nixos/redis: add requirePassFile option

Avoids having the password in the nix store.
2024-12-29 14:57:28 +03:00 · 2020-02-13 15:56:29 +00:00 · 2020-02-13 15:56:29 +00:00 · 9cfe5a7a54
commit 9cfe5a7a54
parent 5c403726bc
1 changed files with 33 additions and 14 deletions
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@ -150,10 +150,20 @@ in
      requirePass = mkOption {
        type = with types; nullOr str;
        default = null;
-        description = "Password for database (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)";
+        description = ''
+          Password for database (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE).
+          Use requirePassFile to store it outside of the nix store in a dedicated file.
+        '';
        example = "letmein!";
      };

+      requirePassFile = mkOption {
+        type = with types; nullOr path;
+        default = null;
+        description = "File with password for the database.";
+        example = "/run/keys/redis-password";
+      };
+
      appendOnly = mkOption {
        type = types.bool;
        default = false;
@ -192,6 +202,10 @@ in
  ###### implementation

  config = mkIf config.services.redis.enable {
+    assertions = [{
+      assertion = cfg.requirePass != null -> cfg.requirePassFile == null;
+      message = "You can only set one services.redis.requirePass or services.redis.requirePassFile";
+    }];
    boot.kernel.sysctl = (mkMerge [
      { "vm.nr_hugepages" = "0"; }
      ( mkIf cfg.vmOverCommit { "vm.overcommit_memory" = "1"; } )
@ -208,21 +222,26 @@ in

    environment.systemPackages = [ cfg.package ];

-    systemd.services.redis =
-      { description = "Redis Server";
+    systemd.services.redis = {
+      description = "Redis Server";

-        wantedBy = [ "multi-user.target" ];
-        after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];

-        serviceConfig = {
-          ExecStart = "${cfg.package}/bin/redis-server ${redisConfig}";
-          RuntimeDirectory = "redis";
-          StateDirectory = "redis";
-          Type = "notify";
-          User = "redis";
-        };
+      preStart = ''
+        install -m 600 ${redisConfig} /run/redis/redis.conf
+      '' + optionalString (cfg.requirePassFile != null) ''
+        password=$(cat ${escapeShellArg cfg.requirePassFile})
+        echo "requirePass $password" >> /run/redis/redis.conf
+      '';
+
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/redis-server /run/redis/redis.conf";
+        RuntimeDirectory = "redis";
+        StateDirectory = "redis";
+        Type = "notify";
+        User = "redis";
      };
-
+    };
  };
-
 }