dont store passwords in /nix/store anymore

2024-06-26 11:56:07 +02:00
parent 2ddc2856f9
commit a4128e9603
2 changed files with 50 additions and 43 deletions
--- a/ep3-bs.nix
+++ b/ep3-bs.nix
@@ -28,6 +28,13 @@ let

    };

+  dbInitScript = pkgs.writeText "ep3bsnixInitScript.sql" ''
+    CREATE USER '${cfg.database.user}'@localhost IDENTIFIED BY '%%PASSWORD_DB%%';
+    CREATE DATABASE ${cfg.database.name};
+    GRANT ALL PRIVILEGES ON *.* TO '${cfg.database.user}'@localhost IDENTIFIED BY '%%PASSWORD_DB%%';
+    FLUSH PRIVILEGES;
+  '';
+
  configFile = pkgs.writeText "local.php" ''
    <?php
    /**
@@ -91,6 +98,15 @@ let
    rm ${cfg.stateDir}/config/autoload/local.php.dist
    rm ${cfg.stateDir}/data/cache/*

+    cp -f ${dbInitScript} ${cfg.stateDir}/dbInitScript.sql
+    sed -i s/%%PASSWORD_DB%%/$(cat ${cfg.database.passwordFile})/ ${cfg.stateDir}/dbInitScript.sql
+
+    cat ${cfg.stateDir}/dbInitScript.sql | ${config.services.mysql.package}/bin/mysql -u root -N
+    rm ${cfg.stateDir}/dbInitScript.sql
+
+    chmod -R 0770 ${cfg.stateDir}
+    chown -R ${cfg.user} ${cfg.stateDir}
+
    touch "${cfg.stateDir}/.is_initialized"
  '';

@@ -105,8 +121,10 @@ let
    cp -f ${configFile} ${cfg.stateDir}/config/autoload/local.php

    sed -i s/%%PASSWORD_DB%%/$(cat ${cfg.database.passwordFile})/ ${cfg.stateDir}/config/autoload/local.php
-    sed -i s/%%PASSWORD_MAIL%%/$(cat ${cfg.mail.passwordFile})/ ${cfg.stateDir}/config/autoload/local.php

+    if test -e ${cfg.mail.passwordFile}; then
+      sed -i s/%%PASSWORD_MAIL%%/$(cat ${cfg.mail.passwordFile})/ ${cfg.stateDir}/config/autoload/local.php
+    fi

    if "${if cfg.in_production == true then "true" else "false"}"
    then
@@ -226,18 +244,13 @@ in
              default = "?";
            };

-            password = mkOption {
-              type = types.str;
-              default = "?";
-            };
-
            passwordFile = mkOption {
-              type = types.nullOr types.path;
-              default = null;
+              type = types.str;
+              default = "";
              example = "/run/keys/mail-passwd";
              description = lib.mdDoc ''
                A file containing the password corresponding to
-                {option}`database.user`.
+                {option}`mail.user`.
              '';
            };

@@ -274,16 +287,6 @@ in
          description = lib.mdDoc "Database user.";
        };

-        #password = mkOption {
-        #  type = types.str;
-        #  default = "";
-        #  description = lib.mdDoc ''
-        #    The password corresponding to {option}`database.user`.
-        #    Warning: this is stored in cleartext in the Nix store!
-        #    Use {option}`database.passwordFile` instead.
-        #  '';
-        #};
-
        passwordFile = mkOption {
          type = types.nullOr types.path;
          default = null;
@@ -336,7 +339,7 @@ in
        '';
      }
      {
-        assertion = if useSmtp then cfg.mail.password != "?" else true; 
+        assertion = if useSmtp then cfg.mail.passwordFile != "" else true; 
        message = ''
          You need to specify mail.password when using mail.type "smtp" or "smtp-tls".
        '';
@@ -370,25 +373,11 @@ in
    services.mysql = mkIf (cfg.database.createDatabase == true) {
      enable = mkDefault true;
      package = mkDefault pkgs.mariadb;
-
-      initialScript = pkgs.writeText "mysqlInitScript" ''
-        CREATE USER '${cfg.database.user}'@localhost IDENTIFIED BY 'PW FOO';
-        CREATE DATABASE ${cfg.database.name};
-        GRANT ALL PRIVILEGES ON *.* TO '${cfg.database.user}'@localhost IDENTIFIED BY 'PW FOO';
-        FLUSH PRIVILEGES;
-      '';
-
-      ensureDatabases = [ cfg.database.name ];
-      ensureUsers = [
-        { name = cfg.database.user;
-          ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; };
-        }
-      ];
    };

    systemd.services.ep3-bs-init = {
      description = "Initialize ep3-bs Data Directory";
-      after = [ "network.target" ];
+      after = [ "network.target" "mysql.service" ];
      wantedBy = [ "multi-user.target" ];

      preStart = ''
@@ -400,7 +389,7 @@ in

      serviceConfig = {
        Type = "oneshot";
-        User = cfg.user;
+        User = "root";
        Group = cfg.group;
        PermissionsStartOnly = true;
        PrivateNetwork = false;
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
  "nodes": {
    "nixpkgs": {
      "locked": {
-        "lastModified": 1679319606,
-        "narHash": "sha256-wyEMIZB6BnsmJWInEgDZu66hXVMGJEZFl5uDsn27f9M=",
+        "lastModified": 1694948089,
+        "narHash": "sha256-d2B282GmQ9o8klc22/Rbbbj6r99EnELQpOQjWMyv0rU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "8bc6945b1224a1cfa679d6801580b1054dba1a5c",
+        "rev": "5148520bfab61f99fd25fb9ff7bfbb50dad3c9db",
        "type": "github"
      },
      "original": {
@@ -20,13 +20,31 @@
        "utils": "utils"
      }
    },
-    "utils": {
+    "systems": {
      "locked": {
-        "lastModified": 1678901627,
-        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
        "type": "github"
      },
      "original": {