Merge pull request #182456 from mayflower/crowd-secrets
nixos/crowd: store openid password securely
commit
f923f5b9aa
|
@ -14,6 +14,21 @@ let
|
||||||
proxyUrl = "${cfg.proxy.scheme}://${cfg.proxy.name}:${toString cfg.proxy.port}";
|
proxyUrl = "${cfg.proxy.scheme}://${cfg.proxy.name}:${toString cfg.proxy.port}";
|
||||||
});
|
});
|
||||||
|
|
||||||
|
crowdPropertiesFile = pkgs.writeText "crowd.properties" ''
|
||||||
|
application.name crowd-openid-server
|
||||||
|
application.password @NIXOS_CROWD_OPENID_PW@
|
||||||
|
application.base.url http://localhost:${toString cfg.listenPort}/openidserver
|
||||||
|
application.login.url http://localhost:${toString cfg.listenPort}/openidserver
|
||||||
|
application.login.url.template http://localhost:${toString cfg.listenPort}/openidserver?returnToUrl=''${RETURN_TO_URL}
|
||||||
|
|
||||||
|
crowd.server.url http://localhost:${toString cfg.listenPort}/crowd/services/
|
||||||
|
|
||||||
|
session.isauthenticated session.isauthenticated
|
||||||
|
session.tokenkey session.tokenkey
|
||||||
|
session.validationinterval 0
|
||||||
|
session.lastvalidation session.lastvalidation
|
||||||
|
'';
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -53,9 +68,16 @@ in
|
||||||
|
|
||||||
openidPassword = mkOption {
|
openidPassword = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
|
default = "WILL_NEVER_BE_SET";
|
||||||
description = "Application password for OpenID server.";
|
description = "Application password for OpenID server.";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
openidPasswordFile = mkOption {
|
||||||
|
type = types.nullOr types.str;
|
||||||
|
default = null;
|
||||||
|
description = "Path to the file containing the application password for OpenID server.";
|
||||||
|
};
|
||||||
|
|
||||||
catalinaOptions = mkOption {
|
catalinaOptions = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.listOf types.str;
|
||||||
default = [];
|
default = [];
|
||||||
|
@ -140,6 +162,7 @@ in
|
||||||
JAVA_HOME = "${cfg.jrePackage}";
|
JAVA_HOME = "${cfg.jrePackage}";
|
||||||
CATALINA_OPTS = concatStringsSep " " cfg.catalinaOptions;
|
CATALINA_OPTS = concatStringsSep " " cfg.catalinaOptions;
|
||||||
CATALINA_TMPDIR = "/tmp";
|
CATALINA_TMPDIR = "/tmp";
|
||||||
|
JAVA_OPTS = mkIf (cfg.openidPasswordFile != null) "-Dcrowd.properties=${cfg.home}/crowd.properties";
|
||||||
};
|
};
|
||||||
|
|
||||||
preStart = ''
|
preStart = ''
|
||||||
|
@ -151,6 +174,14 @@ in
|
||||||
-e 's,compression="on",compression="off" protocol="HTTP/1.1" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}" secure="${boolToString cfg.proxy.secure}",' \
|
-e 's,compression="on",compression="off" protocol="HTTP/1.1" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}" secure="${boolToString cfg.proxy.secure}",' \
|
||||||
'') + ''
|
'') + ''
|
||||||
${pkg}/apache-tomcat/conf/server.xml.dist > ${cfg.home}/server.xml
|
${pkg}/apache-tomcat/conf/server.xml.dist > ${cfg.home}/server.xml
|
||||||
|
|
||||||
|
${optionalString (cfg.openidPasswordFile != null) ''
|
||||||
|
install -m660 ${crowdPropertiesFile} ${cfg.home}/crowd.properties
|
||||||
|
${pkgs.replace-secret}/bin/replace-secret \
|
||||||
|
'@NIXOS_CROWD_OPENID_PW@' \
|
||||||
|
${cfg.openidPasswordFile} \
|
||||||
|
${cfg.home}/crowd.properties
|
||||||
|
''}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
|
|
|
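Review bot: The `install -m660 ${crowdPropertiesFile} ${cfg.home}/crowd.properties` line in the last hunk (the one adding the replace-secret call) sets a group-writable mode without saying who should own the file that will hold the plaintext password; `serviceConfig` is outside this hunk, so whether `preStart` runs as root or as the service account cannot be confirmed from here, but either way ownership and mode should be explicit so the secret is readable by exactly the service and writable by nobody else, e.g. `install -m640 -o <service-user> -g <service-group> ${crowdPropertiesFile} ${cfg.home}/crowd.properties` with the module's own user and group substituted for the placeholders. The `${cfg.openidPasswordFile}` argument on the following lines is unquoted in the shell, so a path containing whitespace would split; `"${cfg.openidPasswordFile}"` avoids that. The `preStart` string this hunk edits begins in the previous hunk. Separately, the `openidPassword` option in the second hunk keeps its original description although the package now warns that it is deprecated; its description should say so and give the reason, e.g. `description = "Application password for OpenID server. Deprecated: this value ends up in the world-readable Nix store; use openidPasswordFile instead.";`.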
@ -1,7 +1,14 @@
|
||||||
{ lib, stdenv, fetchurl, home ? "/var/lib/crowd"
|
{ lib, stdenv, fetchurl, home ? "/var/lib/crowd"
|
||||||
, port ? 8092, proxyUrl ? null, openidPassword ? "WILL_NEVER_BE_SET" }:
|
, port ? 8092, proxyUrl ? null, openidPassword ? "WILL_NEVER_BE_SET" }:
|
||||||
|
|
||||||
stdenv.mkDerivation rec {
|
let
|
||||||
|
optionalWarning = cond: msg:
|
||||||
|
if cond then lib.warn msg
|
||||||
|
else lib.id;
|
||||||
|
in
|
||||||
|
|
||||||
|
optionalWarning (openidPassword != "WILL_NEVER_BE_SET") "Using `crowdProperties` is deprecated!"
|
||||||
|
(stdenv.mkDerivation rec {
|
||||||
pname = "atlassian-crowd";
|
pname = "atlassian-crowd";
|
||||||
version = "5.0.1";
|
version = "5.0.1";
|
||||||
|
|
||||||
|
@ -46,4 +53,4 @@ stdenv.mkDerivation rec {
|
||||||
license = licenses.unfree;
|
license = licenses.unfree;
|
||||||
maintainers = with maintainers; [ fpletz globin ];
|
maintainers = with maintainers; [ fpletz globin ];
|
||||||
};
|
};
|
||||||
}
|
})
|
||||||
|
|
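Review bot: The new `optionalWarning` in the first hunk checks the `openidPassword` argument but the message says "Using `crowdProperties` is deprecated!", which names neither the argument being tested nor the replacement, so a user who only set `openidPassword` may not connect the warning to what they configured; whether `crowdProperties` is an attribute elsewhere in this file is not visible here. A message such as `"atlassian-crowd: the openidPassword argument is deprecated because the password is written into the Nix store; use a password file (e.g. the NixOS openidPasswordFile option) instead"` states the risk and the fix. A one-line comment above `optionalWarning`, e.g. `# warn at eval time when the insecure in-store password is still used`, would also help, since the helper is only applied once further down.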