dont store passwords in /nix/store anymore

ep3-bs.nix

@@ -1,6 +1,7 @@
-{ config, lib, options, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+  with lib;
 
-with lib;
 
 let
   cfg = config.services.ep3-bs;
@@ -27,6 +28,13 @@ let
 
     };
 
+  dbInitScript = pkgs.writeText "ep3bsnixInitScript.sql" ''
+    CREATE USER '${cfg.database.user}'@localhost IDENTIFIED BY '%%PASSWORD_DB%%';
+    CREATE DATABASE ${cfg.database.name};
+    GRANT ALL PRIVILEGES ON *.* TO '${cfg.database.user}'@localhost IDENTIFIED BY '%%PASSWORD_DB%%';
+    FLUSH PRIVILEGES;
+  '';
+
   configFile = pkgs.writeText "local.php" ''
     <?php
     /**
@@ -40,7 +48,7 @@ let
         'db' => array(
             'database' => '${cfg.database.name}',
             'username' => '${cfg.database.user}',
-            'password' => '${cfg.database.password}',
+            'password' => '%%PASSWORD_DB%%',
     
             'hostname' => 'localhost',
             'port' => null,
@@ -52,7 +60,7 @@ let
     
             'host' => '${cfg.mail.host}', // for 'smtp' type only, otherwise remove or leave as is
             'user' => '${cfg.mail.user}', // for 'smtp' type only, otherwise remove or leave as is
-            'pw' => '${cfg.mail.password}', // for 'smtp' type only, otherwise remove or leave as is
+            'pw' => '%%PASSWORD_MAIL%%',  // for 'smtp' type only, otherwise remove or leave as is
     
             'port' => '${cfg.mail.port}', // for 'smtp' type only, otherwise remove or leave as is
             'auth' => '${cfg.mail.auth}', // for 'smtp' type only, change this to 'login' if you have problems with SMTP authentication
@@ -90,6 +98,15 @@ let
     rm ${cfg.stateDir}/config/autoload/local.php.dist
     rm ${cfg.stateDir}/data/cache/*
 
+    cp -f ${dbInitScript} ${cfg.stateDir}/dbInitScript.sql
+    sed -i s/%%PASSWORD_DB%%/$(cat ${cfg.database.passwordFile})/ ${cfg.stateDir}/dbInitScript.sql
+
+    cat ${cfg.stateDir}/dbInitScript.sql | ${config.services.mysql.package}/bin/mysql -u root -N
+    rm ${cfg.stateDir}/dbInitScript.sql
+
+    chmod -R 0770 ${cfg.stateDir}
+    chown -R ${cfg.user} ${cfg.stateDir}
+
     touch "${cfg.stateDir}/.is_initialized"
   '';
 
@@ -100,8 +117,15 @@ let
     ${pkgs.php81Packages.composer}/bin/composer install --ignore-platform-reqs
     cp ${cfg.favicon} ${cfg.stateDir}/public/imgs-client/icons/fav.ico
     cp ${cfg.logo} ${cfg.stateDir}/public/imgs-client/layout/logo.png
+
     cp -f ${configFile} ${cfg.stateDir}/config/autoload/local.php
 
+    sed -i s/%%PASSWORD_DB%%/$(cat ${cfg.database.passwordFile})/ ${cfg.stateDir}/config/autoload/local.php
+
+    if test -e ${cfg.mail.passwordFile}; then
+      sed -i s/%%PASSWORD_MAIL%%/$(cat ${cfg.mail.passwordFile})/ ${cfg.stateDir}/config/autoload/local.php
+    fi
+
     if "${if cfg.in_production == true then "true" else "false"}"
     then
       rm ${cfg.stateDir}/public/setup.php
@@ -220,9 +244,14 @@ in
               default = "?";
             };
 
