+9
-6
flake.nix
+9
-6
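--- a/flake.nix
+++ b/flake.nix
@@ -279,10 +279,10 @@
 description = "Internal address for inter-service communication";
 };
 
-secret = mkOption {
-type = types.str;
-example = "super-secret-key";
-description = "Secret key provided by appview (required)";
+secretFile = mkOption {
+type = lib.types.path;
+example = "KNOT_SERVER_SECRET=<hash>";
+description = "File containing secret key provided by appview (required)";
 };
 
 dbPath = mkOption {
@@ -359,9 +359,9 @@
 "APPVIEW_ENDPOINT=${config.services.tangled-knotserver.appviewEndpoint}"
 "KNOT_SERVER_INTERNAL_LISTEN_ADDR=${config.services.tangled-knotserver.server.internalListenAddr}"
 "KNOT_SERVER_LISTEN_ADDR=${config.services.tangled-knotserver.server.listenAddr}"
-"KNOT_SERVER_SECRET=${config.services.tangled-knotserver.server.secret}"
 "KNOT_SERVER_HOSTNAME=${config.services.tangled-knotserver.server.hostname}"
 ];
+EnvironmentFile = config.services.tangled-knotserver.server.secretFile;
 ExecStart = "${self.packages.${pkgs.system}.knotserver}/bin/knotserver";
 Restart = "always";
 };
@@ -384,10 +384,13 @@
 virtualisation.cores = 2;
 services.getty.autologinUser = "root";
 environment.systemPackages = with pkgs; [curl vim git];
+systemd.tmpfiles.rules = [
+"w /var/lib/knotserver/secret 0660 git git - KNOT_SERVER_SECRET=6995e040e80e2d593b5e5e9ca611a70140b9ef8044add0a28b48b1ee34aa3e85"
+];
 services.tangled-knotserver = {
 enable = true;
 server = {
-secret = "6995e040e80e2d593b5e5e9ca611a70140b9ef8044add0a28b48b1ee34aa3e85";
+secretFile = "/var/lib/knotserver/secret";
 hostname = "localhost:6000";
 listenAddr = "0.0.0.0:6000";
 };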
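Review bot: The `example` on the new `secretFile` option (new line 284) shows the contents of the file, not a value for the option, which is a path. I would make it a path, for instance `example = "/run/secrets/knotserver.env";` (a constructed sample), and move the format into the description: `description = "Path to an environment file containing KNOT_SERVER_SECRET=<value>, provided by appview (required). Must be a string path outside the Nix store.";`. That last sentence matters because `lib.types.path` also accepts a Nix path literal such as `./secret`, which in a flake would presumably resolve into the world-readable store and undo what this change is for. In the VM config, the tmpfiles rule at new line 388 creates the file group-writable (`0660`); `0600` looks sufficient unless something in the `git` group has to rewrite it.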