Merge pull request #156601 from symphorien/miniflux-password

nixos/miniflux: no cleartext password in the store
This commit is contained in:
Guillaume Girol 2022-02-21 21:18:36 +00:00 committed by GitHub
commit 4846d948b4
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 46 additions and 33 deletions


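--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -444,6 +444,13 @@
 support due to python2 deprecation in nixpkgs
 </para>
 </listitem>
+<listitem>
+<para>
+<literal>services.miniflux.adminCredentialFiles</literal> is
+now required, instead of defaulting to
+<literal>admin</literal> and <literal>password</literal>.
+</para>
+</listitem>
 <listitem>
 <para>
 The <literal>autorestic</literal> package has been upgraded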


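--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -147,6 +147,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - opensmtpd-extras is no longer build with python2 scripting support due to python2 deprecation in nixpkgs
+- `services.miniflux.adminCredentialFiles` is now required, instead of defaulting to `admin` and `password`.
 - The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details.
 - For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline`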


@ -7,26 +7,12 @@ let
defaultAddress = "localhost:8080"; defaultAddress = "localhost:8080";
dbUser = "miniflux"; dbUser = "miniflux";
dbPassword = "miniflux";
dbHost = "localhost";
dbName = "miniflux"; dbName = "miniflux";
defaultCredentials = pkgs.writeText "miniflux-admin-credentials" ''
ADMIN_USERNAME=admin
ADMIN_PASSWORD=password
'';
pgbin = "${config.services.postgresql.package}/bin"; pgbin = "${config.services.postgresql.package}/bin";
preStart = pkgs.writeScript "miniflux-pre-start" '' preStart = pkgs.writeScript "miniflux-pre-start" ''
#!${pkgs.runtimeShell} #!${pkgs.runtimeShell}
db_exists() { ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
[ "$(${pgbin}/psql -Atc "select 1 from pg_database where datname='$1'")" == "1" ]
}
if ! db_exists "${dbName}"; then
${pgbin}/psql postgres -c "CREATE ROLE ${dbUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${dbPassword}'"
${pgbin}/createdb --owner "${dbUser}" "${dbName}"
${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
fi
''; '';
in in
@ -54,11 +40,10 @@ in
}; };
adminCredentialsFile = mkOption { adminCredentialsFile = mkOption {
type = types.nullOr types.path; type = types.path;
default = null;
description = '' description = ''
File containing the ADMIN_USERNAME, default is "admin", and File containing the ADMIN_USERNAME and
ADMIN_PASSWORD (length >= 6), default is "password"; in the format of ADMIN_PASSWORD (length >= 6) in the format of
an EnvironmentFile=, as described by systemd.exec(5). an EnvironmentFile=, as described by systemd.exec(5).
''; '';
example = "/etc/nixos/miniflux-admin-credentials"; example = "/etc/nixos/miniflux-admin-credentials";
@ -70,16 +55,24 @@ in
services.miniflux.config = { services.miniflux.config = {
LISTEN_ADDR = mkDefault defaultAddress; LISTEN_ADDR = mkDefault defaultAddress;
DATABASE_URL = "postgresql://${dbUser}:${dbPassword}@${dbHost}/${dbName}?sslmode=disable"; DATABASE_URL = "user=${dbUser} host=/run/postgresql dbname=${dbName}";
RUN_MIGRATIONS = "1"; RUN_MIGRATIONS = "1";
CREATE_ADMIN = "1"; CREATE_ADMIN = "1";
}; };
services.postgresql.enable = true; services.postgresql = {
enable = true;
ensureUsers = [ {
name = dbUser;
ensurePermissions = {
"DATABASE ${dbName}" = "ALL PRIVILEGES";
};
} ];
ensureDatabases = [ dbName ];
};
systemd.services.miniflux-dbsetup = { systemd.services.miniflux-dbsetup = {
description = "Miniflux database setup"; description = "Miniflux database setup";
wantedBy = [ "multi-user.target" ];
requires = [ "postgresql.service" ]; requires = [ "postgresql.service" ];
after = [ "network.target" "postgresql.service" ]; after = [ "network.target" "postgresql.service" ];
serviceConfig = { serviceConfig = {
@ -92,17 +85,16 @@ in
systemd.services.miniflux = { systemd.services.miniflux = {
description = "Miniflux service"; description = "Miniflux service";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "postgresql.service" ]; requires = [ "miniflux-dbsetup.service" ];
after = [ "network.target" "postgresql.service" "miniflux-dbsetup.service" ]; after = [ "network.target" "postgresql.service" "miniflux-dbsetup.service" ];
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.miniflux}/bin/miniflux"; ExecStart = "${pkgs.miniflux}/bin/miniflux";
User = dbUser;
DynamicUser = true; DynamicUser = true;
RuntimeDirectory = "miniflux"; RuntimeDirectory = "miniflux";
RuntimeDirectoryMode = "0700"; RuntimeDirectoryMode = "0700";
EnvironmentFile = if cfg.adminCredentialsFile == null EnvironmentFile = cfg.adminCredentialsFile;
then defaultCredentials
else cfg.adminCredentialsFile;
# Hardening # Hardening
CapabilityBoundingSet = [ "" ]; CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ]; DeviceAllow = [ "" ];
@ -119,7 +111,7 @@ in
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
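Review bot: `type = types.path;` in the adminCredentialsFile hunk also accepts a Nix path literal such as `./miniflux-admin-credentials`, which is copied into the world-readable store and reintroduces exactly the cleartext credentials this commit removes; the option description should say so, e.g. `This file must live outside the Nix store: pass an absolute path string, not a path literal.` The two release-note hunks name the option `adminCredentialFiles`, but the option defined here is `adminCredentialsFile`, so the note points users at a name that does not exist. The `EnvironmentFile = cfg.adminCredentialsFile;` line should still work with a root-owned 0600 file under `DynamicUser = true`, as I understand systemd reads EnvironmentFile= before dropping privileges, but one sentence in the description stating the expected ownership and mode would keep users from making the file world-readable to satisfy the dynamic user.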


@ -7,6 +7,15 @@ let
defaultPort = 8080; defaultPort = 8080;
defaultUsername = "admin"; defaultUsername = "admin";
defaultPassword = "password"; defaultPassword = "password";
adminCredentialsFile = pkgs.writeText "admin-credentials" ''
ADMIN_USERNAME=${defaultUsername}
ADMIN_PASSWORD=${defaultPassword}
'';
customAdminCredentialsFile = pkgs.writeText "admin-credentials" ''
ADMIN_USERNAME=${username}
ADMIN_PASSWORD=${password}
'';
in in
with lib; with lib;
{ {
@ -17,13 +26,19 @@ with lib;
default = default =
{ ... }: { ... }:
{ {
services.miniflux.enable = true; services.miniflux = {
enable = true;
inherit adminCredentialsFile;
};
}; };
withoutSudo = withoutSudo =
{ ... }: { ... }:
{ {
services.miniflux.enable = true; services.miniflux = {
enable = true;
inherit adminCredentialsFile;
};
security.sudo.enable = false; security.sudo.enable = false;
}; };
@ -36,10 +51,7 @@ with lib;
CLEANUP_FREQUENCY = "48"; CLEANUP_FREQUENCY = "48";
LISTEN_ADDR = "localhost:${toString port}"; LISTEN_ADDR = "localhost:${toString port}";
}; };
adminCredentialsFile = pkgs.writeText "admin-credentials" '' adminCredentialsFile = customAdminCredentialsFile;
ADMIN_USERNAME=${username}
ADMIN_PASSWORD=${password}
'';
}; };
}; };
}; };
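Review bot: Both `pkgs.writeText` calls added to the `let` block use the same derivation name `"admin-credentials"`, so the two files differ only by hash and cannot be told apart in store paths or logs; naming them `"miniflux-default-admin-credentials"` and `"miniflux-custom-admin-credentials"` would make them self-describing. Writing admin credentials into the store is acceptable here only because this is a throwaway test VM, and a comment above `adminCredentialsFile` saying so, `# test-only: store-resident credentials are fine for a disposable VM, never copy this into a real config`, would stop the pattern being copied. The `let` block is otherwise outside this section.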