-rw-r--r-- | nixos/modules/services/development/zammad.nix | 47 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 2 | ||||
-rw-r--r-- | nixos/tests/zammad.nix | 7 |
3 files changed, 41 insertions, 15 deletions
diff --git a/nixos/modules/services/development/zammad.nix b/nixos/modules/services/development/zammad.nix index 119e8fc961e5b..17f78acdfa36f 100644 --- a/nixos/modules/services/development/zammad.nix +++ b/nixos/modules/services/development/zammad.nix @@ -5,6 +5,7 @@ with lib; let cfg = config.services.zammad; settingsFormat = pkgs.formats.yaml { }; + filterNull = filterAttrs (_: v: v != null); serviceConfig = { Type = "simple"; Restart = "always"; @@ -14,8 +15,6 @@ let PrivateTmp = true; StateDirectory = "zammad"; WorkingDirectory = cfg.dataDir; - - EnvironmentFile = cfg.secretsFile; }; environment = { RAILS_ENV = "production"; @@ -139,26 +138,36 @@ in { }; }; - secretsFile = mkOption { + secretKeyBaseFile = mkOption { type = types.nullOr types.path; default = null; + example = "/run/keys/secret_key_base"; description = '' - Path of a file containing secrets the format of EnvironmentFile as - described by systemd.exec(5). You must to define: - - PGPASSWORD - - SECRET_KEY_BASE - SECRET_KEY_BASE can be generated using: - ruby -e "require 'securerandom'; puts SecureRandom.hex(64)" + The path to a file containing the + <literal>secret_key_base</literal> secret. + + Zammad uses <literal>secret_key_base</literal> to encrypt + the cookie store, which contains session data, and to digest + user auth tokens. + + Needs to be a 64 byte long string of hexadecimal + characters. You can generate one by running + + <screen> + <prompt>$ </prompt>openssl rand -hex 64 >/path/to/secret_key_base_file + </screen> + + This should be a string, not a nix path, since nix paths are + copied into the world-readable nix store. ''; }; }; - }; config = mkIf cfg.enable { services.zammad.database.settings = { - production = (mapAttrs (_: v: mkDefault v) { + production = mapAttrs (_: v: mkDefault v) (filterNull { adapter = { PostgreSQL = "postgresql"; MySQL = "mysql2"; 
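Review bot: The `secretKeyBaseFile` description asks for "a 64 byte long string of hexadecimal characters", but the command it recommends, `openssl rand -hex 64`, prints 128 hexadecimal characters (64 random bytes), which also appears to be the length of the value used in nixos/tests/zammad.nix; I would reword it to `Needs to be a string of 128 hexadecimal characters (64 random bytes).`. Separately, the option defaults to `null` while the same commit removes `EnvironmentFile = cfg.secretsFile`, so nothing visible in the diff supplies `secret_key_base` when the option is unset. If the service cannot start without it, an entry in `assertions` whose message names `services.zammad.secretKeyBaseFile` would turn that into an evaluation-time error instead of a runtime failure. The description could also state that the file must not be world-readable, since it protects session cookies and auth tokens.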
@@ -169,7 +178,7 @@ in { encoding = "utf8"; username = cfg.database.user; host = cfg.database.host; - port = lib.mkIf (cfg.database.port != null) cfg.database.port + port = cfg.database.port; }); }; @@ -242,6 +251,20 @@ in { chmod -R u+w . # config file cp ${databaseConfig} ./config/database.yml + chmod -R u+w . + ${optionalString (cfg.database.passwordFile != null) '' + { + echo -n " password: " + cat ${cfg.database.passwordFile} + } >> ./config/database.yml + ''} + ${optionalString (cfg.secretKeyBaseFile != null) '' + { + echo "production: " + echo -n " secret_key_base: " + cat ${cfg.secretKeyBaseFile} + } > ./config/secrets.yml + ''} if [ `${config.services.postgresql.package}/bin/psql \ --host ${cfg.database.host} \ ${optionalString diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index d348c2b0e91f0..fd5cabe2153b5 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -571,7 +571,7 @@ in xxh = handleTest ./xxh.nix {}; yabar = handleTest ./yabar.nix {}; yggdrasil = handleTest ./yggdrasil.nix {}; - zammad = handleTest ./zammad {}; + zammad = handleTest ./zammad.nix {}; zfs = handleTest ./zfs.nix {}; zigbee2mqtt = handleTest ./zigbee2mqtt.nix {}; zoneminder = handleTest ./zoneminder.nix {}; diff --git a/nixos/tests/zammad.nix b/nixos/tests/zammad.nix index 0125aa3a8da96..5849e5bf2163b 100644 --- a/nixos/tests/zammad.nix +++ b/nixos/tests/zammad.nix @@ -1,5 +1,5 @@ -import ../make-test-python.nix ( - { lib, ... }: +import ./make-test-python.nix ( + { lib, pkgs, ... }: { name = "zammad"; @@ -8,6 +8,9 @@ import ../make-test-python.nix ( nodes.machine = { services.zammad.enable = true; + services.zammad.secretKeyBaseFile = pkgs.writeText "secret" '' + 52882ef142066e09ab99ce816ba72522e789505caba224a52d750ec7dc872c2c371b2fd19f16b25dfbdd435a4dd46cb3df9f82eb63fafad715056bdfe25740d6 + ''; }; testScript = '' |
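Review bot: The two added blocks write the database password into `./config/database.yml` and the session secret into `./config/secrets.yml` without restricting the file mode anywhere in the visible lines, so the resulting permissions depend on the unit's umask and on the mode `cp` carries over from the store copy of `databaseConfig`. I would put `umask 077` before the `cp ${databaseConfig} ./config/database.yml` line, or `chmod 0600` both files after they are written; the script continues outside this hunk, so the later commands need checking under the tighter umask. The appended ` password: ` line also relies on the generated YAML ending inside the `production` mapping and inserts the file content unquoted, so a password containing YAML syntax such as ` #` or a leading quote would probably be misread, which is worth stating on the `passwordFile` option. The added `chmod -R u+w .` repeats the recursive one just above the `cp` and could be narrowed to `chmod u+w ./config/database.yml`.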
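Review bot: The fixed `secret_key_base` passed through `pkgs.writeText` in nixos/tests/zammad.nix ends up in the world-readable Nix store, which is exactly what the option description in the module warns against; that is acceptable inside a VM test, but the line carries no comment saying so and test files are often copied as configuration examples. I would add `# Test-only secret: writeText puts it in the world-readable store; use a path outside the store in real configurations.` above `services.zammad.secretKeyBaseFile`.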