pyrox.dev / nixpkgs
lol
fork atom

wordpress: replace the dbPassword option with dbPasswordFile (#24146)

We shouldn't force users to store passwords in the world-readable Nix store.

Bas van Dijk 6f2eca17 8c28474c

options
unified split
Changed files
+28 -3
nixos
modules
services
web-servers
apache-httpd
wordpress.nix
+28 -3
nixos/modules/services/web-servers/apache-httpd/wordpress.nix 
···

       
9

       
 

       
    <?php


     

       
10

       
 

       
    define('DB_NAME',     '${config.dbName}');


     

       
11

       
 

       
    define('DB_USER',     '${config.dbUser}');


     

       
12

       
-

       
    define('DB_PASSWORD', '${config.dbPassword}');


     

       
13

       
 

       
    define('DB_HOST',     '${config.dbHost}');


     

       
14

       
 

       
    define('DB_CHARSET',  'utf8');


     

       
15

       
 

       
    $table_prefix  = '${config.tablePrefix}';


     
···

       
137

       
 

       
    };


     

       
138

       
 

       
    dbPassword = mkOption {


     

       
139

       
 

       
      default = "wordpress";


     

       
140

       
-

       
      description = "The mysql password to the respective dbUser.";


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
141

       
 

       
      example = "wordpress";


     

       
142

       
 

       
    };


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
143

       
 

       
    tablePrefix = mkOption {


     

       
144

       
 

       
      default = "wp_";


     

       
145

       
 

       
      description = ''


     
···

       
251

       
 

       
        sleep 1


     

       
252

       
 

       
      done


     

       
253

       
 

       
      ${pkgs.mysql}/bin/mysql -e 'CREATE DATABASE ${config.dbName};'


     

       
254

       
-

       
      ${pkgs.mysql}/bin/mysql -e 'GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY "${config.dbPassword}";'


     

       
255

       
 

       
    else


     

       
256

       
 

       
      echo "Good, no need to do anything database related."


     

       
257

       
 

       
    fi


     
···

       
9

       
 

       
    <?php


     

       
10

       
 

       
    define('DB_NAME',     '${config.dbName}');


     

       
11

       
 

       
    define('DB_USER',     '${config.dbUser}');


     

       
12

       
+

       
    define('DB_PASSWORD', file_get_contents('${config.dbPasswordFile}'));


     

       
13

       
 

       
    define('DB_HOST',     '${config.dbHost}');


     

       
14

       
 

       
    define('DB_CHARSET',  'utf8');


     

       
15

       
 

       
    $table_prefix  = '${config.tablePrefix}';


     
···

       
137

       
 

       
    };


     

       
138

       
 

       
    dbPassword = mkOption {


     

       
139

       
 

       
      default = "wordpress";


     

       
140

       
+

       
      description = ''


     

       
141

       
+

       
        The mysql password to the respective dbUser.


     

       
142

       
+

       



     

       
143

       
+

       
        Warning: this password is stored in the world-readable Nix store. It's


     

       
144

       
+

       
        recommended to use the $dbPasswordFile option since that gives you control over


     

       
145

       
+

       
        the security of the password. $dbPasswordFile also takes precedence over $dbPassword.


     

       
146

       
+

       
      '';


     

       
147

       
 

       
      example = "wordpress";


     

       
148

       
 

       
    };


     

       
149

       
+

       
    dbPasswordFile = mkOption {


     

       
150

       
+

       
      type = types.str;


     

       
151

       
+

       
      default = toString (pkgs.writeTextFile {


     

       
152

       
+

       
        name = "wordpress-dbpassword";


     

       
153

       
+

       
        text = config.dbPassword;


     

       
154

       
+

       
      });


     

       
155

       
+

       
      example = "/run/keys/wordpress-dbpassword";


     

       
156

       
+

       
      description = ''


     

       
157

       
+

       
        Path to a file that contains the mysql password to the respective dbUser.


     

       
158

       
+

       
        The file should be readable by the user: config.services.httpd.user.


     

       
159

       
+

       



     

       
160

       
+

       
        $dbPasswordFile takes precedence over the $dbPassword option.


     

       
161

       
+

       



     

       
162

       
+

       
        This defaults to a file in the world-readable Nix store that contains the value


     

       
163

       
+

       
        of the $dbPassword option. It's recommended to override this with a path not in


     

       
164

       
+

       
        the Nix store. Tip: use nixops key management:


     

       
165

       
+

       
        <link xlink:href='https://nixos.org/nixops/manual/#idm140737318306400'/>


     

       
166

       
+

       
      '';


     

       
167

       
+

       
    };


     

       
168

       
 

       
    tablePrefix = mkOption {


     

       
169

       
 

       
      default = "wp_";


     

       
170

       
 

       
      description = ''


     
···

       
276

       
 

       
        sleep 1


     

       
277

       
 

       
      done


     

       
278

       
 

       
      ${pkgs.mysql}/bin/mysql -e 'CREATE DATABASE ${config.dbName};'


     

       
279

       
+

       
      ${pkgs.mysql}/bin/mysql -e "GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY \"$(cat ${config.dbPasswordFile})\";"


     

       
280

       
 

       
    else


     

       
281

       
 

       
      echo "Good, no need to do anything database related."


     

       
282

       
 

       
    fi