Merge pull request #300487 from davidkna/kavita-token

nixos/kavita: document new `tokenKeyFile` requirements
2024-04-07 19:27:34 +02:00 · 2024-04-07 19:27:34 +02:00 · 0f58ce3b44
parent 067462038e 2bde9aa8f8
commit 0f58ce3b44
2 changed files with 4 additions and 3 deletions
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@ -506,7 +506,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

 - `services.kavita` now uses the freeform option `services.kavita.settings` for the application settings file.
  The options `services.kavita.ipAdresses` and `services.kavita.port` now exist at `services.kavita.settings.IpAddresses`
-  and `services.kavita.settings.IpAddresses`.
+  and `services.kavita.settings.IpAddresses`. The file at `services.kavita.tokenKeyFile` now needs to contain a secret with
+  512+ bits instead of 128+ bits.

 - The `krb5` module has been rewritten and moved to `security.krb5`, moving all options but `security.krb5.enable` and `security.krb5.package` into `security.krb5.settings`.

--- a/nixos/modules/services/web-apps/kavita.nix
+++ b/nixos/modules/services/web-apps/kavita.nix
@ -34,8 +34,8 @@ in
    tokenKeyFile = lib.mkOption {
      type = lib.types.path;
      description = lib.mdDoc ''
-        A file containing the TokenKey, a secret with at 128+ bits.
-        It can be generated with `head -c 32 /dev/urandom | base64`.
+        A file containing the TokenKey, a secret with at 512+ bits.
+        It can be generated with `head -c 64 /dev/urandom | base64 --wrap=0`.
      '';
    };