conf/app.ini DBPASS=$(head -n1 ${cfg.database.passwordFile})
sed -e "s,#secretkey#,$KEY,g" \
-e "s,#dbpass#,$DBPASS,g" \
-i ${cfg.stateDir}/custom/conf/app.ini
''} ''}
mkdir -p ${cfg.repositoryRoot} mkdir -p ${cfg.repositoryRoot}
@ -212,5 +229,16 @@ in
}; };
extraGroups.gogs.gid = config.ids.gids.gogs; extraGroups.gogs.gid = config.ids.gids.gogs;
}; };
warnings = optional (cfg.database.password != "")
''config.services.gogs.database.password will be stored as plaintext
in the Nix store. Use database.passwordFile instead.'';
# Create database passwordFile default when password is configured.
services.gogs.database.passwordFile = mkIf (cfg.database.password != "")
(mkDefault (toString (pkgs.writeTextFile {
name = "gogs-database-password";
text = cfg.database.password;
})));
}; };
} }