switch forgejo to new secrets contract

2024-10-14 22:11:47 +02:00 · 2024-10-14 22:11:47 +02:00 · b134abeb6d
commit b134abeb6d
parent b85705ab74
2 changed files with 60 additions and 42 deletions
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@ -82,14 +82,12 @@ in
            default = "admin";
          };
-          adminPasswordFile = lib.mkOption {
+          adminPassword = contracts.secret.mkOption {
-            type = lib.types.path;
+            description = "LDAP admin password.";
-            description = ''
+            mode = "0440";
-              File containing the admin password of the LDAP server.
+            owner = "forgejo";
-
+            group = "forgejo";
-              Must be readable by the forgejo system user.
+            restartUnits = [ "forgejo.service" ];
            '';
            default = "";
          };
          userGroup = lib.mkOption {
@ -140,37 +138,37 @@ in
            default = "one_factor";
          };
-          secretFile = lib.mkOption {
+          sharedSecret = contracts.secret.mkOption {
-            type = lib.types.path;
+            description = "OIDC shared secret for Forgejo.";
-            description = ''
+            mode = "0440";
-              File containing the secret for the OIDC endpoint.
+            owner = "forgejo";
-
+            group = "forgejo";
-              Must be readable by the forgejo system user.
+            restartUnits = [ "forgejo.service" ];
            '';
          };
-          secretFileForAuthelia = lib.mkOption {
+          sharedSecretForAuthelia = contracts.secret.mkOption {
-            type = lib.types.path;
+            description = "OIDC shared secret for Authelia.";
-            description = ''
+            mode = "0400";
-              File containing the secret for the OIDC endpoint, must be readable by the Authelia user.
+            owner = "authelia";
              Must be readable by the authelia system user.
            '';
          };
        };
      };
    };
-    adminPasswordFile = lib.mkOption {
+    adminPassword = contracts.secret.mkOption {
      type = lib.types.path;
      description = "File containing the Forgejo admin user password.";
-      example = "/run/secrets/forgejo/adminPassword";
+      mode = "0440";
      owner = "forgejo";
      group = "forgejo";
      restartUnits = [ "forgejo.service" ];
    };
-    databasePasswordFile = lib.mkOption {
+    databasePassword = contracts.secret.mkOption {
      type = lib.types.path;
      description = "File containing the Forgejo database password.";
-      example = "/run/secrets/forgejo/databasePassword";
+      mode = "0440";
      owner = "forgejo";
      group = "forgejo";
      restartUnits = [ "forgejo.service" ];
    };
    repositoryRoot = lib.mkOption {
@ -344,7 +342,7 @@ in
      services.forgejo.database = {
        type = "postgres";
-        passwordFile = cfg.databasePasswordFile;
+        passwordFile = cfg.databasePassword.result.path;
      };
    })
@ -380,7 +378,7 @@ in
            --host                ${cfg.ldap.host} \
            --port                ${toString cfg.ldap.port} \
            --bind-dn             uid=${cfg.ldap.adminName},ou=people,${cfg.ldap.dcdomain} \
-            --bind-password       $(tr -d '\n' < ${cfg.ldap.adminPasswordFile}) \
+            --bind-password       $(tr -d '\n' < ${cfg.ldap.adminPassword.result.path}) \
            --security-protocol   Unencrypted \
            --user-search-base    ou=people,${cfg.ldap.dcdomain} \
            --user-filter         '(&(memberof=cn=${cfg.ldap.userGroup},ou=groups,${cfg.ldap.dcdomain})(|(uid=%[1]s)(mail=%[1]s)))' \
@ -399,7 +397,7 @@ in
            --host                ${cfg.ldap.host} \
            --port                ${toString cfg.ldap.port} \
            --bind-dn             uid=${cfg.ldap.adminName},ou=people,${cfg.ldap.dcdomain} \
-            --bind-password       $(tr -d '\n' < ${cfg.ldap.adminPasswordFile}) \
+            --bind-password       $(tr -d '\n' < ${cfg.ldap.adminPassword.result.path}) \
            --security-protocol   Unencrypted \
            --user-search-base    ou=people,${cfg.ldap.dcdomain} \
            --user-filter         '(&(memberof=cn=${cfg.ldap.userGroup},ou=groups,${cfg.ldap.dcdomain})(|(uid=%[1]s)(mail=%[1]s)))' \
@ -456,7 +454,7 @@ in
            --name     ${provider} \
            --provider openidConnect \
            --key      forgejo \
-            --secret   $(tr -d '\n' < ${cfg.sso.secretFile}) \
+            --secret   $(tr -d '\n' < ${cfg.sso.sharedSecret.result.path}) \
            --auto-discover-url ${cfg.sso.endpoint}/.well-known/openid-configuration
        else
          echo Did not find any sso configuration, creating one with name ${provider}.
