nixos/privacyidea: use envsubst to avoid leaking secrets to the store

This commit is contained in:
Maximilian Bosch 2021-03-17 15:40:50 +01:00
parent f6092fe869
commit 4a4f7dfb77
No known key found for this signature in database
GPG Key ID: 091DBF4D1FC46B8E
2 changed files with 36 additions and 3 deletions

View File

@ -57,6 +57,26 @@ in
services.privacyidea = { services.privacyidea = {
enable = mkEnableOption "PrivacyIDEA"; enable = mkEnableOption "PrivacyIDEA";
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/root/privacyidea.env";
description = ''
File to load as environment file. Environment variables
from this file will be interpolated into the config file
using <package>envsubst</package> which is helpful for specifying
secrets:
<programlisting>
{ <xref linkend="opt-services.privacyidea.secretKey" /> = "$SECRET"; }
</programlisting>
The environment-file can now specify the actual secret key:
<programlisting>
SECRET=veryverytopsecret
</programlisting>
'';
};
stateDir = mkOption { stateDir = mkOption {
type = types.str; type = types.str;
default = "/var/lib/privacyidea"; default = "/var/lib/privacyidea";
@ -206,7 +226,7 @@ in
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "postgresql.service" ]; after = [ "postgresql.service" ];
path = with pkgs; [ openssl ]; path = with pkgs; [ openssl ];
environment.PRIVACYIDEA_CONFIGFILE = piCfgFile; environment.PRIVACYIDEA_CONFIGFILE = "${cfg.stateDir}/privacyidea.cfg";
preStart = let preStart = let
pi-manage = "${pkgs.sudo}/bin/sudo -u privacyidea -HE ${penv}/bin/pi-manage"; pi-manage = "${pkgs.sudo}/bin/sudo -u privacyidea -HE ${penv}/bin/pi-manage";
pgsu = config.services.postgresql.superUser; pgsu = config.services.postgresql.superUser;
@ -214,6 +234,10 @@ in
in '' in ''
mkdir -p ${cfg.stateDir} /run/privacyidea mkdir -p ${cfg.stateDir} /run/privacyidea
chown ${cfg.user}:${cfg.group} -R ${cfg.stateDir} /run/privacyidea chown ${cfg.user}:${cfg.group} -R ${cfg.stateDir} /run/privacyidea
umask 077
${lib.getBin pkgs.envsubst}/bin/envsubst -o ${cfg.stateDir}/privacyidea.cfg \
-i "${piCfgFile}"
chown ${cfg.user}:${cfg.group} ${cfg.stateDir}/privacyidea.cfg
if ! test -e "${cfg.stateDir}/db-created"; then if ! test -e "${cfg.stateDir}/db-created"; then
${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createuser --no-superuser --no-createdb --no-createrole ${cfg.user} ${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createuser --no-superuser --no-createdb --no-createrole ${cfg.user}
${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createdb --owner ${cfg.user} privacyidea ${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createdb --owner ${cfg.user} privacyidea
@ -231,6 +255,7 @@ in
Type = "notify"; Type = "notify";
ExecStart = "${uwsgi}/bin/uwsgi --json ${piuwsgi}"; ExecStart = "${uwsgi}/bin/uwsgi --json ${piuwsgi}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID"; ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID";
NotifyAccess = "main"; NotifyAccess = "main";
KillSignal = "SIGQUIT"; KillSignal = "SIGQUIT";

View File

@ -12,10 +12,16 @@ import ./make-test-python.nix ({ pkgs, ...} : rec {
services.privacyidea = { services.privacyidea = {
enable = true; enable = true;
secretKey = "testing"; secretKey = "$SECRET_KEY";
pepper = "testing"; pepper = "$PEPPER";
adminPasswordFile = pkgs.writeText "admin-password" "testing"; adminPasswordFile = pkgs.writeText "admin-password" "testing";
adminEmail = "root@localhost"; adminEmail = "root@localhost";
# Don't try this at home!
environmentFile = pkgs.writeText "pi-secrets.env" ''
SECRET_KEY=testing
PEPPER=testing
'';
}; };
services.nginx = { services.nginx = {
enable = true; enable = true;
@ -29,6 +35,8 @@ import ./make-test-python.nix ({ pkgs, ...} : rec {
machine.start() machine.start()
machine.wait_for_unit("multi-user.target") machine.wait_for_unit("multi-user.target")
machine.succeed("curl --fail http://localhost | grep privacyIDEA") machine.succeed("curl --fail http://localhost | grep privacyIDEA")
machine.succeed("grep \"SECRET_KEY = 'testing'\" /var/lib/privacyidea/privacyidea.cfg")
machine.succeed("grep \"PI_PEPPER = 'testing'\" /var/lib/privacyidea/privacyidea.cfg")
machine.succeed( machine.succeed(
"curl --fail http://localhost/auth -F username=admin -F password=testing | grep token" "curl --fail http://localhost/auth -F username=admin -F password=testing | grep token"
) )