dont store passwords in /nix/store anymore
This commit is contained in:
61
ep3-bs.nix
61
ep3-bs.nix
@@ -28,6 +28,13 @@ let
|
|||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
dbInitScript = pkgs.writeText "ep3bsnixInitScript.sql" ''
|
||||||
|
CREATE USER '${cfg.database.user}'@localhost IDENTIFIED BY '%%PASSWORD_DB%%';
|
||||||
|
CREATE DATABASE ${cfg.database.name};
|
||||||
|
GRANT ALL PRIVILEGES ON *.* TO '${cfg.database.user}'@localhost IDENTIFIED BY '%%PASSWORD_DB%%';
|
||||||
|
FLUSH PRIVILEGES;
|
||||||
|
'';
|
||||||
|
|
||||||
configFile = pkgs.writeText "local.php" ''
|
configFile = pkgs.writeText "local.php" ''
|
||||||
<?php
|
<?php
|
||||||
/**
|
/**
|
||||||
@@ -91,6 +98,15 @@ let
|
|||||||
rm ${cfg.stateDir}/config/autoload/local.php.dist
|
rm ${cfg.stateDir}/config/autoload/local.php.dist
|
||||||
rm ${cfg.stateDir}/data/cache/*
|
rm ${cfg.stateDir}/data/cache/*
|
||||||
|
|
||||||
|
cp -f ${dbInitScript} ${cfg.stateDir}/dbInitScript.sql
|
||||||
|
sed -i s/%%PASSWORD_DB%%/$(cat ${cfg.database.passwordFile})/ ${cfg.stateDir}/dbInitScript.sql
|
||||||
|
|
||||||
|
cat ${cfg.stateDir}/dbInitScript.sql | ${config.services.mysql.package}/bin/mysql -u root -N
|
||||||
|
rm ${cfg.stateDir}/dbInitScript.sql
|
||||||
|
|
||||||
|
chmod -R 0770 ${cfg.stateDir}
|
||||||
|
chown -R ${cfg.user} ${cfg.stateDir}
|
||||||
|
|
||||||
touch "${cfg.stateDir}/.is_initialized"
|
touch "${cfg.stateDir}/.is_initialized"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
@@ -105,8 +121,10 @@ let
|
|||||||
cp -f ${configFile} ${cfg.stateDir}/config/autoload/local.php
|
cp -f ${configFile} ${cfg.stateDir}/config/autoload/local.php
|
||||||
|
|
||||||
sed -i s/%%PASSWORD_DB%%/$(cat ${cfg.database.passwordFile})/ ${cfg.stateDir}/config/autoload/local.php
|
sed -i s/%%PASSWORD_DB%%/$(cat ${cfg.database.passwordFile})/ ${cfg.stateDir}/config/autoload/local.php
|
||||||
sed -i s/%%PASSWORD_MAIL%%/$(cat ${cfg.mail.passwordFile})/ ${cfg.stateDir}/config/autoload/local.php
|
|
||||||
|
|
||||||
|
if test -e ${cfg.mail.passwordFile}; then
|
||||||
|
sed -i s/%%PASSWORD_MAIL%%/$(cat ${cfg.mail.passwordFile})/ ${cfg.stateDir}/config/autoload/local.php
|
||||||
|
fi
|
||||||
|
|
||||||
if "${if cfg.in_production == true then "true" else "false"}"
|
if "${if cfg.in_production == true then "true" else "false"}"
|
||||||
then
|
then
|
||||||
@@ -226,18 +244,13 @@ in
|
|||||||
default = "?";
|
default = "?";
|
||||||
};
|
};
|
||||||
|
|
||||||
password = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "?";
|
|
||||||
};
|
|
||||||
|
|
||||||
passwordFile = mkOption {
|
passwordFile = mkOption {
|
||||||
type = types.nullOr types.path;
|
type = types.str;
|
||||||
default = null;
|
default = "";
|
||||||
example = "/run/keys/mail-passwd";
|
example = "/run/keys/mail-passwd";
|
||||||
description = lib.mdDoc ''
|
description = lib.mdDoc ''
|
||||||
A file containing the password corresponding to
|
A file containing the password corresponding to
|
||||||
{option}`database.user`.
