Merge pull request #182267 from mayflower/confluence-secrets

nixos/confluence: store crowd SSO password securely
Maximilian Bosch 2022-07-22 13:12:17 +02:00 committed by GitHub
commit 1f6910b7dd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 53 additions and 17 deletions


@ -8,9 +8,11 @@ let
pkg = cfg.package.override (optionalAttrs cfg.sso.enable { pkg = cfg.package.override (optionalAttrs cfg.sso.enable {
enableSSO = cfg.sso.enable; enableSSO = cfg.sso.enable;
crowdProperties = '' });
crowdProperties = pkgs.writeText "crowd.properties" ''
application.name ${cfg.sso.applicationName} application.name ${cfg.sso.applicationName}
application.password ${cfg.sso.applicationPassword} application.password ${if cfg.sso.applicationPassword != null then cfg.sso.applicationPassword else "@NIXOS_CONFLUENCE_CROWD_SSO_PWD@"}
application.login.url ${cfg.sso.crowd}/console/ application.login.url ${cfg.sso.crowd}/console/
crowd.server.url ${cfg.sso.crowd}/services/ crowd.server.url ${cfg.sso.crowd}/services/
@ -21,7 +23,6 @@ let
session.validationinterval ${toString cfg.sso.validationInterval} session.validationinterval ${toString cfg.sso.validationInterval}
session.lastvalidation session.lastvalidation session.lastvalidation session.lastvalidation
''; '';
});
in in
@ -107,10 +108,17 @@ in
}; };
applicationPassword = mkOption { applicationPassword = mkOption {
type = types.str; type = types.nullOr types.str;
default = null;
description = "Application password of this Confluence instance in Crowd"; description = "Application password of this Confluence instance in Crowd";
}; };
applicationPasswordFile = mkOption {
type = types.nullOr types.str;
default = null;
description = "Path to the application password for Crowd of Confluence.";
};
validationInterval = mkOption { validationInterval = mkOption {
type = types.int; type = types.int;
default = 2; default = 2;
@ -147,6 +155,16 @@ in
group = cfg.group; group = cfg.group;
}; };
assertions = [
{ assertion = cfg.sso.enable -> ((cfg.sso.applicationPassword == null) != (cfg.sso.applicationPasswordFile));
message = "Please set either applicationPassword or applicationPasswordFile";
}
];
warnings = mkIf (cfg.sso.enable && cfg.sso.applicationPassword != null) [
"Using `services.confluence.sso.applicationPassword` is deprecated! Use `applicationPasswordFile` instead!"
];
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
@ -173,6 +191,7 @@ in
CONF_USER = cfg.user; CONF_USER = cfg.user;
JAVA_HOME = "${cfg.jrePackage}"; JAVA_HOME = "${cfg.jrePackage}";
CATALINA_OPTS = concatStringsSep " " cfg.catalinaOptions; CATALINA_OPTS = concatStringsSep " " cfg.catalinaOptions;
JAVA_OPTS = mkIf cfg.sso.enable "-Dcrowd.properties=${cfg.home}/crowd.properties";
}; };
preStart = '' preStart = ''
@ -183,6 +202,16 @@ in
-e 's,protocol="org.apache.coyote.http11.Http11NioProtocol",protocol="org.apache.coyote.http11.Http11NioProtocol" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}",' \ -e 's,protocol="org.apache.coyote.http11.Http11NioProtocol",protocol="org.apache.coyote.http11.Http11NioProtocol" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}",' \
'') + '' '') + ''
${pkg}/conf/server.xml.dist > ${cfg.home}/server.xml ${pkg}/conf/server.xml.dist > ${cfg.home}/server.xml
${optionalString cfg.sso.enable ''
install -m660 ${crowdProperties} ${cfg.home}/crowd.properties
${optionalString (cfg.sso.applicationPasswordFile != null) ''
${pkgs.replace-secret}/bin/replace-secret \
'@NIXOS_CONFLUENCE_CROWD_SSO_PWD@' \
${cfg.sso.applicationPasswordFile} \
${cfg.home}/crowd.properties
''}
''}
''; '';
serviceConfig = { serviceConfig = {
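Review bot: The assertion added in the `assertions` hunk can never fail, because it compares a boolean with the value of `applicationPasswordFile` rather than with its nullness: `(cfg.sso.applicationPassword == null) != cfg.sso.applicationPasswordFile` evaluates to `true` both when neither option is set and when both are. The line should read `{ assertion = cfg.sso.enable -> ((cfg.sso.applicationPassword == null) != (cfg.sso.applicationPasswordFile == null));`. As written, enabling SSO with neither option set installs `crowd.properties` containing the literal `@NIXOS_CONFLUENCE_CROWD_SSO_PWD@` placeholder, since the `replace-secret` step is skipped. Separately, the deprecated `applicationPassword` path still embeds the password in the `pkgs.writeText` output, i.e. the world-readable Nix store, which the option description could state: `description = "Application password of this Confluence instance in Crowd. Deprecated: the value ends up in the world-readable Nix store; use applicationPasswordFile instead.";`.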


@ -6,7 +6,14 @@
assert withMysql -> (mysql_jdbc != null); assert withMysql -> (mysql_jdbc != null);
stdenvNoCC.mkDerivation rec { let
optionalWarning = cond: msg:
if cond then lib.warn msg
else lib.id;
in
optionalWarning (crowdProperties != null) "Using `crowdProperties` is deprecated!"
(stdenvNoCC.mkDerivation rec {
pname = "atlassian-confluence"; pname = "atlassian-confluence";
version = "7.18.1"; version = "7.18.1";
@ -45,6 +52,6 @@ stdenvNoCC.mkDerivation rec {
homepage = "https://www.atlassian.com/software/confluence"; homepage = "https://www.atlassian.com/software/confluence";
sourceProvenance = with sourceTypes; [ binaryBytecode ]; sourceProvenance = with sourceTypes; [ binaryBytecode ];
license = licenses.unfree; license = licenses.unfree;
maintainers = with maintainers; [ fpletz globin willibutz ciil techknowlogick ]; maintainers = with maintainers; [ fpletz globin willibutz ciil techknowlogick ma27 ];
}; };
} })
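Review bot: The `optionalWarning` helper introduced in the first hunk re-implements a combinator that nixpkgs' `lib` already provides as `lib.warnIf` (same `cond: msg:` shape, returning `lib.warn msg` or `lib.id`), so if the `lib` in scope here offers it the `let` block can go and the wrapper becomes `lib.warnIf (crowdProperties != null) "Using `crowdProperties` is deprecated!" (stdenvNoCC.mkDerivation rec {`. The function arguments that declare `crowdProperties` and `lib` sit above the hunk, so whether `lib` is already an argument of this file cannot be confirmed from this view. The warning text could also name the replacement so users know where to migrate, e.g. by appending ", pass the password through services.confluence.sso.applicationPasswordFile instead" to the message.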