nixos/resilio: support secret files

When using the declarative shared folder configuration for resilio sync it is now possible to pass a path from which to read the secret should be read at runtime. The path will not be added to the nix store. The 'secret' parameter to specify the secret directly is still supported. This option will still store the secret in the nix store. This commit follows the pattern described in this issue, for upstream programs that do not provide support for setting a password using a file: https://github.com/NixOS/nixpkgs/issues/24288
2021-06-05 16:14:01 +02:00 · 2021-06-05 16:14:01 +02:00 · c8f9d170d4
parent edeb96b887
commit c8f9d170d4
3 changed files with 38 additions and 6 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@ -121,6 +121,13 @@
          <link xlink:href="https://search.nixos.org/packages?channel=unstable&amp;show=utm&amp;from=0&amp;size=1&amp;sort=relevance&amp;type=packages&amp;query=utm">package</link>.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          Resilio sync secret keys can now be provided using a secrets
+          file at runtime, preventing these secrets from ending up in
+          the Nix store.
+        </para>
+      </listitem>
    </itemizedlist>
  </section>
 </section>
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@ -40,3 +40,5 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules)

 - A new `virtualisation.rosetta` module was added to allow running `x86_64` binaries through [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) inside virtualised NixOS guests on Apple silicon. This feature works by default with the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm).
+
+- Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.
--- a/nixos/modules/services/networking/resilio.nix
+++ b/nixos/modules/services/networking/resilio.nix
@ -8,7 +8,6 @@ let
  resilioSync = pkgs.resilio-sync;

  sharedFoldersRecord = map (entry: {
-    secret = entry.secret;
    dir = entry.directory;

    use_relay_server = entry.useRelayServer;
@ -40,6 +39,31 @@ let
    shared_folders = sharedFoldersRecord;
  }));

+  sharedFoldersSecretFiles = map (entry: {
+    dir = entry.directory;
+    secretFile = if builtins.hasAttr "secret" entry then
+      toString (pkgs.writeTextFile {
+        name = "secret-file";
+        text = entry.secret;
+      })
+    else
+      entry.secretFile;
+  }) cfg.sharedFolders;
+
+  runConfigPath = "/run/rslsync/config.json";
+
+  createConfig = pkgs.writeShellScriptBin "create-resilio-config" ''
+    ${pkgs.jq}/bin/jq \
+      '.shared_folders |= map(.secret = $ARGS.named[.dir])' \
+      ${
+        lib.concatMapStringsSep " \\\n  "
+        (entry: ''--arg '${entry.dir}' "$(cat '${entry.secretFile}')"'')
+        sharedFoldersSecretFiles
+      } \
+      <${configFile} \
+      >${runConfigPath}
+  '';
+
 in
 {
  options = {
@ -186,7 +210,7 @@ in
        default = [];
        type = types.listOf (types.attrsOf types.anything);
        example =
-          [ { secret         = "AHMYFPCQAHBM7LQPFXQ7WV6Y42IGUXJ5Y";
+          [ { secretFile     = "/run/resilio-secret";
              directory      = "/home/user/sync_test";
              useRelayServer = true;
              useTracker     = true;
@ -202,9 +226,6 @@ in
        description = lib.mdDoc ''
          Shared folder list. If enabled, web UI must be
          disabled. Secrets can be generated using `rslsync --generate-secret`.
-          Note that this secret will be
-          put inside the Nix store, so it is realistically not very
-          secret.

          If you would like to be able to modify the contents of this
          directories, it is recommended that you make your user a
@ -256,8 +277,10 @@ in
        Restart   = "on-abort";
        UMask     = "0002";
        User      = "rslsync";
+        RuntimeDirectory = "rslsync";
+        ExecStartPre = "${createConfig}/bin/create-resilio-config";
        ExecStart = ''
-          ${resilioSync}/bin/rslsync --nodaemon --config ${configFile}
+          ${resilioSync}/bin/rslsync --nodaemon --config ${runConfigPath}
        '';
      };
    };