diff options
author | pennae <82953136+pennae@users.noreply.github.com> | 2023-07-26 18:23:06 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-07-26 18:23:06 +0200 |
commit | e2a43fbfb3f0535d866d3e6a516dae30821d7d9d (patch) | |
tree | 0cdd5c5541d1dad98e4959abe0d935e90943dc16 | |
parent | f8e5fdc6472abab83356f0027405365ce22aec9d (diff) | |
parent | 533ff8546ba1cab0072c846c588def683613eac8 (diff) |
Merge pull request #244356 from datafoo/mosquitto-systemd-credentials
nixos/mosquitto: leverage systemd credentials
-rw-r--r-- | nixos/modules/services/networking/mosquitto.nix | 65 |
1 files changed, 56 insertions, 9 deletions
diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix index a4fd2fd7c89f1..c53d86c0babcd 100644 --- a/nixos/modules/services/networking/mosquitto.nix +++ b/nixos/modules/services/networking/mosquitto.nix @@ -42,12 +42,15 @@ let }; passwordFile = mkOption { - type = uniq (nullOr types.path); + type = uniq (nullOr path); example = "/path/to/file"; default = null; description = lib.mdDoc '' Specifies the path to a file containing the clear text password for the MQTT user. + The file is securely passed to mosquitto by + leveraging systemd credentials. No special + permissions need to be set on this file. ''; }; @@ -64,7 +67,7 @@ let }; hashedPasswordFile = mkOption { - type = uniq (nullOr types.path); + type = uniq (nullOr path); example = "/path/to/file"; default = null; description = mdDoc '' @@ -73,6 +76,9 @@ let To generate hashed password install the `mosquitto` package and use `mosquitto_passwd`, then remove the `username:` prefix from the generated file. + The file is securely passed to mosquitto by + leveraging systemd credentials. No special + permissions need to be set on this file. ''; }; @@ -102,15 +108,43 @@ let message = "Cannot set more than one password option for user ${n} in ${prefix}"; }) users; - makePasswordFile = users: path: + listenerScope = index: "listener-${toString index}"; + userScope = prefix: index: "${prefix}-user-${toString index}"; + credentialID = prefix: credential: "${prefix}-${credential}"; + + toScopedUsers = listenerScope: users: pipe users [ + attrNames + (imap0 (index: user: nameValuePair user + (users.${user} // { scope = userScope listenerScope index; }) + )) + listToAttrs + ]; + + userCredentials = user: credentials: pipe credentials [ + (filter (credential: user.${credential} != null)) + (map (credential: "${credentialID user.scope credential}:${user.${credential}}")) + ]; + usersCredentials = listenerScope: users: credentials: pipe users [ + (toScopedUsers listenerScope) + (mapAttrsToList (_: user: userCredentials user credentials)) + concatLists + ]; + systemdCredentials = listeners: listenerCredentials: pipe listeners [ + (imap0 (index: listener: listenerCredentials (listenerScope index) listener)) + concatLists + ]; + + makePasswordFile = listenerScope: users: path: let - makeLines = store: file: + makeLines = store: file: let + scopedUsers = toScopedUsers listenerScope users; + in mapAttrsToList - (n: u: "addLine ${escapeShellArg n} ${escapeShellArg u.${store}}") - (filterAttrs (_: u: u.${store} != null) users) + (name: user: ''addLine ${escapeShellArg name} "''$(systemd-creds cat ${credentialID user.scope store})"'') + (filterAttrs (_: user: user.${store} != null) scopedUsers) ++ mapAttrsToList - (n: u: "addFile ${escapeShellArg n} ${escapeShellArg "${u.${file}}"}") - (filterAttrs (_: u: u.${file} != null) users); + (name: user: ''addFile ${escapeShellArg name} "''${CREDENTIALS_DIRECTORY}/${credentialID user.scope file}"'') + (filterAttrs (_: user: user.${file} != null) scopedUsers); plainLines = makeLines "password" "passwordFile"; hashedLines = makeLines "hashedPassword" "hashedPasswordFile"; in @@ -581,6 +615,19 @@ in ExecStart = "${cfg.package}/bin/mosquitto -c ${configFile}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + # Credentials + SetCredential = let + listenerCredentials = listenerScope: listener: + usersCredentials listenerScope listener.users [ "password" "hashedPassword" ]; + in + systemdCredentials cfg.listeners listenerCredentials; + + LoadCredential = let + listenerCredentials = listenerScope: listener: + usersCredentials listenerScope listener.users [ "passwordFile" "hashedPasswordFile" ]; + in + systemdCredentials cfg.listeners listenerCredentials; + # Hardening CapabilityBoundingSet = ""; DevicePolicy = "closed"; @@ -653,7 +700,7 @@ in concatStringsSep "\n" (imap0 - (idx: listener: makePasswordFile listener.users "${cfg.dataDir}/passwd-${toString idx}") + (idx: listener: makePasswordFile (listenerScope idx) listener.users "${cfg.dataDir}/passwd-${toString idx}") cfg.listeners); }; |