dont store passwords in /nix/store anymore

WIP password -> passwordFile
update flake description
2024-06-26 11:56:07 +02:00 · 2024-06-24 20:31:49 +02:00 · 2024-01-26 15:10:26 +01:00 · 2024-01-26 15:10:19 +01:00
4 changed files with 88 additions and 43 deletions
--- a/21
+++ b/21
@@ -0,0 +1,21 @@
+Copyright (c) 2003-2023 Eelco Dolstra and the Nixpkgs/NixOS contributors
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
--- a/ep3-bs.nix
+++ b/ep3-bs.nix
@@ -1,6 +1,7 @@
-{ config, lib, options, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+  with lib;

-with lib;

 let
  cfg = config.services.ep3-bs;
@@ -27,6 +28,13 @@ let

    };

+  dbInitScript = pkgs.writeText "ep3bsnixInitScript.sql" ''
+    CREATE USER '${cfg.database.user}'@localhost IDENTIFIED BY '%%PASSWORD_DB%%';
+    CREATE DATABASE ${cfg.database.name};
+    GRANT ALL PRIVILEGES ON *.* TO '${cfg.database.user}'@localhost IDENTIFIED BY '%%PASSWORD_DB%%';
+    FLUSH PRIVILEGES;
+  '';
+
  configFile = pkgs.writeText "local.php" ''
    <?php
    /**
@@ -40,7 +48,7 @@ let
        'db' => array(
            'database' => '${cfg.database.name}',
            'username' => '${cfg.database.user}',
-            'password' => '${cfg.database.password}',
+            'password' => '%%PASSWORD_DB%%',
    
            'hostname' => 'localhost',
            'port' => null,
@@ -52,7 +60,7 @@ let
    
            'host' => '${cfg.mail.host}', // for 'smtp' type only, otherwise remove or leave as is
            'user' => '${cfg.mail.user}', // for 'smtp' type only, otherwise remove or leave as is
-            'pw' => '${cfg.mail.password}', // for 'smtp' type only, otherwise remove or leave as is
+            'pw' => '%%PASSWORD_MAIL%%',  // for 'smtp' type only, otherwise remove or leave as is
    
            'port' => '${cfg.mail.port}', // for 'smtp' type only, otherwise remove or leave as is
            'auth' => '${cfg.mail.auth}', // for 'smtp' type only, change this to 'login' if you have problems with SMTP authentication
@@ -90,6 +98,15 @@ let
    rm ${cfg.stateDir}/config/autoload/local.php.dist
    rm ${cfg.stateDir}/data/cache/*

+    cp -f ${dbInitScript} ${cfg.stateDir}/dbInitScript.sql
+    sed -i s/%%PASSWORD_DB%%/$(cat ${cfg.database.passwordFile})/ ${cfg.stateDir}/dbInitScript.sql
+
+    cat ${cfg.stateDir}/dbInitScript.sql | ${config.services.mysql.package}/bin/mysql -u root -N
+    rm ${cfg.stateDir}/dbInitScript.sql
+
+    chmod -R 0770 ${cfg.stateDir}
+    chown -R ${cfg.user} ${cfg.stateDir}
+
    touch "${cfg.stateDir}/.is_initialized"
  '';

@@ -100,8 +117,15 @@ let
    ${pkgs.php81Packages.composer}/bin/composer install --ignore-platform-reqs
    cp ${cfg.favicon} ${cfg.stateDir}/public/imgs-client/icons/fav.ico
    cp ${cfg.logo} ${cfg.stateDir}/public/imgs-client/layout/logo.png
+
    cp -f ${configFile} ${cfg.stateDir}/config/autoload/local.php

+    sed -i s/%%PASSWORD_DB%%/$(cat ${cfg.database.passwordFile})/ ${cfg.stateDir}/config/autoload/local.php
+
+    if test -e ${cfg.mail.passwordFile}; then
+      sed -i s/%%PASSWORD_MAIL%%/$(cat ${cfg.mail.passwordFile})/ ${cfg.stateDir}/config/autoload/local.php
+    fi
+
    if "${if cfg.in_production == true then "true" else "false"}"
    then
      rm ${cfg.stateDir}/public/setup.php
@@ -220,9 +244,14 @@ in
              default = "?";
            };

