
nixos/gitea: make more secrets persistent #108676

Merged
1 commit merged into from Jan 15, 2021

Conversation

clerie
Member

@clerie clerie commented Jan 7, 2021

Motivation for this change

Added JWT_SECRET and INTERNAL_TOKEN to be persistent, like SECRET_KEY and LFS_JWT_SECRET do. Also renamed some vars belonging to SECRET_KEY and LFS_JWT_SECRET to get a consistent naming scheme over all secrets.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@ghost ghost self-requested a review January 8, 2021 23:15
@clerie clerie force-pushed the master branch 2 times, most recently from dd6d4cf to 3f9579d January 15, 2021 10:10
@clerie clerie changed the title nixos/gitea: make more secrets persistet nixos/gitea: make more secrets persistent Jan 15, 2021
…AL_TOKEN to be persistent, like SECRET_KEY and LFS_JWT_SECRET do. Also renamed some vars belonging to SECRET_KEY and LFS_JWT_SECRET to get a consistent naming scheme over all secrets.
@ghost ghost merged commit 10eed48 into NixOS:master Jan 15, 2021
@@ -349,7 +349,7 @@ in
{
DOMAIN = cfg.domain;
STATIC_ROOT_PATH = cfg.staticRootPath;
LFS_JWT_SECRET = "#jwtsecret#";
LFS_JWT_SECRET = "#lfsjwtsecret#";
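Review bot: renaming the placeholder from `"#jwtsecret#"` to `"#lfsjwtsecret#"` is only safe if the preStart substitution for LFS_JWT_SECRET is renamed in the same commit; otherwise the literal `#lfsjwtsecret#` is written to app.ini as a fixed, publicly known value. Since every placeholder here is a well-known string by design, the preStart should also refuse to start the service if any `#...#` marker survives substitution, so a missed rename shows up as a startup error rather than a silently weak secret.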
Member


Does this mean that if I don't change the secrets I would be using this well known secret? That sounds scary.

Member Author


Actually not. Have a look at the preStart in the systemd unit (line 470).
For each secret there is a dedicated file. If the file does not exist, a new secret will be generated and saved in this file. Afterwards every "magic string" will be replaced with the value saved in that file.

So as long as you don't mess around with these files you should be fine.
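The mechanism described in the comment above (one file per secret, generated on first start if missing, then substituted for its placeholder in the config) as an added POSIX shell example; this is not the nixpkgs module's preStart, and STATE_DIR, the app.ini template and the placeholder names are constructed for the demo. It adds one check the discussion asks for: the render fails if any placeholder is left in the rendered config.

```shell
#!/bin/sh
# Added example, not nixpkgs code: persistent per-secret files plus
# placeholder substitution, with a final check that no placeholder survived.
set -eu

# Constructed for this demo; a real service would use its state directory.
STATE_DIR="${STATE_DIR:-$(mktemp -d)}"
CONF="$STATE_DIR/app.ini"

# Create $1 with a fresh 32-byte hex secret if it is missing or empty;
# an existing file is left untouched so the secret survives restarts.
# umask 077 keeps the secret file readable by the owner only.
ensure_secret() {
  if [ ! -s "$1" ]; then
    ( umask 077; od -An -N32 -tx1 /dev/urandom | tr -d ' \n' > "$1" )
  fi
}

# Replace every occurrence of placeholder $2 in config $1 with the contents
# of secret file $3. Temp file plus mv avoids the non-portable `sed -i`.
substitute_secret() {
  secret=$(cat "$3")
  sed "s|$2|$secret|g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Succeeds only if no #...secret#/#...token#/#...key# marker is left, so the
# caller can fail hard instead of starting with a well-known placeholder.
no_placeholders_left() {
  ! grep -Eq '#[a-z0-9]*(secret|token|key)#' "$1"
}

# Write the template (constructed for this demo) and fill in all four secrets.
# Returns non-zero if a placeholder remains after substitution.
render_config() {
  cat > "$CONF" <<'EOF'
[server]
LFS_JWT_SECRET = #lfsjwtsecret#
[security]
SECRET_KEY = #secretkey#
INTERNAL_TOKEN = #internaltoken#
[oauth2]
JWT_SECRET = #oauth2jwtsecret#
EOF
  for pair in lfsjwtsecret:lfs_jwt_secret secretkey:secret_key \
              internaltoken:internal_token oauth2jwtsecret:oauth2_jwt_secret; do
    placeholder="#${pair%%:*}#"
    file="$STATE_DIR/${pair#*:}"
    ensure_secret "$file"
    substitute_secret "$CONF" "$placeholder" "$file"
  done
  no_placeholders_left "$CONF"
}

# Print the value of key $1 from the rendered config (used for checks).
config_value() {
  sed -n "s/^$1 = //p" "$CONF"
}

render_config
```

Running the script twice against the same STATE_DIR yields identical secrets in app.ini, which is the persistence the PR is about; deleting one of the secret files (the "messing around" the comment warns about) rotates only that secret on the next run.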

Member


Yeah, noticed that later too, but it is a bit complicated and can be easily misunderstood.
