wordpress: replace the dbPassword option with dbPasswordFile (#24146)

We shouldn't force users to store passwords in the world-readable Nix store.

authored by Bas van Dijk and committed by Joachim Schiele 6f2eca17 8c28474c

+28 -3
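--- a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
@@ -9,8 +9,8 @@
 <?php
 define('DB_NAME', '${config.dbName}');
 define('DB_USER', '${config.dbUser}');
-define('DB_PASSWORD', '${config.dbPassword}');
+define('DB_PASSWORD', file_get_contents('${config.dbPasswordFile}'));
 define('DB_HOST', '${config.dbHost}');
 define('DB_CHARSET', 'utf8');
 $table_prefix = '${config.tablePrefix}';
@@ -137,9 +137,34 @@
 };
 dbPassword = mkOption {
 default = "wordpress";
-description = "The mysql password to the respective dbUser.";
+description = ''
+The mysql password to the respective dbUser.
+
+Warning: this password is stored in the world-readable Nix store. It's
+recommended to use the $dbPasswordFile option since that gives you control over
+the security of the password. $dbPasswordFile also takes precedence over $dbPassword.
+'';
 example = "wordpress";
 };
+dbPasswordFile = mkOption {
+type = types.str;
+default = toString (pkgs.writeTextFile {
+name = "wordpress-dbpassword";
+text = config.dbPassword;
+});
+example = "/run/keys/wordpress-dbpassword";
+description = ''
+Path to a file that contains the mysql password to the respective dbUser.
+The file should be readable by the user: config.services.httpd.user.
+
+$dbPasswordFile takes precedence over the $dbPassword option.
+
+This defaults to a file in the world-readable Nix store that contains the value
+of the $dbPassword option. It's recommended to override this with a path not in
+the Nix store. Tip: use nixops key management:
+<link xlink:href='https://nixos.org/nixops/manual/#idm140737318306400'/>
+'';
+};
 tablePrefix = mkOption {
 default = "wp_";
 description = ''
@@ -251,7 +276,7 @@
 sleep 1
 done
 ${pkgs.mysql}/bin/mysql -e 'CREATE DATABASE ${config.dbName};'
-${pkgs.mysql}/bin/mysql -e 'GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY "${config.dbPassword}";'
+${pkgs.mysql}/bin/mysql -e "GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY \"$(cat ${config.dbPasswordFile})\";"
 else
 echo "Good, no need to do anything database related."
 fi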
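Review bot: The two consumers of dbPasswordFile disagree on trailing newlines: the PHP side at new line 12 hands the raw `file_get_contents` result to DB_PASSWORD, while the GRANT at new line 279 uses `$(cat ...)`, which strips trailing newlines, so a key file ending in `\n` (the usual case for a file written by an editor or a key-management tool) produces a WordPress password that does not match the one granted and the site fails to connect. Strip the same way in PHP: `define('DB_PASSWORD', rtrim(file_get_contents('${config.dbPasswordFile}'), "\n"));`, and say in the dbPasswordFile description that a trailing newline is ignored. Separately, the new GRANT line still interpolates the secret into mysql's argv, where any local user can read it from /proc/*/cmdline while the command runs, and into the SQL unescaped, so a password containing `"`, `\` or `$` breaks the statement; feeding the statement to `mysql` on stdin from a heredoc avoids the argv exposure, which is the very thing the commit sets out to fix. The enclosing shell setup script and the surrounding option set begin and end outside the hunks shown.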