nixos/rabbitmq: Rename cookie -> unsafeCookie
Not a mkRenamedOptionModule, because user intervention is required to determine whether they have a problem. mkRenamed* does not let us explain anything to the user.
parent 4c9b5cb310
commit 6761394083
1 changed files with 17 additions and 3 deletions
|
@ -14,6 +14,15 @@ let
|
||||||
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
||||||
|
imports = [
|
||||||
|
(mkRemovedOptionModule [ "services" "rabbitmq" "cookie" ] ''
|
||||||
|
This option wrote the Erlang cookie to the store, while it should be kept secret.
|
||||||
|
Please remove it from your NixOS configuration and deploy a cookie securely instead.
|
||||||
|
The renamed `unsafeCookie` must ONLY be used in isolated non-production environments such as NixOS VM tests.
|
||||||
|
'')
|
||||||
|
];
|
||||||
|
|
||||||
###### interface
|
###### interface
|
||||||
options = {
|
options = {
|
||||||
services.rabbitmq = {
|
services.rabbitmq = {
|
||||||
|
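Review bot: The removal message passed to `mkRemovedOptionModule` tells users to "deploy a cookie securely instead" but does not say where the cookie has to end up. The `preStart` script in this module installs it as `${cfg.dataDir}/.erlang.cookie` with mode 600, so the message could name that path and mode, letting users place the file out of band without reading the module source.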
@ -62,13 +71,18 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
cookie = mkOption {
|
unsafeCookie = mkOption {
|
||||||
default = "";
|
default = "";
|
||||||
type = types.str;
|
type = types.str;
|
||||||
description = lib.mdDoc ''
|
description = lib.mdDoc ''
|
||||||
Erlang cookie is a string of arbitrary length which must
|
Erlang cookie is a string of arbitrary length which must
|
||||||
be the same for several nodes to be allowed to communicate.
|
be the same for several nodes to be allowed to communicate.
|
||||||
Leave empty to generate automatically.
|
Leave empty to generate automatically.
|
||||||
|
|
||||||
|
Setting the cookie via this option exposes the cookie to the store, which
|
||||||
|
is not recommended for security reasons.
|
||||||
|
Only use this option in an isolated non-production environment such as
|
||||||
|
NixOS VM tests.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
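Review bot: The paragraph added to the `unsafeCookie` description says that exposing the cookie to the store "is not recommended for security reasons" without giving the reason. Stating that the Nix store is world-readable, so any local user can read the cookie, would make the risk concrete. The option also still accepts a non-empty string silently; a `warnings` entry emitted when `cfg.unsafeCookie != ""` would surface the problem at evaluation time for configurations that set it.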
@ -209,8 +223,8 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
preStart = ''
|
preStart = ''
|
||||||
${optionalString (cfg.cookie != "") ''
|
${optionalString (cfg.unsafeCookie != "") ''
|
||||||
install -m 600 <(echo -n ${cfg.cookie}) ${cfg.dataDir}/.erlang.cookie
|
install -m 600 <(echo -n ${cfg.unsafeCookie}) ${cfg.dataDir}/.erlang.cookie
|
||||||
''}
|
''}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
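Review bot: In the `install -m 600 <(echo -n ${cfg.unsafeCookie}) ...` line the cookie is spliced into the shell script unquoted, so a value containing whitespace or shell metacharacters is word-split or interpreted by the shell instead of being written verbatim. Since the line is being touched anyway, consider `printf %s ${lib.escapeShellArg cfg.unsafeCookie}` in place of `echo -n ${cfg.unsafeCookie}`; `printf %s` also avoids `echo` treating a value with a leading `-` as an option.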