|
{option}`mail.user`.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -274,16 +287,6 @@ in
|
|||||||
description = lib.mdDoc "Database user.";
|
description = lib.mdDoc "Database user.";
|
||||||
};
|
};
|
||||||
|
|
||||||
#password = mkOption {
|
|
||||||
# type = types.str;
|
|
||||||
# default = "";
|
|
||||||
# description = lib.mdDoc ''
|
|
||||||
# The password corresponding to {option}`database.user`.
|
|
||||||
# Warning: this is stored in cleartext in the Nix store!
|
|
||||||
# Use {option}`database.passwordFile` instead.
|
|
||||||
# '';
|
|
||||||
#};
|
|
||||||
|
|
||||||
passwordFile = mkOption {
|
passwordFile = mkOption {
|
||||||
type = types.nullOr types.path;
|
type = types.nullOr types.path;
|
||||||
default = null;
|
default = null;
|
||||||
@@ -336,7 +339,7 @@ in
|
|||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
assertion = if useSmtp then cfg.mail.password != "?" else true;
|
assertion = if useSmtp then cfg.mail.passwordFile != "" else true;
|
||||||
message = ''
|
message = ''
|
||||||
You need to specify mail.password when using mail.type "smtp" or "smtp-tls".
|
You need to specify mail.password when using mail.type "smtp" or "smtp-tls".
|
||||||
'';
|
'';
|
||||||
@@ -370,25 +373,11 @@ in
|
|||||||
services.mysql = mkIf (cfg.database.createDatabase == true) {
|
services.mysql = mkIf (cfg.database.createDatabase == true) {
|
||||||
enable = mkDefault true;
|
enable = mkDefault true;
|
||||||
package = mkDefault pkgs.mariadb;
|
package = mkDefault pkgs.mariadb;
|
||||||
|
|
||||||
initialScript = pkgs.writeText "mysqlInitScript" ''
|
|
||||||
CREATE USER '${cfg.database.user}'@localhost IDENTIFIED BY 'PW FOO';
|
|
||||||
CREATE DATABASE ${cfg.database.name};
|
|
||||||
GRANT ALL PRIVILEGES ON *.* TO '${cfg.database.user}'@localhost IDENTIFIED BY 'PW FOO';
|
|
||||||
FLUSH PRIVILEGES;
|
|
||||||
'';
|
|
||||||
|
|
||||||
ensureDatabases = [ cfg.database.name ];
|
|
||||||
ensureUsers = [
|
|
||||||
{ name = cfg.database.user;
|
|
||||||
ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; };
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.ep3-bs-init = {
|
systemd.services.ep3-bs-init = {
|
||||||
description = "Initialize ep3-bs Data Directory";
|
description = "Initialize ep3-bs Data Directory";
|
||||||
after = [ "network.target" ];
|
after = [ "network.target" "mysql.service" ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
|
||||||
preStart = ''
|
preStart = ''
|
||||||
@@ -400,7 +389,7 @@ in
|
|||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
User = cfg.user;
|
User = "root";
|
||||||
Group = cfg.group;
|
Group = cfg.group;
|
||||||
PermissionsStartOnly = true;
|
PermissionsStartOnly = true;
|
||||||
PrivateNetwork = false;
|
PrivateNetwork = false;
|
||||||
|
|||||||
32
flake.lock
generated
32
flake.lock
generated
@@ -2,11 +2,11 @@
|
|||||||
"nodes": {
|
"nodes": {
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1679319606,
|
"lastModified": 1694948089,
|
||||||
"narHash": "sha256-wyEMIZB6BnsmJWInEgDZu66hXVMGJEZFl5uDsn27f9M=",
|
"narHash": "sha256-d2B282GmQ9o8klc22/Rbbbj6r99EnELQpOQjWMyv0rU=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "8bc6945b1224a1cfa679d6801580b1054dba1a5c",
|
"rev": "5148520bfab61f99fd25fb9ff7bfbb50dad3c9db",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -20,13 +20,31 @@
|
|||||||
"utils": "utils"
|
"utils": "utils"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"utils": {
|
"systems": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1678901627,
|
"lastModified": 1681028828,
|
||||||
"narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
|
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"utils": {
|
||||||
|
"inputs": {
|
||||||
|
"systems": "systems"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1694529238,
|
||||||
|
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
|
||||||
"owner": "numtide",
|
"owner": "numtide",
|
||||||
"repo": "flake-utils",
|
"repo": "flake-utils",
|
||||||
"rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
|
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|||||||
Reference in New Issue
Block a user