pyrox.dev / nixpkgs
lol
fork atom

nixos/lemmy: limit impurity by secrets

Split `services.lemmy.secretFile` into
multiple options to allow only secrets.

Eric Wolf 318d8cc4 e6f2df77

options
unified split
Changed files
+58 -34
nixos
modules
services
web-apps
lemmy.nix
tests
lemmy.nix
+56 -26
nixos/modules/services/web-apps/lemmy.nix 
···

       
1

       

       
-

       
{ lib, pkgs, config, ... }:


     

       

       
1

       
+

       
{ lib, pkgs, config, utils, ... }:


     

       
2

       
2

       
 

       
with lib;


     

       
3

       
3

       
 

       
let


     

       
4

       
4

       
 

       
  cfg = config.services.lemmy;


     
···

       
41

       
41

       
 

       
        default = null;


     

       
42

       
42

       
 

       
        description = lib.mdDoc "The connection URI to use. Takes priority over the configuration file if set.";


     

       
43

       
43

       
 

       
      };


     

       

       
44

       
+

       



     

       

       
45

       
+

       
      uriFile = mkOption {


     

       

       
46

       
+

       
        type = with types; nullOr path;


     

       

       
47

       
+

       
        default = null;


     

       

       
48

       
+

       
        description = lib.mdDoc "File which contains the database uri.";


     

       

       
49

       
+

       
      };


     

       

       
50

       
+

       
    };


     

       

       
51

       
+

       



     

       

       
52

       
+

       
    pictrsApiKeyFile = mkOption {


     

       

       
53

       
+

       
      type = with types; nullOr path;


     

       

       
54

       
+

       
      default = null;


     

       

       
55

       
+

       
      description = lib.mdDoc "File which contains the value of `pictrs.api_key`.";


     

       

       
56

       
+

       
    };


     

       

       
57

       
+

       



     

       

       
58

       
+

       
    smtpPasswordFile = mkOption {


     

       

       
59

       
+

       
      type = with types; nullOr path;


     

       

       
60

       
+

       
      default = null;


     

       

       
61

       
+

       
      description = lib.mdDoc "File which contains the value of `email.smtp_password`.";


     

       

       
62

       
+

       
    };


     

       

       
63

       
+

       



     

       

       
64

       
+

       
    adminPasswordFile = mkOption {


     

       

       
65

       
+

       
      type = with types; nullOr path;


     

       

       
66

       
+

       
      default = null;


     

       

       
67

       
+

       
      description = lib.mdDoc "File which contains the value of `setup.admin_password`.";


     

       
44

       
68

       
 

       
    };


     

       
45

       
69

       
 

       



     

       
46

       
70

       
 

       
    settings = mkOption {


     
···

       
76

       
100

       
 

       
        };


     

       
77

       
101

       
 

       
      };


     

       
78

       
102

       
 

       
    };


     

       
79

       

       
-

       



     

       
80

       

       
-

       
    secretFile = mkOption {


     

       
81

       

       
-

       
      type = with types; nullOr path;


     

       
82

       

       
-

       
      default = null;


     

       
83

       

       
-

       
      description = lib.mdDoc "Path to a secret JSON configuration file which is merged at runtime with the one generated from {option}`services.lemmy.settings`.";


     

       
84

       

       
-

       
    };


     

       
85

       
103

       
 

       
  };


     

       
86

       
104

       
 

       



     

       
87

       
105

       
 

       
  config =


     

       

       
106

       
+

       
    let


     

       

       
107

       
+

       
      secretOptions = {


     

       

       
108

       
+

       
        pictrsApiKeyFile = { setting = [ "pictrs" "api_key" ]; path = cfg.pictrsApiKeyFile; };


     

       

       
109

       
+

       
        smtpPasswordFile = { setting = [ "email" "smtp_password" ]; path = cfg.smtpPasswordFile; };


     

       

       
110

       
+

       
        adminPasswordFile = { setting = [ "setup" "admin_password" ]; path = cfg.adminPasswordFile; };


     

       

       
111

       
+

       
        uriFile = { setting = [ "database" "uri" ]; path = cfg.database.uriFile; };


