dont store passwords in /nix/store anymore

.gitignore

@@ -0,0 +1,3 @@
+*.qcow2
+result
+*.bak

LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) 2003-2023 Eelco Dolstra and the Nixpkgs/NixOS contributors
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

README.md

@@ -2,34 +2,22 @@
 
 This flake aims to provide a nixosModule that handles running an [ep3-bs](https://bs.hbsys.de/) instance.
 
-## What does it look like?
+## Usage
 
 Here is a minimal configuration:
 ``` nix
 {
-  services.ep3-bs.enable = true;
-  services.ep3-bs.mail.address = "test@test.de";
+  services.ep3-bs = {
+    enable = true;
+    mail.address = "test@test.de";
+    database.user = "testuser3";
+    database.password = "testPassword1234"; #TODO: should be set as file
+    in_production = false;
+  };
 }
 ```
 
-Now you can access ep3-bs using your browser. You will be guided through the database setup in the frontend. Afterwards you have to manually delete the ```setup.php```. This only has to be done once on the initial setup.
+Now you can access ep3-bs using your browser. You will be guided through the database setup in the frontend. When you are done set ```service.ep3-bs.in_production = true``` and rebuild your machine.
 
-It can be done as root with:
-``` shell
-rm /var/lib/ep3-bs/public/setup.php
-```
-
-If there is a better solution using nix, please let me know.
-
-## Installation
-
-### Using flakes
-
-Add ep3-bs as input:
-``` nix
-{
-  # ...
-  inputs.ep3-bs.url = github:kalipso/ep3-bs.nix;
-}
-```
+If there is a better solution where you dont have to toggle the in_production variable, please let me know.
 

ep3-bs.nix

@@ -1,12 +1,12 @@
-{ config, lib, options, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+  with lib;
 
-with lib;
 
 let
   cfg = config.services.ep3-bs;
   useSmtp = cfg.mail.type == "smtp" || cfg.mail.type == "smtp-tls";
 
-
   ep3-bs-pkg =
     with pkgs;
     stdenv.mkDerivation {
@@ -28,9 +28,12 @@ let
 
     };
 
-    nixosModules.ep3-bs = import ./ep3-bs.nix {
-      ep3-bs-pkg = self.packages.x86_64-linux.ep3-bs;
-    };
+  dbInitScript = pkgs.writeText "ep3bsnixInitScript.sql" ''
+    CREATE USER '${cfg.database.user}'@localhost IDENTIFIED BY '%%PASSWORD_DB%%';
+    CREATE DATABASE ${cfg.database.name};
+    GRANT ALL PRIVILEGES ON *.* TO '${cfg.database.user}'@localhost IDENTIFIED BY '%%PASSWORD_DB%%';
+    FLUSH PRIVILEGES;
+  '';
 
   configFile = pkgs.writeText "local.php" ''
     <?php
@@ -45,7 +48,7 @@ let
         'db' => array(
             'database' => '${cfg.database.name}',
             'username' => '${cfg.database.user}',
-            'password' => '${cfg.database.password}',
+            'password' => '%%PASSWORD_DB%%',
     
             'hostname' => 'localhost',
             'port' => null,
@@ -57,7 +60,7 @@ let
     
             'host' => '${cfg.mail.host}', // for 'smtp' type only, otherwise remove or leave as is
             'user' => '${cfg.mail.user}', // for 'smtp' type only, otherwise remove or leave as is
-            'pw' => '${cfg.mail.password}', // for 'smtp' type only, otherwise remove or leave as is
+            'pw' => '%%PASSWORD_MAIL%%',  // for 'smtp' type only, otherwise remove or leave as is
     
             'port' => '${cfg.mail.port}', // for 'smtp' type only, otherwise remove or leave as is
             'auth' => '${cfg.mail.auth}', // for 'smtp' type only, change this to 'login' if you have problems with SMTP authentication
@@ -95,6 +98,15 @@ let
     rm ${cfg.stateDir}/config/autoload/local.php.dist
     rm ${cfg.stateDir}/data/cache/*
 
