Merge pull request #182267 from mayflower/confluence-secrets
nixos/confluence: store crowd SSO password securely
commit
1f6910b7dd
@ -8,9 +8,11 @@ let
|
|||||||
|
|
||||||
pkg = cfg.package.override (optionalAttrs cfg.sso.enable {
|
pkg = cfg.package.override (optionalAttrs cfg.sso.enable {
|
||||||
enableSSO = cfg.sso.enable;
|
enableSSO = cfg.sso.enable;
|
||||||
crowdProperties = ''
|
});
|
||||||
|
|
||||||
|
crowdProperties = pkgs.writeText "crowd.properties" ''
|
||||||
application.name ${cfg.sso.applicationName}
|
application.name ${cfg.sso.applicationName}
|
||||||
application.password ${cfg.sso.applicationPassword}
|
application.password ${if cfg.sso.applicationPassword != null then cfg.sso.applicationPassword else "@NIXOS_CONFLUENCE_CROWD_SSO_PWD@"}
|
||||||
application.login.url ${cfg.sso.crowd}/console/
|
application.login.url ${cfg.sso.crowd}/console/
|
||||||
|
|
||||||
crowd.server.url ${cfg.sso.crowd}/services/
|
crowd.server.url ${cfg.sso.crowd}/services/
|
||||||
@ -21,7 +23,6 @@ let
|
|||||||
session.validationinterval ${toString cfg.sso.validationInterval}
|
session.validationinterval ${toString cfg.sso.validationInterval}
|
||||||
session.lastvalidation session.lastvalidation
|
session.lastvalidation session.lastvalidation
|
||||||
'';
|
'';
|
||||||
});
|
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
@ -107,10 +108,17 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
applicationPassword = mkOption {
|
applicationPassword = mkOption {
|
||||||
type = types.str;
|
type = types.nullOr types.str;
|
||||||
|
default = null;
|
||||||
description = "Application password of this Confluence instance in Crowd";
|
description = "Application password of this Confluence instance in Crowd";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
applicationPasswordFile = mkOption {
|
||||||
|
type = types.nullOr types.str;
|
||||||
|
default = null;
|
||||||
|
description = "Path to the application password for Crowd of Confluence.";
|
||||||
|
};
|
||||||
|
|
||||||
validationInterval = mkOption {
|
validationInterval = mkOption {
|
||||||
type = types.int;
|
type = types.int;
|
||||||
default = 2;
|
default = 2;
|
||||||
@ -147,6 +155,16 @@ in
|
|||||||
group = cfg.group;
|
group = cfg.group;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
assertions = [
|
||||||
|
{ assertion = cfg.sso.enable -> ((cfg.sso.applicationPassword == null) != (cfg.sso.applicationPasswordFile));
|
||||||
|
message = "Please set either applicationPassword or applicationPasswordFile";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
warnings = mkIf (cfg.sso.enable && cfg.sso.applicationPassword != null) [
|
||||||
|
"Using `services.confluence.sso.applicationPassword` is deprecated! Use `applicationPasswordFile` instead!"
|
||||||
|
];
|
||||||
|
|
||||||
users.groups.${cfg.group} = {};
|
users.groups.${cfg.group} = {};
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
@ -173,6 +191,7 @@ in
|
|||||||
CONF_USER = cfg.user;
|
CONF_USER = cfg.user;
|
||||||
JAVA_HOME = "${cfg.jrePackage}";
|
JAVA_HOME = "${cfg.jrePackage}";
|
||||||
CATALINA_OPTS = concatStringsSep " " cfg.catalinaOptions;
|
CATALINA_OPTS = concatStringsSep " " cfg.catalinaOptions;
|
||||||
|
JAVA_OPTS = mkIf cfg.sso.enable "-Dcrowd.properties=${cfg.home}/crowd.properties";
|
||||||
};
|
};
|
||||||
|
|
||||||
preStart = ''
|
preStart = ''
|
||||||
@ -183,6 +202,16 @@ in
|
|||||||
-e 's,protocol="org.apache.coyote.http11.Http11NioProtocol",protocol="org.apache.coyote.http11.Http11NioProtocol" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}",' \
|
-e 's,protocol="org.apache.coyote.http11.Http11NioProtocol",protocol="org.apache.coyote.http11.Http11NioProtocol" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}",' \
|
||||||
'') + ''
|
'') + ''
|
||||||
${pkg}/conf/server.xml.dist > ${cfg.home}/server.xml
|
${pkg}/conf/server.xml.dist > ${cfg.home}/server.xml
|
||||||
|
|
||||||
|
${optionalString cfg.sso.enable ''
|
||||||
|
install -m660 ${crowdProperties} ${cfg.home}/crowd.properties
|
||||||
|
${optionalString (cfg.sso.applicationPasswordFile != null) ''
|
||||||
|
${pkgs.replace-secret}/bin/replace-secret \
|
||||||
|
'@NIXOS_CONFLUENCE_CROWD_SSO_PWD@' \
|
||||||
|
${cfg.sso.applicationPasswordFile} \
|
||||||
|
${cfg.home}/crowd.properties
|
||||||
|
''}
|
||||||
|
''}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
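Review bot: The new assertion `cfg.sso.enable -> ((cfg.sso.applicationPassword == null) != (cfg.sso.applicationPasswordFile))` compares a boolean with a string-or-null rather than with a second boolean, so it holds for every configuration (`true != null` and `false != "/path"` are both true) and never rejects setting both options or neither. With SSO enabled and neither option set, the crowd.properties template keeps the literal `@NIXOS_CONFLUENCE_CROWD_SSO_PWD@` as `application.password`, because the replace-secret call in preStart only runs when applicationPasswordFile is non-null. The fix is to close the comparison: `(cfg.sso.applicationPassword == null) != (cfg.sso.applicationPasswordFile == null)`. Separately, `install -m660 ${crowdProperties} ${cfg.home}/crowd.properties` sets no owner or group; if preStart runs as a user other than cfg.user (serviceConfig lies outside the hunk), the service will not be able to read the file, so either confirm that or pass `-o ${cfg.user} -g ${cfg.group}`.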
|
@ -6,7 +6,14 @@
|
|||||||
|
|
||||||
assert withMysql -> (mysql_jdbc != null);
|
assert withMysql -> (mysql_jdbc != null);
|
||||||
|
|
||||||
stdenvNoCC.mkDerivation rec {
|
let
|
||||||
|
optionalWarning = cond: msg:
|
||||||
|
if cond then lib.warn msg
|
||||||
|
else lib.id;
|
||||||
|
in
|
||||||
|
|
||||||
|
optionalWarning (crowdProperties != null) "Using `crowdProperties` is deprecated!"
|
||||||
|
(stdenvNoCC.mkDerivation rec {
|
||||||
pname = "atlassian-confluence";
|
pname = "atlassian-confluence";
|
||||||
version = "7.18.1";
|
version = "7.18.1";
|
||||||
|
|
||||||
@ -45,6 +52,6 @@ stdenvNoCC.mkDerivation rec {
|
|||||||
homepage = "https://www.atlassian.com/software/confluence";
|
homepage = "https://www.atlassian.com/software/confluence";
|
||||||
sourceProvenance = with sourceTypes; [ binaryBytecode ];
|
sourceProvenance = with sourceTypes; [ binaryBytecode ];
|
||||||
license = licenses.unfree;
|
license = licenses.unfree;
|
||||||
maintainers = with maintainers; [ fpletz globin willibutz ciil techknowlogick ];
|
maintainers = with maintainers; [ fpletz globin willibutz ciil techknowlogick ma27 ];
|
||||||
};
|
};
|
||||||
}
|
})
|
||||||
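Review bot: The `optionalWarning` helper introduced in the let-block has the same `cond: msg:` shape as `lib.warnIf` from nixpkgs' lib/trivial.nix, so unless the lib revision in use predates that function the helper can be dropped and the derivation wrapped as `lib.warnIf (crowdProperties != null) "Using \`crowdProperties\` is deprecated!" (stdenvNoCC.mkDerivation rec { … })`. The `crowdProperties` argument and its default live in the function header outside this hunk, so whether it defaults to null (which the `!= null` test presumes) cannot be confirmed from here.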
|