From b134abeb6d9e78f2ec41d19478c22a72db452d7c Mon Sep 17 00:00:00 2001
From: ibizaman
Date: Mon, 14 Oct 2024 22:11:47 +0200
Subject: [PATCH] switch forgejo to new secrets contract
---
 modules/services/forgejo.nix | 70 ++++++++++++++++++------------------
 test/services/forgejo.nix | 32 +++++++++++++----
 2 files changed, 60 insertions(+), 42 deletions(-)
diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix
index 180b801..f78fb54 100644
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@@ -82,14 +82,12 @@ in
 default = "admin";
 };
 
- adminPasswordFile = lib.mkOption {
- type = lib.types.path;
- description = ''
- File containing the admin password of the LDAP server.
-
- Must be readable by the forgejo system user.
- '';
- default = "";
+ adminPassword = contracts.secret.mkOption {
+ description = "LDAP admin password.";
+ mode = "0440";
+ owner = "forgejo";
+ group = "forgejo";
+ restartUnits = [ "forgejo.service" ];
 };
 
 userGroup = lib.mkOption {
@@ -140,37 +138,37 @@ in
 default = "one_factor";
 };
 
- secretFile = lib.mkOption {
- type = lib.types.path;
- description = ''
- File containing the secret for the OIDC endpoint.
-
- Must be readable by the forgejo system user.
- '';
+ sharedSecret = contracts.secret.mkOption {
+ description = "OIDC shared secret for Forgejo.";
+ mode = "0440";
+ owner = "forgejo";
+ group = "forgejo";
+ restartUnits = [ "forgejo.service" ];
 };
 
- secretFileForAuthelia = lib.mkOption {
- type = lib.types.path;
- description = ''
- File containing the secret for the OIDC endpoint, must be readable by the Authelia user.
-
- Must be readable by the authelia system user.
- '';
+ sharedSecretForAuthelia = contracts.secret.mkOption {
+ description = "OIDC shared secret for Authelia.";
+ mode = "0400";
+ owner = "authelia";
 };
 };
 };
 };
 
- adminPasswordFile = lib.mkOption {
- type = lib.types.path;
+ adminPassword = contracts.secret.mkOption {
 description = "File containing the Forgejo admin user password.";
- example = "/run/secrets/forgejo/adminPassword";
+ mode = "0440";
+ owner = "forgejo";
+ group = "forgejo";
+ restartUnits = [ "forgejo.service" ];
 };
 
- databasePasswordFile = lib.mkOption {
- type = lib.types.path;
+ databasePassword = contracts.secret.mkOption {
 description = "File containing the Forgejo database password.";
- example = "/run/secrets/forgejo/databasePassword";
+ mode = "0440";
+ owner = "forgejo";
+ group = "forgejo";
+ restartUnits = [ "forgejo.service" ];
 };
 
 repositoryRoot = lib.mkOption {
@@ -344,7 +342,7 @@ in
 
 services.forgejo.database = {
 type = "postgres";
- passwordFile = cfg.databasePasswordFile;
+ passwordFile = cfg.databasePassword.result.path;
 };
 })
 
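Review bot: In the @@ -140 hunk the `adminPassword` and `databasePassword` descriptions still read `File containing the Forgejo admin user password.` and `File containing the Forgejo database password.`, although both options are now `contracts.secret.mkOption` values whose path is read from `.result.path`, so the wording no longer describes the option's type; the LDAP option was reworded to `LDAP admin password.` in the same commit, and `Forgejo admin user password.` / `Forgejo database password.` would match it. A second point in the same hunk: `sharedSecretForAuthelia` is the only new secret declared without `restartUnits`, so unless the contract supplies a default (not visible on this page) a rotated secret is not picked up by Authelia until it restarts for some other reason, and `restartUnits = [ "<authelia unit>" ];` (unit name to be confirmed) is worth adding for consistency with the four other secrets. The enclosing option set starts before this hunk.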
@@ -380,7 +378,7 @@ in
 --host ${cfg.ldap.host} \
 --port ${toString cfg.ldap.port} \
 --bind-dn uid=${cfg.ldap.adminName},ou=people,${cfg.ldap.dcdomain} \
- --bind-password $(tr -d '\n' < ${cfg.ldap.adminPasswordFile}) \
+ --bind-password $(tr -d '\n' < ${cfg.ldap.adminPassword.result.path}) \
 --security-protocol Unencrypted \
 --user-search-base ou=people,${cfg.ldap.dcdomain} \
 --user-filter '(&(memberof=cn=${cfg.ldap.userGroup},ou=groups,${cfg.ldap.dcdomain})(|(uid=%[1]s)(mail=%[1]s)))' \
@@ -399,7 +397,7 @@ in
 --host ${cfg.ldap.host} \
 --port ${toString cfg.ldap.port} \
 --bind-dn uid=${cfg.ldap.adminName},ou=people,${cfg.ldap.dcdomain} \
- --bind-password $(tr -d '\n' < ${cfg.ldap.adminPasswordFile}) \
+ --bind-password $(tr -d '\n' < ${cfg.ldap.adminPassword.result.path}) \
 --security-protocol Unencrypted \
 --user-search-base ou=people,${cfg.ldap.dcdomain} \
 --user-filter '(&(memberof=cn=${cfg.ldap.userGroup},ou=groups,${cfg.ldap.dcdomain})(|(uid=%[1]s)(mail=%[1]s)))' \
@@ -456,7 +454,7 @@ in
 --name ${provider} \
 --provider openidConnect \
 --key forgejo \
- --secret $(tr -d '\n' < ${cfg.sso.secretFile}) \
+ --secret $(tr -d '\n' < ${cfg.sso.sharedSecret.result.path}) \
 --auto-discover-url ${cfg.sso.endpoint}/.well-known/openid-configuration
 else
 echo Did not find any sso configuration, creating one with name ${provider}.
@@ -464,7 +462,7 @@ in
 --name ${provider} \
 --provider openidConnect \
 --key forgejo \
- --secret $(tr -d '\n' < ${cfg.sso.secretFile}) \
+ --secret $(tr -d '\n' < ${cfg.sso.sharedSecret.result.path}) \
 --auto-discover-url ${cfg.sso.endpoint}/.well-known/openid-configuration
 fi
 '';
@@ -475,7 +473,7 @@ in
 in {
 client_id = cfg.sso.clientID;
 client_name = "Forgejo";
- client_secret.source = cfg.sso.secretFileForAuthelia;
+ client_secret.source = cfg.sso.sharedSecretForAuthelia.result.path;
 public = false;
 authorization_policy = cfg.sso.authorization_policy;
 redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/user/oauth2/${provider}/callback" ];
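Review bot: The new `--bind-password $(tr -d '\n' < ${cfg.ldap.adminPassword.result.path}) \` line still hands the secret to the `forgejo admin` process as a command-line argument, so for the duration of that call the LDAP bind password sits in the process's argv, which on a default system is readable by other local processes; the secret contract changes where the file lives and who may read it, not how its contents are exposed once read. The same pattern is kept in the @@ -399 hunk, in the `--secret` arguments of the @@ -456 and @@ -464 hunks, and in the two `--password` arguments of the @@ -486 hunk. If the Forgejo admin CLI can take these values from a file or an environment variable, that form avoids the argv exposure; if it cannot, a comment such as `# secret is passed via argv and is visible in the process table while the command runs` next to each call records the accepted risk. Each call is part of a shell string whose enclosing definition begins before the hunk.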
@@ -486,8 +484,8 @@ in
 (lib.mkIf cfg.enable {
 systemd.services.forgejo.preStart = ''
 admin="${lib.getExe config.services.forgejo.package} admin user"
- $admin create --admin --email "root@localhost" --username meadmin --password "$(tr -d '\n' < ${cfg.adminPasswordFile})" || true
- $admin change-password --username meadmin --password "$(tr -d '\n' < ${cfg.adminPasswordFile})" || true
+ $admin create --admin --email "root@localhost" --username meadmin --password "$(tr -d '\n' < ${cfg.adminPassword.result.path})" || true
+ $admin change-password --username meadmin --password "$(tr -d '\n' < ${cfg.adminPassword.result.path})" || true
 '';
 })
 
diff --git a/test/services/forgejo.nix b/test/services/forgejo.nix
index 6a15c66..dbae04b 100644
--- a/test/services/forgejo.nix
+++ b/test/services/forgejo.nix
@@ -29,19 +29,27 @@ let
 ../../modules/services/forgejo.nix
 ];
 
- basic = {
+ basic = { config, ... }: {
 shb.forgejo = {
 enable = true;
 inherit domain subdomain;
- adminPasswordFile = pkgs.writeText "adminPasswordFile" adminPassword;
- databasePasswordFile = pkgs.writeText "databasePassword" "databasePassword";
+ adminPassword.result.path = config.shb.hardcodedsecret.forgejoAdminPassword.path;
+ databasePassword.result.path = config.shb.hardcodedsecret.forgejoDatabasePassword.path;
 };
 
 # Needed for gitea-runner-local to be able to ping forgejo.
 networking.hosts = {
 "127.0.0.1" = [ "${subdomain}.${domain}" ];
 };
+
+ shb.hardcodedsecret.forgejoAdminPassword = config.shb.forgejo.adminPassword.request // {
+ content = adminPassword;
+ };
+
+ shb.hardcodedsecret.forgejoDatabasePassword = config.shb.forgejo.databasePassword.request // {
+ content = "databasePassword";
+ };
 };
 
 https = { config, ... }: {
@@ -57,9 +65,13 @@ let
 host = "127.0.0.1";
 port = config.shb.ldap.ldapPort;
 dcdomain = config.shb.ldap.dcdomain;
- adminPasswordFile = config.shb.ldap.ldapUserPassword.result.path;
+ adminPassword.result.path = config.shb.hardcodedsecret.forgejoLdapUserPassword.path;
 };
 };
+
+ shb.hardcodedsecret.forgejoLdapUserPassword = config.shb.forgejo.ldap.adminPassword.request // {
+ content = "ldapUserPassword";
+ };
 };
 
 sso = { config, ... }: {
@@ -67,10 +79,18 @@ let
 sso = {
 enable = true;
 endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
- secretFile = pkgs.writeText "ssoSecretFile" "ssoSecretFile";
- secretFileForAuthelia = pkgs.writeText "ssoSecretFile" "ssoSecretFile";
+ sharedSecret.result.path = config.shb.hardcodedsecret.forgejoSSOPassword.path;
+ sharedSecretForAuthelia.result.path = config.shb.hardcodedsecret.forgejoSSOPasswordAuthelia.path;
 };
 };
+
+ shb.hardcodedsecret.forgejoSSOPassword = config.shb.forgejo.sso.sharedSecret.request // {
+ content = "ssoPassword";
+ };
+
+ shb.hardcodedsecret.forgejoSSOPasswordAuthelia = config.shb.forgejo.sso.sharedSecretForAuthelia.request // {
+ content = "ssoPassword";
+ };
 };
 in {
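Review bot: In the @@ -67 hunk `forgejoSSOPassword` and `forgejoSSOPasswordAuthelia` both set `content = "ssoPassword";`, and nothing records that the two values must be identical: the first feeds the `--secret` argument Forgejo registers for its OIDC provider and the second feeds Authelia's `client_secret.source`, so they are the two sides of one client secret and an edit that changes only one would break the SSO test in a non-obvious way. A comment above the first entry such as `# Same OIDC client secret seen by Forgejo and by Authelia; keep both in sync.` makes the coupling explicit. The `sso` module these belong to starts before the hunk.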