mirror of
https://github.com/ilyakooo0/nixpkgs.git
synced 2024-12-27 05:43:50 +03:00
nixos/privacyidea: use envsubst to avoid leaking secrets to the store
This commit is contained in:
parent
f6092fe869
commit
4a4f7dfb77
@ -57,6 +57,26 @@ in
|
|||||||
services.privacyidea = {
|
services.privacyidea = {
|
||||||
enable = mkEnableOption "PrivacyIDEA";
|
enable = mkEnableOption "PrivacyIDEA";
|
||||||
|
|
||||||
|
environmentFile = mkOption {
|
||||||
|
type = types.nullOr types.path;
|
||||||
|
default = null;
|
||||||
|
example = "/root/privacyidea.env";
|
||||||
|
description = ''
|
||||||
|
File to load as environment file. Environment variables
|
||||||
|
from this file will be interpolated into the config file
|
||||||
|
using <package>envsubst</package> which is helpful for specifying
|
||||||
|
secrets:
|
||||||
|
<programlisting>
|
||||||
|
{ <xref linkend="opt-services.privacyidea.secretKey" /> = "$SECRET"; }
|
||||||
|
</programlisting>
|
||||||
|
|
||||||
|
The environment-file can now specify the actual secret key:
|
||||||
|
<programlisting>
|
||||||
|
SECRET=veryverytopsecret
|
||||||
|
</programlisting>
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
stateDir = mkOption {
|
stateDir = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "/var/lib/privacyidea";
|
default = "/var/lib/privacyidea";
|
||||||
@ -206,7 +226,7 @@ in
|
|||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [ "postgresql.service" ];
|
after = [ "postgresql.service" ];
|
||||||
path = with pkgs; [ openssl ];
|
path = with pkgs; [ openssl ];
|
||||||
environment.PRIVACYIDEA_CONFIGFILE = piCfgFile;
|
environment.PRIVACYIDEA_CONFIGFILE = "${cfg.stateDir}/privacyidea.cfg";
|
||||||
preStart = let
|
preStart = let
|
||||||
pi-manage = "${pkgs.sudo}/bin/sudo -u privacyidea -HE ${penv}/bin/pi-manage";
|
pi-manage = "${pkgs.sudo}/bin/sudo -u privacyidea -HE ${penv}/bin/pi-manage";
|
||||||
pgsu = config.services.postgresql.superUser;
|
pgsu = config.services.postgresql.superUser;
|
||||||
@ -214,6 +234,10 @@ in
|
|||||||
in ''
|
in ''
|
||||||
mkdir -p ${cfg.stateDir} /run/privacyidea
|
mkdir -p ${cfg.stateDir} /run/privacyidea
|
||||||
chown ${cfg.user}:${cfg.group} -R ${cfg.stateDir} /run/privacyidea
|
chown ${cfg.user}:${cfg.group} -R ${cfg.stateDir} /run/privacyidea
|
||||||
|
umask 077
|
||||||
|
${lib.getBin pkgs.envsubst}/bin/envsubst -o ${cfg.stateDir}/privacyidea.cfg \
|
||||||
|
-i "${piCfgFile}"
|
||||||
|
chown ${cfg.user}:${cfg.group} ${cfg.stateDir}/privacyidea.cfg
|
||||||
if ! test -e "${cfg.stateDir}/db-created"; then
|
if ! test -e "${cfg.stateDir}/db-created"; then
|
||||||
${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createuser --no-superuser --no-createdb --no-createrole ${cfg.user}
|
${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createuser --no-superuser --no-createdb --no-createrole ${cfg.user}
|
||||||
${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createdb --owner ${cfg.user} privacyidea
|
${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createdb --owner ${cfg.user} privacyidea
|
||||||
@ -231,6 +255,7 @@ in
|
|||||||
Type = "notify";
|
Type = "notify";
|
||||||
ExecStart = "${uwsgi}/bin/uwsgi --json ${piuwsgi}";
|
ExecStart = "${uwsgi}/bin/uwsgi --json ${piuwsgi}";
|
||||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||||
|
EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
|
||||||
ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID";
|
ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID";
|
||||||
NotifyAccess = "main";
|
NotifyAccess = "main";
|
||||||
KillSignal = "SIGQUIT";
|
KillSignal = "SIGQUIT";
|
||||||
|
@ -12,10 +12,16 @@ import ./make-test-python.nix ({ pkgs, ...} : rec {
|
|||||||
|
|
||||||
services.privacyidea = {
|
services.privacyidea = {
|
||||||
enable = true;
|
enable = true;
|
||||||
secretKey = "testing";
|
secretKey = "$SECRET_KEY";
|
||||||
pepper = "testing";
|
pepper = "$PEPPER";
|
||||||
adminPasswordFile = pkgs.writeText "admin-password" "testing";
|
adminPasswordFile = pkgs.writeText "admin-password" "testing";
|
||||||
adminEmail = "root@localhost";
|
adminEmail = "root@localhost";
|
||||||
|
|
||||||
|
# Don't try this at home!
|
||||||
|
environmentFile = pkgs.writeText "pi-secrets.env" ''
|
||||||
|
SECRET_KEY=testing
|
||||||
|
PEPPER=testing
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@ -29,6 +35,8 @@ import ./make-test-python.nix ({ pkgs, ...} : rec {
|
|||||||
machine.start()
|
machine.start()
|
||||||
machine.wait_for_unit("multi-user.target")
|
machine.wait_for_unit("multi-user.target")
|
||||||
machine.succeed("curl --fail http://localhost | grep privacyIDEA")
|
machine.succeed("curl --fail http://localhost | grep privacyIDEA")
|
||||||
|
machine.succeed("grep \"SECRET_KEY = 'testing'\" /var/lib/privacyidea/privacyidea.cfg")
|
||||||
|
machine.succeed("grep \"PI_PEPPER = 'testing'\" /var/lib/privacyidea/privacyidea.cfg")
|
||||||
machine.succeed(
|
machine.succeed(
|
||||||
"curl --fail http://localhost/auth -F username=admin -F password=testing | grep token"
|
"curl --fail http://localhost/auth -F username=admin -F password=testing | grep token"
|
||||||
)
|
)
|
||||||
|
Loading…
Reference in New Issue
Block a user