···
define('DB_NAME', '${config.dbName}');
define('DB_USER', '${config.dbUser}');
12
-
define('DB_PASSWORD', '${config.dbPassword}');
12
+
define('DB_PASSWORD', file_get_contents('${config.dbPasswordFile}'));
define('DB_HOST', '${config.dbHost}');
define('DB_CHARSET', 'utf8');
$table_prefix = '${config.tablePrefix}';
···
140
-
description = "The mysql password to the respective dbUser.";
141
+
The mysql password to the respective dbUser.
143
+
Warning: this password is stored in the world-readable Nix store. It's
144
+
recommended to use the $dbPasswordFile option since that gives you control over
145
+
the security of the password. $dbPasswordFile also takes precedence over $dbPassword.
149
+
dbPasswordFile = mkOption {
151
+
default = toString (pkgs.writeTextFile {
152
+
name = "wordpress-dbpassword";
153
+
text = config.dbPassword;
155
+
example = "/run/keys/wordpress-dbpassword";
157
+
Path to a file that contains the mysql password to the respective dbUser.
158
+
The file should be readable by the user: config.services.httpd.user.
160
+
$dbPasswordFile takes precedence over the $dbPassword option.
162
+
This defaults to a file in the world-readable Nix store that contains the value
163
+
of the $dbPassword option. It's recommended to override this with a path not in
164
+
the Nix store. Tip: use nixops key management:
165
+
<link xlink:href='https://nixos.org/nixops/manual/#idm140737318306400'/>
···
${pkgs.mysql}/bin/mysql -e 'CREATE DATABASE ${config.dbName};'
254
-
${pkgs.mysql}/bin/mysql -e 'GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY "${config.dbPassword}";'
279
+
${pkgs.mysql}/bin/mysql -e "GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY \"$(cat ${config.dbPasswordFile})\";"
echo "Good, no need to do anything database related."
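Review bot: The new `DB_PASSWORD` line and the new GRANT line read `dbPasswordFile` differently, so a key file that ends in a newline gives WordPress a password that MySQL does not have: `file_get_contents` keeps the trailing newline, while `$(cat …)` strips it. Stripping it on the PHP side as well would align the two, e.g. `define('DB_PASSWORD', rtrim(file_get_contents('${config.dbPasswordFile}'), "\n"));`. `file_get_contents` also returns `false` when the file is not readable by the httpd user, which would leave `DB_PASSWORD` silently empty instead of failing loudly. In the GRANT line the file's contents are spliced unescaped into the SQL text and passed as a `mysql -e` argument, so a password containing `"` or `\` changes the statement, and the secret is likely visible in the process list while the command runs; feeding the statement on stdin would avoid the latter. The default of `dbPasswordFile` still places the password in the Nix store, as the option text says, so the protection only applies once the option is overridden.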