Merge pull request #244356 from datafoo/mosquitto-systemd-credentials

nixos/mosquitto: leverage systemd credentials

authored by

pennae and committed by
GitHub
e2a43fbf f8e5fdc6

+56 -9
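--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -42,12 +42,15 @@
   };

   passwordFile = mkOption {
-    type = uniq (nullOr types.path);
+    type = uniq (nullOr path);
     example = "/path/to/file";
     default = null;
     description = lib.mdDoc ''
       Specifies the path to a file containing the
       clear text password for the MQTT user.
+      The file is securely passed to mosquitto by
+      leveraging systemd credentials. No special
+      permissions need to be set on this file.
     '';
   };

@@ -64,7 +67,7 @@
   };

   hashedPasswordFile = mkOption {
-    type = uniq (nullOr types.path);
+    type = uniq (nullOr path);
     example = "/path/to/file";
     default = null;
     description = mdDoc ''
@@ -73,6 +76,9 @@
       To generate hashed password install the `mosquitto`
       package and use `mosquitto_passwd`, then remove the
       `username:` prefix from the generated file.
+      The file is securely passed to mosquitto by
+      leveraging systemd credentials. No special
+      permissions need to be set on this file.
     '';
   };

@@ -102,15 +108,43 @@
       message = "Cannot set more than one password option for user ${n} in ${prefix}";
     }) users;

-  makePasswordFile = users: path:
+  listenerScope = index: "listener-${toString index}";
+  userScope = prefix: index: "${prefix}-user-${toString index}";
+  credentialID = prefix: credential: "${prefix}-${credential}";
+
+  toScopedUsers = listenerScope: users: pipe users [
+    attrNames
+    (imap0 (index: user: nameValuePair user
+      (users.${user} // { scope = userScope listenerScope index; })
+    ))
+    listToAttrs
+  ];
+
+  userCredentials = user: credentials: pipe credentials [
+    (filter (credential: user.${credential} != null))
+    (map (credential: "${credentialID user.scope credential}:${user.${credential}}"))
+  ];
+  usersCredentials = listenerScope: users: credentials: pipe users [
+    (toScopedUsers listenerScope)
+    (mapAttrsToList (_: user: userCredentials user credentials))
+    concatLists
+  ];
+  systemdCredentials = listeners: listenerCredentials: pipe listeners [
+    (imap0 (index: listener: listenerCredentials (listenerScope index) listener))
+    concatLists
+  ];
+
+  makePasswordFile = listenerScope: users: path:
     let
-      makeLines = store: file:
+      makeLines = store: file: let
+        scopedUsers = toScopedUsers listenerScope users;
+      in
         mapAttrsToList
-          (n: u: "addLine ${escapeShellArg n} ${escapeShellArg u.${store}}")
-          (filterAttrs (_: u: u.${store} != null) users)
+          (name: user: ''addLine ${escapeShellArg name} "''$(systemd-creds cat ${credentialID user.scope store})"'')
+          (filterAttrs (_: user: user.${store} != null) scopedUsers)
         ++ mapAttrsToList
-          (n: u: "addFile ${escapeShellArg n} ${escapeShellArg "${u.${file}}"}")
-          (filterAttrs (_: u: u.${file} != null) users);
+          (name: user: ''addFile ${escapeShellArg name} "''${CREDENTIALS_DIRECTORY}/${credentialID user.scope file}"'')
+          (filterAttrs (_: user: user.${file} != null) scopedUsers);
       plainLines = makeLines "password" "passwordFile";
       hashedLines = makeLines "hashedPassword" "hashedPasswordFile";
     in
@@ -581,6 +615,19 @@
       ExecStart = "${cfg.package}/bin/mosquitto -c ${configFile}";
       ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";

+      # Credentials
+      SetCredential = let
+        listenerCredentials = listenerScope: listener:
+          usersCredentials listenerScope listener.users [ "password" "hashedPassword" ];
+      in
+        systemdCredentials cfg.listeners listenerCredentials;
+
+      LoadCredential = let
+        listenerCredentials = listenerScope: listener:
+          usersCredentials listenerScope listener.users [ "passwordFile" "hashedPasswordFile" ];
+      in
+        systemdCredentials cfg.listeners listenerCredentials;
+
       # Hardening
       CapabilityBoundingSet = "";
       DevicePolicy = "closed";
@@ -653,7 +700,7 @@
       concatStringsSep
         "\n"
         (imap0
-          (idx: listener: makePasswordFile listener.users "${cfg.dataDir}/passwd-${toString idx}")
+          (idx: listener: makePasswordFile (listenerScope idx) listener.users "${cfg.dataDir}/passwd-${toString idx}")
           cfg.listeners);
     };
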
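Review bot: The plain `password`/`hashedPassword` values that `userCredentials` turns into `SetCredential=` entries are spliced into the generated unit file verbatim, and as I read systemd.exec(5) that value undergoes C-style unescaping, so a password containing a backslash would reach mosquitto altered; this deserves a comment on `userCredentials` such as `# SetCredential= data is unescaped by systemd (\n, \x00 …); backslashes in plain passwords need doubling` or an assertion on those options. The same hunk should also state that, unlike `LoadCredential=`, `SetCredential=` keeps the secret inside the unit file in the Nix store, so only the `*File` variants gain the permission-free handling the new option text describes; the non-file options are no more private than before, which is worth saying next to the `# Credentials` comment. Finally, `makeLines` invokes `systemd-creds` by bare name while the rest of the unit uses absolute paths like `${pkgs.coreutils}/bin/kill`; this relies on the unit's default PATH including systemd, so `"''$(${pkgs.systemd}/bin/systemd-creds cat …)"` would match the file's style. The `let` block that holds these helpers begins outside the hunk.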