+    cp -f ${dbInitScript} ${cfg.stateDir}/dbInitScript.sql
+    sed -i s/%%PASSWORD_DB%%/$(cat ${cfg.database.passwordFile})/ ${cfg.stateDir}/dbInitScript.sql
+
+    cat ${cfg.stateDir}/dbInitScript.sql | ${config.services.mysql.package}/bin/mysql -u root -N
+    rm ${cfg.stateDir}/dbInitScript.sql
+
+    chmod -R 0770 ${cfg.stateDir}
+    chown -R ${cfg.user} ${cfg.stateDir}
+
     touch "${cfg.stateDir}/.is_initialized"
   '';
 
@@ -105,8 +117,15 @@ let
     ${pkgs.php81Packages.composer}/bin/composer install --ignore-platform-reqs
     cp ${cfg.favicon} ${cfg.stateDir}/public/imgs-client/icons/fav.ico
     cp ${cfg.logo} ${cfg.stateDir}/public/imgs-client/layout/logo.png
+
     cp -f ${configFile} ${cfg.stateDir}/config/autoload/local.php
 
+    sed -i s/%%PASSWORD_DB%%/$(cat ${cfg.database.passwordFile})/ ${cfg.stateDir}/config/autoload/local.php
+
+    if test -e ${cfg.mail.passwordFile}; then
+      sed -i s/%%PASSWORD_MAIL%%/$(cat ${cfg.mail.passwordFile})/ ${cfg.stateDir}/config/autoload/local.php
+    fi
+
     if "${if cfg.in_production == true then "true" else "false"}"
     then
       rm ${cfg.stateDir}/public/setup.php
@@ -225,9 +244,14 @@ in
               default = "?";
             };
 
-            password = mkOption {
+            passwordFile = mkOption {
               type = types.str;
-              default = "?";
+              default = "";
+              example = "/run/keys/mail-passwd";
+              description = lib.mdDoc ''
+                A file containing the password corresponding to
+                {option}`mail.user`.
+              '';
             };
 
             port = mkOption {
@@ -263,16 +287,6 @@ in
           description = lib.mdDoc "Database user.";
         };
 
-        password = mkOption {
-          type = types.str;
-          default = "";
-          description = lib.mdDoc ''
-            The password corresponding to {option}`database.user`.
-            Warning: this is stored in cleartext in the Nix store!
-            Use {option}`database.passwordFile` instead.
-          '';
-        };
-
         passwordFile = mkOption {
           type = types.nullOr types.path;
           default = null;
@@ -325,7 +339,7 @@ in
         '';
       }
       {
-        assertion = if useSmtp then cfg.mail.password != "?" else true; 
+        assertion = if useSmtp then cfg.mail.passwordFile != "" else true; 
         message = ''
           You need to specify mail.password when using mail.type "smtp" or "smtp-tls".
         '';
@@ -359,25 +373,11 @@ in
     services.mysql = mkIf (cfg.database.createDatabase == true) {
       enable = mkDefault true;
       package = mkDefault pkgs.mariadb;
-
-      initialScript = pkgs.writeText "mysqlInitScript" ''
-        CREATE USER '${cfg.database.user}'@localhost IDENTIFIED BY '${cfg.database.password}';
-        CREATE DATABASE ${cfg.database.name};
-        GRANT ALL PRIVILEGES ON *.* TO '${cfg.database.user}'@localhost IDENTIFIED BY '${cfg.database.password}';
-        FLUSH PRIVILEGES;
-      '';
-
-      ensureDatabases = [ cfg.database.name ];
-      ensureUsers = [
-        { name = cfg.database.user;
-          ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; };
-        }
-      ];
     };
 
     systemd.services.ep3-bs-init = {
       description = "Initialize ep3-bs Data Directory";
-      after = [ "network.target" ];
+      after = [ "network.target" "mysql.service" ];
       wantedBy = [ "multi-user.target" ];
 
       preStart = ''
@@ -389,7 +389,7 @@ in
 
       serviceConfig = {
         Type = "oneshot";
-        User = cfg.user;
+        User = "root";
         Group = cfg.group;
         PermissionsStartOnly = true;
         PrivateNetwork = false;

