nixos/codimd: add option `environmentFile` for injecting secrets

Secrets are injected from the environment into the rendered configuration before each startup using envsubst. The test now makes use of this feature for the db password.
4 years ago · 403c215bdd
parent 5bfe6004e1
commit 403c215bdd
2 changed files with 47 additions and 2 deletions
--- a/nixos/modules/services/web-apps/codimd.nix
+++ b/nixos/modules/services/web-apps/codimd.nix
@ -877,6 +877,37 @@ in
        description = "Configure the SAML integration.";
      };
    };
+
+
+    environmentFile = mkOption {
+      type = with types; nullOr path;
+      default = null;
+      example = "/var/lib/codimd/codimd.env";
+      description = ''
+        Environment file as defined in <citerefentry>
+        <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum>
+        </citerefentry>.
+
+        Secrets may be passed to the service without adding them to the world-readable
+        Nix store, by specifying placeholder variables as the option value in Nix and
+        setting these variables accordingly in the environment file.
+
+        <programlisting>
+          # snippet of CodiMD-related config
+          services.codimd.configuration.dbURL = "postgres://codimd:\''${DB_PASSWORD}@db-host:5432/codimddb";
+          services.codimd.configuration.minio.secretKey = "$MINIO_SECRET_KEY";
+        </programlisting>
+
+        <programlisting>
+          # content of the environment file
+          DB_PASSWORD=verysecretdbpassword
+          MINIO_SECRET_KEY=verysecretminiokey
+        </programlisting>
+
+        Note that this file needs to be available on the host on which
+        <literal>CodiMD</literal> is running.
+      '';
+    };
  };

  config = mkIf cfg.enable {
@ -900,11 +931,17 @@ in
      description = "CodiMD Service";
      wantedBy = [ "multi-user.target" ];
      after = [ "networking.target" ];
+      preStart = ''
+        ${pkgs.envsubst}/bin/envsubst \
+          -o ${cfg.workDir}/config.json \
+          -i ${prettyJSON cfg.configuration}
+      '';
      serviceConfig = {
        WorkingDirectory = cfg.workDir;
        ExecStart = "${pkgs.codimd}/bin/codimd";
+        EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
        Environment = [
-          "CMD_CONFIG_FILE=${prettyJSON cfg.configuration}"
+          "CMD_CONFIG_FILE=${cfg.workDir}/config.json"
          "NODE_ENV=production"
        ];
        Restart = "always";
--- a/nixos/tests/codimd.nix
+++ b/nixos/tests/codimd.nix
@ -21,7 +21,15 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
      services = {
        codimd = {
          enable = true;
-          configuration.dbURL = "postgres://codimd:snakeoilpassword@localhost:5432/codimddb";
+          configuration.dbURL = "postgres://codimd:\${DB_PASSWORD}@localhost:5432/codimddb";
+
+          /*
+           * Do not use pkgs.writeText for secrets as
+           * they will end up in the world-readable Nix store.
+           */
+          environmentFile = pkgs.writeText "codimd-env" ''
+            DB_PASSWORD=snakeoilpassword
+          '';
        };
        postgresql = {
          enable = true;