-            password = mkOption {
+            passwordFile = mkOption {
               type = types.str;
-              default = "?";
+              default = "";
+              example = "/run/keys/mail-passwd";
+              description = lib.mdDoc ''
+                A file containing the password corresponding to
+                {option}`mail.user`.
+              '';
             };
 
             port = mkOption {
@@ -258,16 +287,6 @@ in
           description = lib.mdDoc "Database user.";
         };
 
-        password = mkOption {
-          type = types.str;
-          default = "";
-          description = lib.mdDoc ''
-            The password corresponding to {option}`database.user`.
-            Warning: this is stored in cleartext in the Nix store!
-            Use {option}`database.passwordFile` instead.
-          '';
-        };
-
         passwordFile = mkOption {
           type = types.nullOr types.path;
           default = null;
@@ -320,7 +339,7 @@ in
         '';
       }
       {
-        assertion = if useSmtp then cfg.mail.password != "?" else true; 
+        assertion = if useSmtp then cfg.mail.passwordFile != "" else true; 
         message = ''
           You need to specify mail.password when using mail.type "smtp" or "smtp-tls".
         '';
@@ -354,25 +373,11 @@ in
     services.mysql = mkIf (cfg.database.createDatabase == true) {
       enable = mkDefault true;
       package = mkDefault pkgs.mariadb;
-
-      initialScript = pkgs.writeText "mysqlInitScript" ''
-        CREATE USER '${cfg.database.user}'@localhost IDENTIFIED BY '${cfg.database.password}';
-        CREATE DATABASE ${cfg.database.name};
-        GRANT ALL PRIVILEGES ON *.* TO '${cfg.database.user}'@localhost IDENTIFIED BY '${cfg.database.password}';
-        FLUSH PRIVILEGES;
-      '';
-
-      ensureDatabases = [ cfg.database.name ];
-      ensureUsers = [
-        { name = cfg.database.user;
-          ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; };
-        }
-      ];
     };
 
     systemd.services.ep3-bs-init = {
       description = "Initialize ep3-bs Data Directory";
-      after = [ "network.target" ];
+      after = [ "network.target" "mysql.service" ];
       wantedBy = [ "multi-user.target" ];
 
       preStart = ''
@@ -384,7 +389,7 @@ in
 
       serviceConfig = {
         Type = "oneshot";
-        User = cfg.user;
+        User = "root";
         Group = cfg.group;
         PermissionsStartOnly = true;
         PrivateNetwork = false;

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1679319606,
+        "lastModified": 1694948089,
-        "narHash": "sha256-wyEMIZB6BnsmJWInEgDZu66hXVMGJEZFl5uDsn27f9M=",
+        "narHash": "sha256-d2B282GmQ9o8klc22/Rbbbj6r99EnELQpOQjWMyv0rU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8bc6945b1224a1cfa679d6801580b1054dba1a5c",
+        "rev": "5148520bfab61f99fd25fb9ff7bfbb50dad3c9db",
         "type": "github"
       },
       "original": {
@@ -20,13 +20,31 @@
         "utils": "utils"
       }
     },
-    "utils": {
+    "systems": {
       "locked": {
-        "lastModified": 1678901627,
+        "lastModified": 1681028828,
-        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
         "type": "github"
       },
       "original": {

flake.nix

@@ -23,14 +23,15 @@
           services.ep3-bs.enable = true;
           services.ep3-bs.mail.address = "test@test.de";
           services.ep3-bs.database.user = "testuser3";
-          services.ep3-bs.database.password = "testPassword1234";
+          services.ep3-bs.database.passwordFile = "/var/lib/db.txt";
+          services.ep3-bs.mail.passwordFile = "/var/lib/mail.txt";
           users.users.test = {
             isNormalUser = true;
             extraGroups = [ "wheel" ];
             initialPassword = "test";
           };
 
-          virtualisation.vmVariant.virtualisation.graphics = true;
+          virtualisation.vmVariant.virtualisation.graphics = false;
         }
       ];
     };