     

       

       
112

       
+

       
      };


     

       

       
113

       
+

       
      secrets = lib.filterAttrs (option: data: data.path != null) secretOptions;


     

       

       
114

       
+

       
    in


     

       
88

       
115

       
 

       
    lib.mkIf cfg.enable {


     

       
89

       

       
-

       
      services.lemmy.settings = (mapAttrs (name: mkDefault)


     

       

       
116

       
+

       
      services.lemmy.settings = lib.attrsets.recursiveUpdate (mapAttrs (name: mkDefault)


     

       
90

       
117

       
 

       
        {


     

       
91

       
118

       
 

       
          bind = "127.0.0.1";


     

       
92

       
119

       
 

       
          tls_enabled = true;


     
···

       
104

       
131

       
 

       
          rate_limit.image = 6;


     

       
105

       
132

       
 

       
          rate_limit.image_per_second = 3600;


     

       
106

       
133

       
 

       
        } // {


     

       
107

       

       
-

       
        database = mapAttrs (name: mkDefault) {


     

       
108

       

       
-

       
          user = "lemmy";


     

       
109

       

       
-

       
          host = "/run/postgresql";


     

       
110

       

       
-

       
          port = 5432;


     

       
111

       

       
-

       
          database = "lemmy";


     

       
112

       

       
-

       
          pool_size = 5;


     

       
113

       

       
-

       
        };


     

       
114

       

       
-

       
      });


     

       

       
134

       
+

       
          database = mapAttrs (name: mkDefault) {


     

       

       
135

       
+

       
            user = "lemmy";


     

       

       
136

       
+

       
            host = "/run/postgresql";


     

       

       
137

       
+

       
            port = 5432;


     

       

       
138

       
+

       
            database = "lemmy";


     

       

       
139

       
+

       
            pool_size = 5;


     

       

       
140

       
+

       
          };


     

       

       
141

       
+

       
        }) (lib.foldlAttrs (acc: option: data: acc // lib.setAttrByPath data.setting { _secret = option; }) {} secrets);


     

       

       
142

       
+

       
        # the option name is the id of the credential loaded by LoadCredential


     

       
115

       
143

       
 

       



     

       
116

       
144

       
 

       
      services.postgresql = mkIf cfg.database.createLocally {


     

       
117

       
145

       
 

       
        enable = true;


     
···

       
202

       
230

       
 

       
          assertion = (!(hasAttrByPath ["federation"] cfg.settings)) && (!(hasAttrByPath ["federation" "enabled"] cfg.settings));


     

       
203

       
231

       
 

       
          message = "`services.lemmy.settings.federation` was removed in 0.17.0 and no longer has any effect";


     

       
204

       
232

       
 

       
        }


     

       

       
233

       
+

       
        {


     

       

       
234

       
+

       
          assertion = cfg.database.uriFile != null -> cfg.database.uri == null && !cfg.database.createLocally;


     

       

       
235

       
+

       
          message = "specifying a database uri while also specifying a database uri file is not allowed";


     

       

       
236

       
+

       
        }


     

       
205

       
237

       
 

       
      ];


     

       
206

       
238

       
 

       



     

       
207

       
239

       
 

       
      systemd.services.lemmy = let


     

       
208

       

       
-

       
        configFile = settingsFormat.generate "config.hjson" cfg.settings;


     

       
209

       

       
-

       
        mergedConfig = "/run/lemmy/config.hjson";


     

       

       
240

       
+

       
        substitutedConfig = "/run/lemmy/config.hjson";


     

       
210

       
241

       
 

       
      in {


     

       
211

       
242

       
 

       
        description = "Lemmy server";


     

       
212

       
243

       
 

       



     

       
213

       
244

       
 

       
        environment = {


     

       
214

       

       
-

       
          LEMMY_CONFIG_LOCATION = if cfg.secretFile == null then configFile else mergedConfig;


     

       

       
245

       
+

       
          LEMMY_CONFIG_LOCATION = if secrets == {} then settingsFormat.generate "config.hjson" cfg.settings else substitutedConfig;


     

