Merge pull request #182267 from mayflower/confluence-secrets

nixos/confluence: store crowd SSO password securely

authored by Maximilian Bosch and committed by GitHub 1f6910b7 85231bbd

+52 -16
+42 -13
nixos/modules/services/web-apps/atlassian/confluence.nix
··· 8 9 pkg = cfg.package.override (optionalAttrs cfg.sso.enable { 10 enableSSO = cfg.sso.enable; 11 - crowdProperties = '' 12 - application.name ${cfg.sso.applicationName} 13 - application.password ${cfg.sso.applicationPassword} 14 - application.login.url ${cfg.sso.crowd}/console/ 15 16 - crowd.server.url ${cfg.sso.crowd}/services/ 17 - crowd.base.url ${cfg.sso.crowd}/ 18 19 - session.isauthenticated session.isauthenticated 20 - session.tokenkey session.tokenkey 21 - session.validationinterval ${toString cfg.sso.validationInterval} 22 - session.lastvalidation session.lastvalidation 23 - ''; 24 - }); 25 26 in 27 ··· 107 }; 108 109 applicationPassword = mkOption { 110 - type = types.str; 111 description = "Application password of this Confluence instance in Crowd"; 112 }; 113 114 validationInterval = mkOption { 115 type = types.int; 116 default = 2; ··· 147 group = cfg.group; 148 }; 149 150 users.groups.${cfg.group} = {}; 151 152 systemd.tmpfiles.rules = [ ··· 173 CONF_USER = cfg.user; 174 JAVA_HOME = "${cfg.jrePackage}"; 175 CATALINA_OPTS = concatStringsSep " " cfg.catalinaOptions; 176 }; 177 178 preStart = '' ··· 183 -e 's,protocol="org.apache.coyote.http11.Http11NioProtocol",protocol="org.apache.coyote.http11.Http11NioProtocol" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}",' \ 184 '') + '' 185 ${pkg}/conf/server.xml.dist > ${cfg.home}/server.xml 186 ''; 187 188 serviceConfig = {
··· 8 9 pkg = cfg.package.override (optionalAttrs cfg.sso.enable { 10 enableSSO = cfg.sso.enable; 11 + }); 12 + 13 + crowdProperties = pkgs.writeText "crowd.properties" '' 14 + application.name ${cfg.sso.applicationName} 15 + application.password ${if cfg.sso.applicationPassword != null then cfg.sso.applicationPassword else "@NIXOS_CONFLUENCE_CROWD_SSO_PWD@"} 16 + application.login.url ${cfg.sso.crowd}/console/ 17 18 + crowd.server.url ${cfg.sso.crowd}/services/ 19 + crowd.base.url ${cfg.sso.crowd}/ 20 21 + session.isauthenticated session.isauthenticated 22 + session.tokenkey session.tokenkey 23 + session.validationinterval ${toString cfg.sso.validationInterval} 24 + session.lastvalidation session.lastvalidation 25 + ''; 26 27 in 28 ··· 108 }; 109 110 applicationPassword = mkOption { 111 + type = types.nullOr types.str; 112 + default = null; 113 description = "Application password of this Confluence instance in Crowd"; 114 }; 115 116 + applicationPasswordFile = mkOption { 117 + type = types.nullOr types.str; 118 + default = null; 119 + description = "Path to the application password for Crowd of Confluence."; 120 + }; 121 + 122 validationInterval = mkOption { 123 type = types.int; 124 default = 2; ··· 155 group = cfg.group; 156 }; 157 158 + assertions = [ 159 + { assertion = cfg.sso.enable -> ((cfg.sso.applicationPassword == null) != (cfg.sso.applicationPasswordFile)); 160 + message = "Please set either applicationPassword or applicationPasswordFile"; 161 + } 162 + ]; 163 + 164 + warnings = mkIf (cfg.sso.enable && cfg.sso.applicationPassword != null) [ 165 + "Using `services.confluence.sso.applicationPassword` is deprecated! Use `applicationPasswordFile` instead!" 
166 + ]; 167 + 168 users.groups.${cfg.group} = {}; 169 170 systemd.tmpfiles.rules = [ ··· 191 CONF_USER = cfg.user; 192 JAVA_HOME = "${cfg.jrePackage}"; 193 CATALINA_OPTS = concatStringsSep " " cfg.catalinaOptions; 194 + JAVA_OPTS = mkIf cfg.sso.enable "-Dcrowd.properties=${cfg.home}/crowd.properties"; 195 }; 196 197 preStart = '' ··· 202 -e 's,protocol="org.apache.coyote.http11.Http11NioProtocol",protocol="org.apache.coyote.http11.Http11NioProtocol" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}",' \ 203 '') + '' 204 ${pkg}/conf/server.xml.dist > ${cfg.home}/server.xml 205 + 206 + ${optionalString cfg.sso.enable '' 207 + install -m660 ${crowdProperties} ${cfg.home}/crowd.properties 208 + ${optionalString (cfg.sso.applicationPasswordFile != null) '' 209 + ${pkgs.replace-secret}/bin/replace-secret \ 210 + '@NIXOS_CONFLUENCE_CROWD_SSO_PWD@' \ 211 + ${cfg.sso.applicationPasswordFile} \ 212 + ${cfg.home}/crowd.properties 213 + ''} 214 + ''} 215 ''; 216 217 serviceConfig = {
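Review bot: The assertion added at line 159 can never fail, because `(cfg.sso.applicationPassword == null) != (cfg.sso.applicationPasswordFile)` compares a boolean with a string-or-null, which in Nix is always unequal; with SSO enabled and neither option set it passes silently and the `@NIXOS_CONFLUENCE_CROWD_SSO_PWD@` placeholder is left unreplaced in crowd.properties. The intended exclusive-or is `assertion = cfg.sso.enable -> ((cfg.sso.applicationPassword == null) != (cfg.sso.applicationPasswordFile == null));`. The `applicationPasswordFile` description at line 119 should also say how the file is consumed, e.g. `description = "Path to a file containing the Crowd application password of this Confluence instance. It is read by replace-secret in preStart, so its contents never enter the Nix store.";`. Whether preStart has the privileges to read that file depends on serviceConfig, which continues past the end of the hunk.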
+10 -3
pkgs/servers/atlassian/confluence.nix
··· 6 7 assert withMysql -> (mysql_jdbc != null); 8 9 - stdenvNoCC.mkDerivation rec { 10 pname = "atlassian-confluence"; 11 version = "7.18.1"; 12 ··· 45 homepage = "https://www.atlassian.com/software/confluence"; 46 sourceProvenance = with sourceTypes; [ binaryBytecode ]; 47 license = licenses.unfree; 48 - maintainers = with maintainers; [ fpletz globin willibutz ciil techknowlogick ]; 49 }; 50 - }
··· 6 7 assert withMysql -> (mysql_jdbc != null); 8 9 + let 10 + optionalWarning = cond: msg: 11 + if cond then lib.warn msg 12 + else lib.id; 13 + in 14 + 15 + optionalWarning (crowdProperties != null) "Using `crowdProperties` is deprecated!" 16 + (stdenvNoCC.mkDerivation rec { 17 pname = "atlassian-confluence"; 18 version = "7.18.1"; 19 ··· 52 homepage = "https://www.atlassian.com/software/confluence"; 53 sourceProvenance = with sourceTypes; [ binaryBytecode ]; 54 license = licenses.unfree; 55 + maintainers = with maintainers; [ fpletz globin willibutz ciil techknowlogick ma27 ]; 56 }; 57 + })
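Review bot: The `optionalWarning` helper introduced at lines 10-12 duplicates `lib.warnIf`, which has the same `cond: msg:` signature, so the `let` block can go and line 15 becomes `lib.warnIf (crowdProperties != null) <same message> (stdenvNoCC.mkDerivation rec {`. The deprecation message also names no replacement; since the module in this PR now generates the file and passes it via `-Dcrowd.properties`, pointing at `services.confluence.sso` in the message would tell users where to migrate. The enclosing function's argument list, where `crowdProperties` is declared, starts above the hunk.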