Merge pull request #156601 from symphorien/miniflux-password

nixos/miniflux: no cleartext password in the store
Guillaume Girol 2022-02-21 21:18:36 +00:00 committed by GitHub
commit 4846d948b4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 46 additions and 33 deletions


@ -444,6 +444,13 @@
support due to python2 deprecation in nixpkgs
</para>
</listitem>
<listitem>
<para>
<literal>services.miniflux.adminCredentialFiles</literal> is
now required, instead of defaulting to
<literal>admin</literal> and <literal>password</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>autorestic</literal> package has been upgraded


@ -147,6 +147,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- opensmtpd-extras is no longer build with python2 scripting support due to python2 deprecation in nixpkgs
- `services.miniflux.adminCredentialFiles` is now required, instead of defaulting to `admin` and `password`.
- The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details.
- For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline`


@ -7,26 +7,12 @@ let
defaultAddress = "localhost:8080";
dbUser = "miniflux";
dbPassword = "miniflux";
dbHost = "localhost";
dbName = "miniflux";
defaultCredentials = pkgs.writeText "miniflux-admin-credentials" ''
ADMIN_USERNAME=admin
ADMIN_PASSWORD=password
'';
pgbin = "${config.services.postgresql.package}/bin";
preStart = pkgs.writeScript "miniflux-pre-start" ''
#!${pkgs.runtimeShell}
db_exists() {
[ "$(${pgbin}/psql -Atc "select 1 from pg_database where datname='$1'")" == "1" ]
}
if ! db_exists "${dbName}"; then
${pgbin}/psql postgres -c "CREATE ROLE ${dbUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${dbPassword}'"
${pgbin}/createdb --owner "${dbUser}" "${dbName}"
${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
fi
${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
'';
in
@ -54,11 +40,10 @@ in
};
adminCredentialsFile = mkOption {
type = types.nullOr types.path;
default = null;
type = types.path;
description = ''
File containing the ADMIN_USERNAME, default is "admin", and
ADMIN_PASSWORD (length >= 6), default is "password"; in the format of
File containing the ADMIN_USERNAME and
ADMIN_PASSWORD (length >= 6) in the format of
an EnvironmentFile=, as described by systemd.exec(5).
'';
example = "/etc/nixos/miniflux-admin-credentials";
@ -70,16 +55,24 @@ in
services.miniflux.config = {
LISTEN_ADDR = mkDefault defaultAddress;
DATABASE_URL = "postgresql://${dbUser}:${dbPassword}@${dbHost}/${dbName}?sslmode=disable";
DATABASE_URL = "user=${dbUser} host=/run/postgresql dbname=${dbName}";
RUN_MIGRATIONS = "1";
CREATE_ADMIN = "1";
};
services.postgresql.enable = true;
services.postgresql = {
enable = true;
ensureUsers = [ {
name = dbUser;
ensurePermissions = {
"DATABASE ${dbName}" = "ALL PRIVILEGES";
};
} ];
ensureDatabases = [ dbName ];
};
systemd.services.miniflux-dbsetup = {
description = "Miniflux database setup";
wantedBy = [ "multi-user.target" ];
requires = [ "postgresql.service" ];
after = [ "network.target" "postgresql.service" ];
serviceConfig = {
@ -92,17 +85,16 @@ in
systemd.services.miniflux = {
description = "Miniflux service";
wantedBy = [ "multi-user.target" ];
requires = [ "postgresql.service" ];
requires = [ "miniflux-dbsetup.service" ];
after = [ "network.target" "postgresql.service" "miniflux-dbsetup.service" ];
serviceConfig = {
ExecStart = "${pkgs.miniflux}/bin/miniflux";
User = dbUser;
DynamicUser = true;
RuntimeDirectory = "miniflux";
RuntimeDirectoryMode = "0700";
EnvironmentFile = if cfg.adminCredentialsFile == null
then defaultCredentials
else cfg.adminCredentialsFile;
EnvironmentFile = cfg.adminCredentialsFile;
# Hardening
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
@ -119,7 +111,7 @@ in
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
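Review bot: `type = types.path;` on `adminCredentialsFile` still accepts a Nix path literal such as `./miniflux-admin-credentials`, which Nix copies into the world-readable store at evaluation time — exactly the cleartext-in-store outcome this commit sets out to remove. Consider `type = types.str;` (the example `/etc/nixos/miniflux-admin-credentials` is already a string), or keep `types.path` and add to the description: `Pass this as an absolute path string, not a Nix path literal; a path literal is copied into the world-readable Nix store.` Separately, on deployments upgraded from the old module the `miniflux` role created by the removed pre-start script still carries the hard-coded password `miniflux`, and `ensureUsers` does not reset it, so if the local pg_hba permits password authentication over TCP that role presumably remains reachable with a well-known password — a release-note hint to run `ALTER ROLE miniflux PASSWORD NULL;` would close that off. The `miniflux-dbsetup` and `miniflux` service definitions continue past the hunks shown.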


@ -7,6 +7,15 @@ let
defaultPort = 8080;
defaultUsername = "admin";
defaultPassword = "password";
adminCredentialsFile = pkgs.writeText "admin-credentials" ''
ADMIN_USERNAME=${defaultUsername}
ADMIN_PASSWORD=${defaultPassword}
'';
customAdminCredentialsFile = pkgs.writeText "admin-credentials" ''
ADMIN_USERNAME=${username}
ADMIN_PASSWORD=${password}
'';
in
with lib;
{
@ -17,13 +26,19 @@ with lib;
default =
{ ... }:
{
services.miniflux.enable = true;
services.miniflux = {
enable = true;
inherit adminCredentialsFile;
};
};
withoutSudo =
{ ... }:
{
services.miniflux.enable = true;
services.miniflux = {
enable = true;
inherit adminCredentialsFile;
};
security.sudo.enable = false;
};
@ -36,10 +51,7 @@ with lib;
CLEANUP_FREQUENCY = "48";
LISTEN_ADDR = "localhost:${toString port}";
};
adminCredentialsFile = pkgs.writeText "admin-credentials" ''
ADMIN_USERNAME=${username}
ADMIN_PASSWORD=${password}
'';
adminCredentialsFile = customAdminCredentialsFile;
};
};
};