-            password = mkOption {
+            passwordFile = mkOption {
              type = types.str;
-              default = "?";
+              default = "";
+              example = "/run/keys/mail-passwd";
+              description = lib.mdDoc ''
+                A file containing the password corresponding to
+                {option}`mail.user`.
+              '';
            };

            port = mkOption {
@@ -258,16 +287,6 @@ in
          description = lib.mdDoc "Database user.";
        };

-        password = mkOption {
-          type = types.str;
-          default = "";
-          description = lib.mdDoc ''
-            The password corresponding to {option}`database.user`.
-            Warning: this is stored in cleartext in the Nix store!
-            Use {option}`database.passwordFile` instead.
-          '';
-        };
-
        passwordFile = mkOption {
          type = types.nullOr types.path;
          default = null;
@@ -320,7 +339,7 @@ in
        '';
      }
      {
-        assertion = if useSmtp then cfg.mail.password != "?" else true; 
+        assertion = if useSmtp then cfg.mail.passwordFile != "" else true; 
        message = ''
          You need to specify mail.password when using mail.type "smtp" or "smtp-tls".
        '';
@@ -354,25 +373,11 @@ in
    services.mysql = mkIf (cfg.database.createDatabase == true) {
      enable = mkDefault true;
      package = mkDefault pkgs.mariadb;
-
-      initialScript = pkgs.writeText "mysqlInitScript" ''
-        CREATE USER '${cfg.database.user}'@localhost IDENTIFIED BY '${cfg.database.password}';
-        CREATE DATABASE ${cfg.database.name};
-        GRANT ALL PRIVILEGES ON *.* TO '${cfg.database.user}'@localhost IDENTIFIED BY '${cfg.database.password}';
-        FLUSH PRIVILEGES;
-      '';
-
-      ensureDatabases = [ cfg.database.name ];
-      ensureUsers = [
-        { name = cfg.database.user;
-          ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; };
-        }
-      ];
    };

    systemd.services.ep3-bs-init = {
      description = "Initialize ep3-bs Data Directory";
-      after = [ "network.target" ];
+      after = [ "network.target" "mysql.service" ];
      wantedBy = [ "multi-user.target" ];

      preStart = ''
@@ -384,7 +389,7 @@ in

      serviceConfig = {
        Type = "oneshot";
-        User = cfg.user;
+        User = "root";
        Group = cfg.group;
        PermissionsStartOnly = true;
        PrivateNetwork = false;
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
  "nodes": {
    "nixpkgs": {
      "locked": {
-        "lastModified": 1679319606,
-        "narHash": "sha256-wyEMIZB6BnsmJWInEgDZu66hXVMGJEZFl5uDsn27f9M=",
+        "lastModified": 1694948089,
+        "narHash": "sha256-d2B282GmQ9o8klc22/Rbbbj6r99EnELQpOQjWMyv0rU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "8bc6945b1224a1cfa679d6801580b1054dba1a5c",
+        "rev": "5148520bfab61f99fd25fb9ff7bfbb50dad3c9db",
        "type": "github"
      },
      "original": {
@@ -20,13 +20,31 @@
        "utils": "utils"
      }
    },
-    "utils": {
+    "systems": {
      "locked": {
-        "lastModified": 1678901627,
-        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -1,5 +1,5 @@
 {
-  description = "A very basic flake";
+  description = "providing ep3-bs as nixosModule";

  inputs.utils.url = "github:numtide/flake-utils";

@@ -23,14 +23,15 @@
          services.ep3-bs.enable = true;
          services.ep3-bs.mail.address = "test@test.de";
          services.ep3-bs.database.user = "testuser3";
-          services.ep3-bs.database.password = "testPassword1234";
+          services.ep3-bs.database.passwordFile = "/var/lib/db.txt";
+          services.ep3-bs.mail.passwordFile = "/var/lib/mail.txt";
          users.users.test = {
            isNormalUser = true;
            extraGroups = [ "wheel" ];
            initialPassword = "test";
          };

-          virtualisation.vmVariant.virtualisation.graphics = true;
+          virtualisation.vmVariant.virtualisation.graphics = false;
        }
      ];
    };
Author	SHA1	Message	Date
kalipso	a4128e9603	dont store passwords in /nix/store anymore	2024-06-26 11:56:07 +02:00
kalipso	2ddc2856f9	WIP password -> passwordFile	2024-06-24 20:31:49 +02:00
kalipso	5ea5fa2f15	update flake description	2024-01-26 15:10:26 +01:00
kalipso	2228675fa2	add MIT license	2024-01-26 15:10:19 +01:00