nixos/rabbitmq: Rename cookie -> unsafeCookie

Not a mkRenamedOptionModule, because user intervention is required
to determine whether they have a problem. mkRenamed* does not let
us explain anything to the user.
Robert Hensing 2024-02-04 21:41:29 +01:00
parent 4c9b5cb310
commit 6761394083


@ -14,6 +14,15 @@ let
in in
{ {
imports = [
(mkRemovedOptionModule [ "services" "rabbitmq" "cookie" ] ''
This option wrote the Erlang cookie to the store, while it should be kept secret.
Please remove it from your NixOS configuration and deploy a cookie securely instead.
The renamed `unsafeCookie` must ONLY be used in isolated non-production environments such as NixOS VM tests.
'')
];
###### interface ###### interface
options = { options = {
services.rabbitmq = { services.rabbitmq = {
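Review bot: The removal message tells the user to "deploy a cookie securely instead" but does not say where the service expects it. The preStart script later in this patch writes to `${cfg.dataDir}/.erlang.cookie` with mode 600, so naming that path and mode here would make the message actionable. It would also help to give the full option path `services.rabbitmq.unsafeCookie` rather than the bare `unsafeCookie`, so the user can paste it directly.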
@ -62,13 +71,18 @@ in
''; '';
}; };
cookie = mkOption { unsafeCookie = mkOption {
default = ""; default = "";
type = types.str; type = types.str;
description = lib.mdDoc '' description = lib.mdDoc ''
Erlang cookie is a string of arbitrary length which must Erlang cookie is a string of arbitrary length which must
be the same for several nodes to be allowed to communicate. be the same for several nodes to be allowed to communicate.
Leave empty to generate automatically. Leave empty to generate automatically.
Setting the cookie via this option exposes the cookie to the store, which
is not recommended for security reasons.
Only use this option in an isolated non-production environment such as
NixOS VM tests.
''; '';
}; };
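Review bot: The added description text is weaker than the removal message in the imports hunk. Here it says "is not recommended for security reasons", while the mkRemovedOptionModule text says the option "must ONLY be used in isolated non-production environments". Suggest using the same wording in both places and stating the reason directly: the Nix store is world-readable, so any local user can read the cookie.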
@ -209,8 +223,8 @@ in
}; };
preStart = '' preStart = ''
${optionalString (cfg.cookie != "") '' ${optionalString (cfg.unsafeCookie != "") ''
install -m 600 <(echo -n ${cfg.cookie}) ${cfg.dataDir}/.erlang.cookie install -m 600 <(echo -n ${cfg.unsafeCookie}) ${cfg.dataDir}/.erlang.cookie
''} ''}
''; '';
}; };
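Review bot: The cookie is still interpolated unquoted into the shell in `echo -n ${cfg.unsafeCookie}`. The option is `types.str` and documented as "a string of arbitrary length", so a value with whitespace or shell metacharacters is word-split or interpreted by the shell, and a value starting with `-` can be taken as an `echo` flag. Since this line is being touched anyway, consider `printf '%s' ${lib.escapeShellArg cfg.unsafeCookie}` instead.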