nixos/gitea: make more secrets persistent (#108676)
Added JWT_SECRET and INTERNAL_TOKEN to be persistent, like SECRET_KEY and LFS_JWT_SECRET do. Also renamed some vars belonging to SECRET_KEY and LFS_JWT_SECRET to get a consistent naming scheme over all secrets.
This commit is contained in:
parent
f3042e3078
commit
10eed48d10
1 changed files with 41 additions and 9 deletions
|
@ -349,7 +349,7 @@ in
|
|||
{
|
||||
DOMAIN = cfg.domain;
|
||||
STATIC_ROOT_PATH = cfg.staticRootPath;
|
||||
LFS_JWT_SECRET = "#jwtsecret#";
|
||||
LFS_JWT_SECRET = "#lfsjwtsecret#";
|
||||
ROOT_URL = cfg.rootUrl;
|
||||
}
|
||||
(mkIf cfg.enableUnixSocket {
|
||||
|
@ -381,6 +381,7 @@ in
|
|||
|
||||
security = {
|
||||
SECRET_KEY = "#secretkey#";
|
||||
INTERNAL_TOKEN = "#internaltoken#";
|
||||
INSTALL_LOCK = true;
|
||||
};
|
||||
|
||||
|
@ -396,6 +397,10 @@ in
|
|||
mailer = mkIf (cfg.mailerPasswordFile != null) {
|
||||
PASSWD = "#mailerpass#";
|
||||
};
|
||||
|
||||
oauth2 = {
|
||||
JWT_SECRET = "#oauth2jwtsecret#";
|
||||
};
|
||||
};
|
||||
|
||||
services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) {
|
||||
|
@ -455,10 +460,20 @@ in
|
|||
wantedBy = [ "multi-user.target" ];
|
||||
path = [ gitea pkgs.git ];
|
||||
|
||||
# In older versions the secret naming for JWT was kind of confusing.
|
||||
# The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET
|
||||
# wasn't persistant at all.
|
||||
# To fix that, there is now the file oauth2_jwt_secret containing the
|
||||
# values for JWT_SECRET and the file jwt_secret gets renamed to
|
||||
# lfs_jwt_secret.
|
||||
# We have to consider this to stay compatible with older installations.
|
||||
preStart = let
|
||||
runConfig = "${cfg.stateDir}/custom/conf/app.ini";
|
||||
secretKey = "${cfg.stateDir}/custom/conf/secret_key";
|
||||
jwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret";
|
||||
oauth2JwtSecret = "${cfg.stateDir}/custom/conf/oauth2_jwt_secret";
|
||||
oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET
|
||||
lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET
|
||||
internalToken = "${cfg.stateDir}/custom/conf/internal_token";
|
||||
in ''
|
||||
# copy custom configuration and generate a random secret key if needed
|
||||
${optionalString (cfg.useWizard == false) ''
|
||||
|
@ -468,24 +483,41 @@ in
|
|||
${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey}
|
||||
fi
|
||||
|
||||
if [ ! -e ${jwtSecret} ]; then
|
||||
${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${jwtSecret}
|
||||
# Migrate LFS_JWT_SECRET filename
|
||||
if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then
|
||||
mv ${oldLfsJwtSecret} ${lfsJwtSecret}
|
||||
fi
|
||||
|
||||
KEY="$(head -n1 ${secretKey})"
|
||||
if [ ! -e ${oauth2JwtSecret} ]; then
|
||||
${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret}
|
||||
fi
|
||||
|
||||
if [ ! -e ${lfsJwtSecret} ]; then
|
||||
${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret}
|
||||
fi
|
||||
|
||||
if [ ! -e ${internalToken} ]; then
|
||||
${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken}
|
||||
fi
|
||||
|
||||
SECRETKEY="$(head -n1 ${secretKey})"
|
||||
DBPASS="$(head -n1 ${cfg.database.passwordFile})"
|
||||
JWTSECRET="$(head -n1 ${jwtSecret})"
|
||||
OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})"
|
||||
LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})"
|
||||
INTERNALTOKEN="$(head -n1 ${internalToken})"
|
||||
${if (cfg.mailerPasswordFile == null) then ''
|
||||
MAILERPASSWORD="#mailerpass#"
|
||||
'' else ''
|
||||
MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)"
|
||||
''}
|
||||
sed -e "s,#secretkey#,$KEY,g" \
|
||||
sed -e "s,#secretkey#,$SECRETKEY,g" \
|
||||
-e "s,#dbpass#,$DBPASS,g" \
|
||||
-e "s,#jwtsecret#,$JWTSECRET,g" \
|
||||
-e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \
|
||||
-e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \
|
||||
-e "s,#internaltoken#,$INTERNALTOKEN,g" \
|
||||
-e "s,#mailerpass#,$MAILERPASSWORD,g" \
|
||||
-i ${runConfig}
|
||||
chmod 640 ${runConfig} ${secretKey} ${jwtSecret}
|
||||
chmod 640 ${runConfig} ${secretKey} ${oauth2JwtSecret} ${lfsJwtSecret} ${internalToken}
|
||||
''}
|
||||
|
||||
# update all hooks' binary paths
|
||||
|
|
Loading…
Reference in a new issue