ep3-bs_pkg.nix

@@ -1,34 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-  stdenv.mkDerivation rec {
-    pname = "ep3-bs";
-
-    src = fetchFromGitHub {
-      owner = "tkrebs";
-      repo = "ep3-bs";
-      rev = "1.8.1";
-      sha256 = "sha256-UqlUhzkt1Xj/LHw9LrJqQ5ldg+Mib1gMUlwG9cBWeBI=";
-    };
-
-    patches = [];
-
-    #passthru.tests = nixosTests.nextcloud;
-
-    #installPhase = ''
-    #  runHook preInstall
-    #  mkdir -p $out/
-    #  cp -R . $out/
-    #  runHook postInstall
-    #'';
-
-    #meta = with lib; {
-    #  changelog = "https://nextcloud.com/changelog/#${lib.replaceStrings [ "." ] [ "-" ] version}";
-    #  description = "Sharing solution for files, calendars, contacts and more";
-    #  homepage = "https://nextcloud.com";
-    #  maintainers = with maintainers; [ schneefux bachp globin ma27 ];
-    #  license = licenses.agpl3Plus;
-    #  platforms = with platforms; unix;
-    #  knownVulnerabilities = extraVulnerabilities
-    #    ++ (optional eol "Nextcloud version ${version} is EOL");
-    #};
-  };

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1679319606,
-        "narHash": "sha256-wyEMIZB6BnsmJWInEgDZu66hXVMGJEZFl5uDsn27f9M=",
+        "lastModified": 1694948089,
+        "narHash": "sha256-d2B282GmQ9o8klc22/Rbbbj6r99EnELQpOQjWMyv0rU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8bc6945b1224a1cfa679d6801580b1054dba1a5c",
+        "rev": "5148520bfab61f99fd25fb9ff7bfbb50dad3c9db",
         "type": "github"
       },
       "original": {
@@ -20,13 +20,31 @@
         "utils": "utils"
       }
     },
-    "utils": {
+    "systems": {
       "locked": {
-        "lastModified": 1678901627,
-        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,5 +1,5 @@
 {
-  description = "A very basic flake";
+  description = "providing ep3-bs as nixosModule";
 
   inputs.utils.url = "github:numtide/flake-utils";
 
@@ -10,32 +10,8 @@
     pkgs = nixpkgs.legacyPackages."${system}";
   in
   {
-    devShells.default = pkgs.mkShell {
-      shellHook = ''
-        export QEMU_NET_OPTS="hostfwd=tcp::2221-:22,hostfwd=tcp::8080-:80"
-      '';
-    };
-
-    packages.ep3-bs = with pkgs; stdenv.mkDerivation {
-        name = "ep3-bs";
-        src = fetchFromGitHub {
-          owner = "tkrebs";
-          repo = "ep3-bs";
-          rev = "1.8.1";
-          sha256 = "sha256-mcuFgi1ebawaAyuEREsC9jdIqGA0BeMabqwiVcXsKSY=";
-        };
-
-        installPhase = ''
-          runHook preInstall
-          mkdir -p $out/
-          cp -R . $out/
-          runHook postInstall
-        '';
-
-      };
 
   }) // {
-
     nixosModules.ep3-bs = import ./ep3-bs.nix;
 
     nixosConfigurations.test = nixpkgs.lib.nixosSystem {
@@ -47,14 +23,15 @@
           services.ep3-bs.enable = true;
           services.ep3-bs.mail.address = "test@test.de";
           services.ep3-bs.database.user = "testuser3";
-          services.ep3-bs.database.password = "testPassword1234";
+          services.ep3-bs.database.passwordFile = "/var/lib/db.txt";
+          services.ep3-bs.mail.passwordFile = "/var/lib/mail.txt";
           users.users.test = {
             isNormalUser = true;
             extraGroups = [ "wheel" ];
             initialPassword = "test";
           };
 
-          virtualisation.vmVariant.virtualisation.graphics = true;
+          virtualisation.vmVariant.virtualisation.graphics = false;
         }
       ];
     };