Merge pull request #156601 from symphorien/miniflux-password
nixos/miniflux: no cleartext password in the store
4846d948b4
4 changed files with 46 additions and 33 deletions
|
@ -444,6 +444,13 @@
|
|||
support due to python2 deprecation in nixpkgs
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>services.miniflux.adminCredentialFiles</literal> is
|
||||
now required, instead of defaulting to
|
||||
<literal>admin</literal> and <literal>password</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <literal>autorestic</literal> package has been upgraded
|
||||
|
|
|
@ -147,6 +147,8 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
|
||||
- opensmtpd-extras is no longer build with python2 scripting support due to python2 deprecation in nixpkgs
|
||||
|
||||
- `services.miniflux.adminCredentialFiles` is now required, instead of defaulting to `admin` and `password`.
|
||||
|
||||
- The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details.
|
||||
|
||||
- For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline`
|
||||
|
|
|
@ -7,26 +7,12 @@ let
|
|||
defaultAddress = "localhost:8080";
|
||||
|
||||
dbUser = "miniflux";
|
||||
dbPassword = "miniflux";
|
||||
dbHost = "localhost";
|
||||
dbName = "miniflux";
|
||||
|
||||
defaultCredentials = pkgs.writeText "miniflux-admin-credentials" ''
|
||||
ADMIN_USERNAME=admin
|
||||
ADMIN_PASSWORD=password
|
||||
'';
|
||||
|
||||
pgbin = "${config.services.postgresql.package}/bin";
|
||||
preStart = pkgs.writeScript "miniflux-pre-start" ''
|
||||
#!${pkgs.runtimeShell}
|
||||
db_exists() {
|
||||
[ "$(${pgbin}/psql -Atc "select 1 from pg_database where datname='$1'")" == "1" ]
|
||||
}
|
||||
if ! db_exists "${dbName}"; then
|
||||
${pgbin}/psql postgres -c "CREATE ROLE ${dbUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${dbPassword}'"
|
||||
${pgbin}/createdb --owner "${dbUser}" "${dbName}"
|
||||
${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
|
||||
fi
|
||||
${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
|
||||
'';
|
||||
in
|
||||
|
||||
|
@ -54,11 +40,10 @@ in
|
|||
};
|
||||
|
||||
adminCredentialsFile = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
type = types.path;
|
||||
description = ''
|
||||
File containing the ADMIN_USERNAME, default is "admin", and
|
||||
ADMIN_PASSWORD (length >= 6), default is "password"; in the format of
|
||||
File containing the ADMIN_USERNAME and
|
||||
ADMIN_PASSWORD (length >= 6) in the format of
|
||||
an EnvironmentFile=, as described by systemd.exec(5).
|
||||
'';
|
||||
example = "/etc/nixos/miniflux-admin-credentials";
|
||||
|
@ -70,16 +55,24 @@ in
|
|||
|
||||
services.miniflux.config = {
|
||||
LISTEN_ADDR = mkDefault defaultAddress;
|
||||
DATABASE_URL = "postgresql://${dbUser}:${dbPassword}@${dbHost}/${dbName}?sslmode=disable";
|
||||
DATABASE_URL = "user=${dbUser} host=/run/postgresql dbname=${dbName}";
|
||||
RUN_MIGRATIONS = "1";
|
||||
CREATE_ADMIN = "1";
|
||||
};
|
||||
|
||||
services.postgresql.enable = true;
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureUsers = [ {
|
||||
name = dbUser;
|
||||
ensurePermissions = {
|
||||
"DATABASE ${dbName}" = "ALL PRIVILEGES";
|
||||
};
|
||||
} ];
|
||||
ensureDatabases = [ dbName ];
|
||||
};
|
||||
|
||||
systemd.services.miniflux-dbsetup = {
|
||||
description = "Miniflux database setup";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "postgresql.service" ];
|
||||
after = [ "network.target" "postgresql.service" ];
|
||||
serviceConfig = {
|
||||
|
@ -92,17 +85,16 @@ in
|
|||
systemd.services.miniflux = {
|
||||
description = "Miniflux service";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "postgresql.service" ];
|
||||
requires = [ "miniflux-dbsetup.service" ];
|
||||
after = [ "network.target" "postgresql.service" "miniflux-dbsetup.service" ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.miniflux}/bin/miniflux";
|
||||
User = dbUser;
|
||||
DynamicUser = true;
|
||||
RuntimeDirectory = "miniflux";
|
||||
RuntimeDirectoryMode = "0700";
|
||||
EnvironmentFile = if cfg.adminCredentialsFile == null
|
||||
then defaultCredentials
|
||||
else cfg.adminCredentialsFile;
|
||||
EnvironmentFile = cfg.adminCredentialsFile;
|
||||
# Hardening
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
DeviceAllow = [ "" ];
|
||||
|
@ -119,7 +111,7 @@ in
|
|||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
|
|
|
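Review bot: `adminCredentialsFile` is now a required `types.path` (hunk `@ -54,11 +40,10 @@`), and `types.path` accepts a Nix path literal as well as a string; a path literal such as `./miniflux-admin-credentials` is copied into the world-readable Nix store when it is interpolated into the unit's `EnvironmentFile=`, which silently undoes the property this PR establishes. Since the removed `nullOr`/`default = null` branch was the only thing that previously put credentials in the store, it would be worth stating the remaining footgun in the option description, e.g. appending `Must be given as a string (absolute path, as in the example), not a Nix path literal; a path literal would be copied into the world-readable Nix store.` after the systemd.exec(5) sentence. The new `miniflux-dbsetup` unit's `serviceConfig` body lies outside hunk `@ -70,16 +55,24 @@`, so whether it still creates the `hstore` extension that the removed `preStart` script handled cannot be confirmed from this view; a one-line comment above `systemd.services.miniflux-dbsetup` naming what it replaces (`# replaces the former preStart script: creates the hstore extension; roles and database come from ensureUsers/ensureDatabases`) would help the next reader, if that is indeed what it does.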
@ -7,6 +7,15 @@ let
|
|||
defaultPort = 8080;
|
||||
defaultUsername = "admin";
|
||||
defaultPassword = "password";
|
||||
adminCredentialsFile = pkgs.writeText "admin-credentials" ''
|
||||
ADMIN_USERNAME=${defaultUsername}
|
||||
ADMIN_PASSWORD=${defaultPassword}
|
||||
'';
|
||||
customAdminCredentialsFile = pkgs.writeText "admin-credentials" ''
|
||||
ADMIN_USERNAME=${username}
|
||||
ADMIN_PASSWORD=${password}
|
||||
'';
|
||||
|
||||
in
|
||||
with lib;
|
||||
{
|
||||
|
@ -17,13 +26,19 @@ with lib;
|
|||
default =
|
||||
{ ... }:
|
||||
{
|
||||
services.miniflux.enable = true;
|
||||
services.miniflux = {
|
||||
enable = true;
|
||||
inherit adminCredentialsFile;
|
||||
};
|
||||
};
|
||||
|
||||
withoutSudo =
|
||||
{ ... }:
|
||||
{
|
||||
services.miniflux.enable = true;
|
||||
services.miniflux = {
|
||||
enable = true;
|
||||
inherit adminCredentialsFile;
|
||||
};
|
||||
security.sudo.enable = false;
|
||||
};
|
||||
|
||||
|
@ -36,10 +51,7 @@ with lib;
|
|||
CLEANUP_FREQUENCY = "48";
|
||||
LISTEN_ADDR = "localhost:${toString port}";
|
||||
};
|
||||
adminCredentialsFile = pkgs.writeText "admin-credentials" ''
|
||||
ADMIN_USERNAME=${username}
|
||||
ADMIN_PASSWORD=${password}
|
||||
'';
|
||||
adminCredentialsFile = customAdminCredentialsFile;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|