       
215

       
246

       
 

       
          LEMMY_DATABASE_URL = if cfg.database.uri != null then cfg.database.uri else (mkIf (cfg.database.createLocally) "postgres:///lemmy?host=/run/postgresql&user=lemmy");


     

       
216

       
247

       
 

       
        };


     

       
217

       
248

       
 

       



     
···

       
226

       
257

       
 

       



     

       
227

       
258

       
 

       
        requires = lib.optionals cfg.database.createLocally [ "postgresql.service" ];


     

       
228

       
259

       
 

       



     

       
229

       

       
-

       
        path = mkIf (cfg.secretFile != null) [ pkgs.jq ];


     

       
230

       

       
-

       



     

       
231

       

       
-

       
        # merge the two configs and prevent others from reading the result


     

       

       
260

       
+

       
        # substitute secrets and prevent others from reading the result


     

       
232

       
261

       
 

       
        # if somehow $CREDENTIALS_DIRECTORY is not set we fail


     

       
233

       

       
-

       
        preStart = mkIf (cfg.secretFile != null) ''


     

       

       
262

       
+

       
        preStart = mkIf (secrets != {}) ''


     

       
234

       
263

       
 

       
          set -u


     

       
235

       

       
-

       
          umask 177


     

       
236

       

       
-

       
          jq --slurp '.[0] * .[1]' ${lib.escapeShellArg configFile} "$CREDENTIALS_DIRECTORY/secretFile" > ${lib.escapeShellArg mergedConfig}


     

       

       
264

       
+

       
          umask u=rw,g=,o=


     

       

       
265

       
+

       
          cd "$CREDENTIALS_DIRECTORY"


     

       

       
266

       
+

       
          ${utils.genJqSecretsReplacementSnippet cfg.settings substitutedConfig}


     

       
237

       
267

       
 

       
        '';


     

       
238

       
268

       
 

       



     

       
239

       
269

       
 

       
        serviceConfig = {


     

       
240

       
270

       
 

       
          DynamicUser = true;


     

       
241

       
271

       
 

       
          RuntimeDirectory = "lemmy";


     

       
242

       
272

       
 

       
          ExecStart = "${cfg.server.package}/bin/lemmy_server";


     

       
243

       

       
-

       
          LoadCredential = mkIf (cfg.secretFile != null) "secretFile:${toString cfg.secretFile}";


     

       

       
273

       
+

       
          LoadCredential = lib.foldlAttrs (acc: option: data: acc ++ [ "${option}:${toString data.path}" ]) [] secrets;


     

       
244

       
274

       
 

       
          PrivateTmp = true;


     

       
245

       
275

       
 

       
          MemoryDenyWriteExecute = true;


     

       
246

       
276

       
 

       
          NoNewPrivileges = true;
+2 -8
nixos/tests/lemmy.nix 
···

       
26

       
26

       
 

       
            admin_email = "mightyiam@example.com";


     

       
27

       
27

       
 

       
          };


     

       
28

       
28

       
 

       
        };


     

       
29

       

       
-

       
        secretFile = /etc/lemmy-config.hjson;


     

       

       
29

       
+

       
        adminPasswordFile = /etc/lemmy-admin-password.txt;


     

       
30

       
30

       
 

       
        caddy.enable = true;


     

       
31

       
31

       
 

       
      };


     

       
32

       
32

       
 

       



     

       
33

       

       
-

       
      environment.etc."lemmy-config.hjson".text = ''


     

       
34

       

       
-

       
        {


     

       
35

       

       
-

       
          "setup": {


     

       
36

       

       
-

       
            "admin_password": "ThisIsWhatIUseEverywhereTryIt"


     

       
37

       

       
-

       
          }


     

       
38

       

       
-

       
        }


     

       
39

       

       
-

       
      '';


     

       

       
33

       
+

       
      environment.etc."lemmy-admin-password.txt".text = "ThisIsWhatIUseEverywhereTryIt";


     

       
40

       
34

       
 

       



     

       
41

       
35

       
 

       
      networking.firewall.allowedTCPPorts = [ 80 ];


     

       
42

       
36