@ -464,7 +462,7 @@ in
            --name     ${provider} \
            --provider openidConnect \
            --key      forgejo \
-            --secret   $(tr -d '\n' < ${cfg.sso.secretFile}) \
+            --secret   $(tr -d '\n' < ${cfg.sso.sharedSecret.result.path}) \
            --auto-discover-url ${cfg.sso.endpoint}/.well-known/openid-configuration
        fi
      '';
@ -475,7 +473,7 @@ in
        in {
          client_id = cfg.sso.clientID;
          client_name = "Forgejo";
-          client_secret.source = cfg.sso.secretFileForAuthelia;
+          client_secret.source = cfg.sso.sharedSecretForAuthelia.result.path;
          public = false;
          authorization_policy = cfg.sso.authorization_policy;
          redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/user/oauth2/${provider}/callback" ];
@ -486,8 +484,8 @@ in
    (lib.mkIf cfg.enable {
      systemd.services.forgejo.preStart = ''
        admin="${lib.getExe config.services.forgejo.package} admin user"
-        $admin create --admin --email "root@localhost" --username meadmin --password "$(tr -d '\n' < ${cfg.adminPasswordFile})" || true
+        $admin create --admin --email "root@localhost" --username meadmin --password "$(tr -d '\n' < ${cfg.adminPassword.result.path})" || true
-        $admin change-password --username meadmin --password "$(tr -d '\n' < ${cfg.adminPasswordFile})" || true
+        $admin change-password --username meadmin --password "$(tr -d '\n' < ${cfg.adminPassword.result.path})" || true
 '';
    })
--- a/test/services/forgejo.nix
+++ b/test/services/forgejo.nix
@ -29,19 +29,27 @@ let
    ../../modules/services/forgejo.nix
  ];
-  basic = {
+  basic = { config, ... }: {
    shb.forgejo = {
      enable = true;
      inherit domain subdomain;
-      adminPasswordFile = pkgs.writeText "adminPasswordFile" adminPassword;
+      adminPassword.result.path = config.shb.hardcodedsecret.forgejoAdminPassword.path;
-      databasePasswordFile = pkgs.writeText "databasePassword" "databasePassword";
+      databasePassword.result.path = config.shb.hardcodedsecret.forgejoDatabasePassword.path;
    };
    # Needed for gitea-runner-local to be able to ping forgejo.
    networking.hosts = {
      "127.0.0.1" = [ "${subdomain}.${domain}" ];
    };
    shb.hardcodedsecret.forgejoAdminPassword = config.shb.forgejo.adminPassword.request // {
      content = adminPassword;
    };
    shb.hardcodedsecret.forgejoDatabasePassword = config.shb.forgejo.databasePassword.request // {
      content = "databasePassword";
    };
  };
  https = { config, ... }: {
@ -57,9 +65,13 @@ let
        host = "127.0.0.1";
        port = config.shb.ldap.ldapPort;
        dcdomain = config.shb.ldap.dcdomain;
-        adminPasswordFile = config.shb.ldap.ldapUserPassword.result.path;
+        adminPassword.result.path = config.shb.hardcodedsecret.forgejoLdapUserPassword.path;
      };
    };
    shb.hardcodedsecret.forgejoLdapUserPassword = config.shb.forgejo.ldap.adminPassword.request // {
      content = "ldapUserPassword";
    };
  };
  sso = { config, ... }: {
@ -67,10 +79,18 @@ let
      sso = {
        enable = true;
        endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
-        secretFile = pkgs.writeText "ssoSecretFile" "ssoSecretFile";
+        sharedSecret.result.path = config.shb.hardcodedsecret.forgejoSSOPassword.path;
-        secretFileForAuthelia = pkgs.writeText "ssoSecretFile" "ssoSecretFile";
+        sharedSecretForAuthelia.result.path = config.shb.hardcodedsecret.forgejoSSOPasswordAuthelia.path;
      };
    };
    shb.hardcodedsecret.forgejoSSOPassword = config.shb.forgejo.sso.sharedSecret.request // {
      content = "ssoPassword";
    };
    shb.hardcodedsecret.forgejoSSOPasswordAuthelia = config.shb.forgejo.sso.sharedSecretForAuthelia.request // {
      content = "ssoPassword";
    };
  };
 in
 {