kookie
/
nomicon
1
0
Fork 0
Code Issues Projects Releases 1 Activity

nixos/miniflux: no cleartext password in the store

Browse Source
main
Guillaume Girol 2 years ago
parent d5ddafd0fa
commit 1df9e95ed7
4 changed files with 46 additions and 33 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 7
      nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
  2. 2
      nixos/doc/manual/release-notes/rl-2205.section.md
  3. 46
      nixos/modules/services/web-apps/miniflux.nix
  4. 24
      nixos/tests/miniflux.nix

7
nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
Unescape View File

@ -325,6 +325,13 @@
support due to python2 deprecation in nixpkgs
</para>
</listitem>
<listitem>
<para>
<literal>services.miniflux.adminCredentialFiles</literal> is
now required, instead of defaulting to
<literal>admin</literal> and <literal>password</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>autorestic</literal> package has been upgraded

2
nixos/doc/manual/release-notes/rl-2205.section.md
Unescape View File

@ -109,6 +109,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- opensmtpd-extras is no longer build with python2 scripting support due to python2 deprecation in nixpkgs
- `services.miniflux.adminCredentialFiles` is now required, instead of defaulting to `admin` and `password`.
- The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details.
- For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline`

46
nixos/modules/services/web-apps/miniflux.nix
Unescape View File

@ -7,26 +7,12 @@ let
defaultAddress = "localhost:8080";
dbUser = "miniflux";
dbPassword = "miniflux";
dbHost = "localhost";
dbName = "miniflux";
defaultCredentials = pkgs.writeText "miniflux-admin-credentials" ''
ADMIN_USERNAME=admin
ADMIN_PASSWORD=password
'';
pgbin = "${config.services.postgresql.package}/bin";
preStart = pkgs.writeScript "miniflux-pre-start" ''
#!${pkgs.runtimeShell}
db_exists() {
[ "$(${pgbin}/psql -Atc "select 1 from pg_database where datname='$1'")" == "1" ]
}
if ! db_exists "${dbName}"; then
${pgbin}/psql postgres -c "CREATE ROLE ${dbUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${dbPassword}'"
${pgbin}/createdb --owner "${dbUser}" "${dbName}"
${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
fi
${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
'';
in
@ -54,11 +40,10 @@ in
};
adminCredentialsFile = mkOption {
type = types.nullOr types.path;
default = null;
type = types.path;
description = ''
File containing the ADMIN_USERNAME, default is "admin", and
ADMIN_PASSWORD (length >= 6), default is "password"; in the format of
File containing the ADMIN_USERNAME and
ADMIN_PASSWORD (length >= 6) in the format of
an EnvironmentFile=, as described by systemd.exec(5).
'';
example = "/etc/nixos/miniflux-admin-credentials";
@ -70,16 +55,24 @@ in
services.miniflux.config = {
LISTEN_ADDR = mkDefault defaultAddress;
DATABASE_URL = "postgresql://${dbUser}:${dbPassword}@${dbHost}/${dbName}?sslmode=disable";
DATABASE_URL = "user=${dbUser} host=/run/postgresql dbname=${dbName}";
RUN_MIGRATIONS = "1";
CREATE_ADMIN = "1";
};
services.postgresql.enable = true;
services.postgresql = {
enable = true;
ensureUsers = [ {
name = dbUser;
ensurePermissions = {
"DATABASE ${dbName}" = "ALL PRIVILEGES";
};
} ];
ensureDatabases = [ dbName ];
};
systemd.services.miniflux-dbsetup = {
description = "Miniflux database setup";
wantedBy = [ "multi-user.target" ];
requires = [ "postgresql.service" ];
after = [ "network.target" "postgresql.service" ];
serviceConfig = {
@ -92,17 +85,16 @@ in
systemd.services.miniflux = {
description = "Miniflux service";
wantedBy = [ "multi-user.target" ];
requires = [ "postgresql.service" ];
requires = [ "miniflux-dbsetup.service" ];
after = [ "network.target" "postgresql.service" "miniflux-dbsetup.service" ];
serviceConfig = {
ExecStart = "${pkgs.miniflux}/bin/miniflux";
User = dbUser;
DynamicUser = true;
RuntimeDirectory = "miniflux";
RuntimeDirectoryMode = "0700";
EnvironmentFile = if cfg.adminCredentialsFile == null
then defaultCredentials
else cfg.adminCredentialsFile;
EnvironmentFile = cfg.adminCredentialsFile;
# Hardening
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
@ -119,7 +111,7 @@ in
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;

24
nixos/tests/miniflux.nix
Unescape View File

@ -7,6 +7,15 @@ let
defaultPort = 8080;
defaultUsername = "admin";
defaultPassword = "password";
adminCredentialsFile = pkgs.writeText "admin-credentials" ''
ADMIN_USERNAME=${defaultUsername}
ADMIN_PASSWORD=${defaultPassword}
'';
customAdminCredentialsFile = pkgs.writeText "admin-credentials" ''
ADMIN_USERNAME=${username}
ADMIN_PASSWORD=${password}
'';
in
with lib;
{
@ -17,13 +26,19 @@ with lib;
default =
{ ... }:
{
services.miniflux.enable = true;
services.miniflux = {
enable = true;
inherit adminCredentialsFile;
};
};
withoutSudo =
{ ... }:
{
services.miniflux.enable = true;
services.miniflux = {
enable = true;
inherit adminCredentialsFile;
};
security.sudo.enable = false;
};
@ -36,10 +51,7 @@ with lib;
CLEANUP_FREQUENCY = "48";
LISTEN_ADDR = "localhost:${toString port}";
};
adminCredentialsFile = pkgs.writeText "admin-credentials" ''
ADMIN_USERNAME=${username}
ADMIN_PASSWORD=${password}
'';
adminCredentialsFile = customAdminCredentialsFile;
};
};
};

Write Preview
Loading…
Cancel
Save