wordpress: replace the dbPassword option with dbPasswordFile (#24146)

We shouldn't force users to store passwords in the world-readable Nix store.
2024-12-26 04:43:09 +03:00 · 2017-03-28 17:38:16 +02:00 · 2017-03-28 17:38:16 +02:00 · 6f2eca1744
commit 6f2eca1744
parent 8c28474c02
1 changed files with 28 additions and 3 deletions
--- a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
@ -9,7 +9,7 @@ let
    <?php
    define('DB_NAME',     '${config.dbName}');
    define('DB_USER',     '${config.dbUser}');
-    define('DB_PASSWORD', '${config.dbPassword}');
+    define('DB_PASSWORD', file_get_contents('${config.dbPasswordFile}'));
    define('DB_HOST',     '${config.dbHost}');
    define('DB_CHARSET',  'utf8');
    $table_prefix  = '${config.tablePrefix}';
@ -137,9 +137,34 @@ in
    };
    dbPassword = mkOption {
      default = "wordpress";
-      description = "The mysql password to the respective dbUser.";
+      description = ''
+        The mysql password to the respective dbUser.
+
+        Warning: this password is stored in the world-readable Nix store. It's
+        recommended to use the $dbPasswordFile option since that gives you control over
+        the security of the password. $dbPasswordFile also takes precedence over $dbPassword.
+      '';
      example = "wordpress";
    };
+    dbPasswordFile = mkOption {
+      type = types.str;
+      default = toString (pkgs.writeTextFile {
+        name = "wordpress-dbpassword";
+        text = config.dbPassword;
+      });
+      example = "/run/keys/wordpress-dbpassword";
+      description = ''
+        Path to a file that contains the mysql password to the respective dbUser.
+        The file should be readable by the user: config.services.httpd.user.
+
+        $dbPasswordFile takes precedence over the $dbPassword option.
+
+        This defaults to a file in the world-readable Nix store that contains the value
+        of the $dbPassword option. It's recommended to override this with a path not in
+        the Nix store. Tip: use nixops key management:
+        <link xlink:href='https://nixos.org/nixops/manual/#idm140737318306400'/>
+      '';
+    };
    tablePrefix = mkOption {
      default = "wp_";
      description = ''
@ -251,7 +276,7 @@ in
        sleep 1
      done
      ${pkgs.mysql}/bin/mysql -e 'CREATE DATABASE ${config.dbName};'
-      ${pkgs.mysql}/bin/mysql -e 'GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY "${config.dbPassword}";'
+      ${pkgs.mysql}/bin/mysql -e "GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY \"$(cat ${config.dbPasswordFile})\";"
    else
      echo "Good, no need to do anything database related."
    fi