authorsternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org>2020-09-18 16:41:08 +0200
committersternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org>2020-09-18 16:43:41 +0200
commit185e55665213996527a855ceb7b0a78189887c85 (patch)
treec057fde844678482d3d306f631ebb0026f90812a
parent19017d4697aa4a5b3480f86a2aab3f43ccbceba3 (diff)
feat(nixos,default.nix): configure salt and api tokens from nix
-rw-r--r--default.nix51
-rw-r--r--nixos/flipdot-gschichtler.nix25
2 files changed, 70 insertions, 6 deletions
diff --git a/default.nix b/default.nix
index 7e1d280..40a4106 100644
--- a/default.nix
+++ b/default.nix
@@ -1,4 +1,7 @@
-{ pkgs ? (import <nixpkgs> {}) }:
+{ pkgs ? (import <nixpkgs> {})
+, scryptSalt ? null
+, apiTokens ? null
+}:
 
 with pkgs;
 
@@ -23,8 +26,35 @@ let
 
   y2nlib = yarn2nix.passthru.nixLib;
 
-  warteraumDrv = { stdenv, redo, scrypt }:
-    stdenv.mkDerivation rec {
+  stringSegments = n: s:
+    let
+      stringSplitter = i:
+        builtins.substring (i * 2) n s;
+      nonempty = s: builtins.stringLength s != 0;
+    in
+      builtins.filter nonempty (builtins.genList
+        stringSplitter ((builtins.stringLength s / n) + 1));
+
+  warteraumDrv = { stdenv, redo, scrypt, scryptSalt ? null, apiTokens ? null }:
+    let
+      saltBytes = stringSegments 2 scryptSalt;
+      saltArray =
+        let
+          commas = builtins.foldl' (a: b: a + ", 0x" + b) "" saltBytes;
+        in builtins.substring 1 (builtins.stringLength commas) commas;
+      saltReplace = lib.optionalString (scryptSalt != null) ''
+        sed -i '/^  0x/d' scrypt.h
+        sed -i '/const uint8_t salt/a\${saltArray}' scrypt.h
+      '';
+      tokensReplace = lib.optionalString (apiTokens != null) ''
+        redo hashtoken
+        sed -i '/^  {/d' tokens.h
+        sed -i '/^};/d' tokens.h
+        ${lib.concatMapStringsSep "\n"
+            (x: "./hashtoken ${x} >> tokens.h; echo -n ', ' >> tokens.h") apiTokens}
+        echo "};" >> tokens.h
+      '';
+    in stdenv.mkDerivation rec {
       pname = "warteraum";
       sourceRoot = sourceName + "/warteraum";
 
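Review bot: Each token is spliced unquoted into the builder's shell script by `(x: "./hashtoken ${x} >> tokens.h; echo -n ', ' >> tokens.h")`, so a token containing whitespace, quotes or other shell metacharacters is split or interpreted by the shell instead of being hashed as given; `./hashtoken ${lib.escapeShellArg x} >> tokens.h` closes that. Independently, `apiTokens` and `scryptSalt` are interpolated into `patchPhase` and therefore into the derivation itself, which means the plaintext tokens are recorded in the world-readable `.drv` under `/nix/store` on any machine that instantiates this expression; only the hashes in tokens.h are needed by the binary, so hashing before the values reach Nix would keep the secrets out of the store. `stringSegments` also hard-codes the stride: `builtins.substring (i * 2) n s` should read `builtins.substring (i * n) n s`, otherwise any `n` other than 2 yields overlapping or gapped segments, and the helper is exported at the bottom of this file. The `warteraumDrv` body continues past the end of this hunk.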
@@ -35,6 +65,15 @@ let
         chmod -R u+w "$sourceRoot/.."
       '';
 
+      patchPhase = ''
+        runHook prePatch
+
+        ${saltReplace}
+        ${tokensReplace}
+
+        runHook postPatch
+      '';
+
       buildPhase = "redo";
 
       doCheck = true;
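Review bot: Defining `patchPhase` outright replaces stdenv's generic patch phase, which, as far as I recall, is also what applies a `patches` list; with this definition a future `patches = [ ... ]` on `warteraumDrv` would be silently ignored. If that matters, keep the generic phase and hook into it instead, e.g. `postPatch = saltReplace + tokensReplace;`, and have the static override further down in this file append with `postPatch = old.postPatch + ''...'';` rather than replace. The enclosing `mkDerivation` attribute set starts before and ends after this hunk.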
@@ -55,9 +94,10 @@ rec {
   warteraum-static = (pkgsStatic.callPackage warteraumDrv {
     # todo clang?
     redo = pkgsStatic.redo-sh;
+    inherit scryptSalt apiTokens;
   }).overrideAttrs (old: {
     # musl, static linking
-    patchPhase = ''
+    postPatch = ''
       cat >> ./build_config << EOF
       CFLAGS="\$CFLAGS -static"
       EOF
@@ -67,6 +107,7 @@ rec {
   warteraum = callPackage warteraumDrv {
     stdenv = clangStdenv;
     redo = redo-sh;
+    inherit scryptSalt apiTokens;
   };
 
   bahnhofshalle =
@@ -123,4 +164,6 @@ rec {
 
       buildInputs = [ pythonEnv sqlite ];
     };
+
+  inherit stringSegments;
 }
diff --git a/nixos/flipdot-gschichtler.nix b/nixos/flipdot-gschichtler.nix
index 66c2ba5..33373e9 100644
--- a/nixos/flipdot-gschichtler.nix
+++ b/nixos/flipdot-gschichtler.nix
@@ -5,7 +5,10 @@ with lib;
 let
   cfg = config.services.flipdot-gschichtler;
   fg  = flipdot-gschichtler;
-
+  withTokens = fg.warteraum-static.override {
+    inherit (cfg) apiTokens;
+    scryptSalt = cfg.salt;
+  };
 in {
   options = {
     services.flipdot-gschichtler = {
@@ -19,6 +22,24 @@ in {
           warteraum and bahnhofshalle.
         '';
       };
+
+      salt = mkOption {
+        type = types.str;
+        description = ''
+          Salt to use for hashing API tokens using scrypt_kdf(3).
+          Must be a string of hexadecimals which has a multiple of
+          2 as a length.
+        '';
+      };
+
+      apiTokens = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = ''
+          List of API tokens to allow access.
+          May be strings of any length.
+        '';
+      };
     };
   };
 
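Review bot: The `salt` option documents a constraint (`Must be a string of hexadecimals which has a multiple of 2 as a length`) that nothing enforces; `type = types.strMatching "([0-9a-fA-F]{2})+";` would reject an odd-length or non-hex value at evaluation time instead of letting it reach the `0x` initializer written into scrypt.h. Both options also feed their values into a derivation, so the tokens and the salt end up in world-readable `/nix/store` paths; the `apiTokens` description should say so, e.g. `Tokens are embedded in the Nix store and readable by every local user.`, so module users do not assume NixOS keeps them confidential. Finally, `apiTokens` defaults to `[]` rather than `null`, so the token rewrite in default.nix always runs for this module and, for an empty list, leaves tokens.h with an initializer holding no entries, which is presumably not what the C side expects; `default = null` or an assertion that the list is non-empty would avoid that.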
@@ -30,7 +51,7 @@ in {
 
       serviceConfig = {
         Type = "simple";
-        ExecStart = "${fg.warteraum-static}/bin/warteraum";
+        ExecStart = "${withTokens}/bin/warteraum";
         InAccessibleDirectories = "/";
         # mmap and munmap are used by libscrypt-kdf
         SystemCallFilter = "@default @basic-io @io-event @network-io fcntl @signal @process @timer brk mmap munmap";