Pinging @1000101 maintainer.

@dadada thanks a million for picking up on this, I'll give it a go in a couple of hours.

@aanderse might want to have a look at this, too!

@dadada Let me know when you're happy with the changes and I'll test it.

Thanks for taking an interest. What's your opinion on the way the users.php is created? If I understand correctly, this was previously read-only / part of the derivation? Was there some specific reason for this? Should we put a warning if usersFile is defined?

I made two more minor changes. efc9258c97355b4ea6e313c7ab9447d894dbcf34 adds a dokuwiki user that owns all the state directories and files.

07504a1 changes the behaviour of usersFile and aclFile. Since they might contain private information, the contents should not end up in the nix store. If the options are defined, those files are generated at the given paths if they don't already exist.

If acl is specified, the contents of it end up in the nix store, but I consider this to be a valid use-case and included a warning in the documentation.

I'll need to do a quick reword of the commit messages that change nixos/dokuwiki

@dadada Let me know when you're happy with the changes and I'll test it.

I'm happy, go ahead. :-)

@GrahamcOfBorg test dokuwiki

Thanks for taking an interest. What's your opinion on the way the users.php is created? If I understand correctly, this was previously read-only / part of the derivation? Was there some specific reason for this? Should we put a warning if usersFile is defined?

You mean users.auth.php (i.e. usersFile option)? It was actually not part of the derivation so that 1. credentials would not end up in nix store 2. it would be mutable (users could change their passwords).

Generally, I was trying to have as much options as I can immutable, with obvious ones mutable (https://github.com/NixOS/nixpkgs/pull/77830/files#r368233914 (resolved conversation) ).

You mean users.auth.php (i.e. usersFile option)? It was actually not part of the derivation so that 1. credentials would not end up in nix store 2. it would be mutable (users could change their passwords).

Ok, I might have misunderstood how types.path works. I was under the impression that the path will automatically be copied to the derivation / package, but this does not seem to be the case.

Generally, I was trying to have as much options as I can immutable, with obvious ones mutable (https://github.com/NixOS/nixpkgs/pull/77830/files#r368233914 (resolved conversation) ).

I made some changes so that the mutable files for usersFile and aclFile will not be automatically created unless specified, which should be identical to how these parameters behaved in your version.

You mean users.auth.php (i.e. usersFile option)? It was actually not part of the derivation so that 1. credentials would not end up in nix store 2. it would be mutable (users could change their passwords).

Ok, I might have misunderstood how types.path works. I was under the impression that the path will automatically be copied to the derivation / package, but this does not seem to be the case.

Generally, I was trying to have as much options as I can immutable, with obvious ones mutable (https://github.com/NixOS/nixpkgs/pull/77830/files#r368233914 (resolved conversation) ).

I made some changes so that the mutable files for usersFile and aclFile will not be automatically created unless specified, which should be identical to how these parameters behaved in your version.

Oh, I actually meant to say that I think your approach is correct (much better than mine, for that matter) as these files stay outside of /nix/store (in datadir) and they don't need to be created by hand. I'm sorry I didn't make myself clear!!! I think you're right the whole time, or am I missing something? :)))

Oh, I actually meant to say that I think your approach is correct (much better than mine, for that matter) as these files stay outside of /nix/store (in datadir) and they don't need to be created by hand. I'm sorry I didn't make myself clear!!! I think you're right the whole time, or am I missing something? :)))

Thanks, but there might be two aspects here:

1. private data is not stored in the nix store
2. the configuration is valid (the paths for usersFile and aclFile exist)

1. With your approach usersFile and aclFile already were outside of /nix/store if specified, so everything should be fine. Otherwise they would be immutable, so no private data would end up in the nix store. Unless you consider the contents of acl to be private, hence the added warning in the description.

2. Since usersFile and aclFile are both types.path, they are checked at configuratio time and if they don't exists, nixos-reconfigure fails, which is good. So no problem here either. The same would happen with the changes I made (still types.path).

I think the best would be to not create them, if usersFile or aclFile was not specified, but make them both types.str, so building the configuration does not fail, but the files are created if they don't exist at service startup.

I think the best would be to not create them, if usersFile or aclFile was not specified, but make them both types.str, so building the configuration does not fail, but the files are created if they don't exist at service startup.

On the other hand: If the file can't be created or has the wrong permissions, the service will fail at startup, which makes this kind-of dependent on the system and not 100% reproducible. I think the wireguard module does a similar thing with types.str and the private key.

I think the best would be to not create them, if usersFile or aclFile was not specified, but make them both types.str, so building the configuration does not fail, but the files are created if they don't exist at service startup.

On the other hand: If the file can't be created or has the wrong permissions, the service will fail at startup, which makes this kind-of dependent on the system and not 100% reproducible. I think the wireguard module does a similar thing with types.str and the private key.

Sure, but what about leaving default value of usersFile and aclFile set to datadir, i.e. /var/lib/dokuwiki/${name} ant not null (as you had in previous commits)? Would that hurt anything? I think it's quite neat that it kind of works right out of the box, but the user can still change it if needed.

I think the best would be to not create them, if usersFile or aclFile was not specified, but make them both types.str, so building the configuration does not fail, but the files are created if they don't exist at service startup.

On the other hand: If the file can't be created or has the wrong permissions, the service will fail at startup, which makes this kind-of dependent on the system and not 100% reproducible. I think the wireguard module does a similar thing with types.str and the private key.

Sure, but what about leaving default value of usersFile and aclFile set to datadir, i.e. /var/lib/dokuwiki/${name} ant not null (as you had in previous commits)? Would that hurt anything? I think it's quite neat that it kind of works right out of the box, but the user can still change it if needed.

I thought about it, but that would mean creating aclFile even if acl is used. So changes to aclFile would not affect anything. Same if aclUse is false, there would still be a usersFile.

I think the best would be to not create them, if usersFile or aclFile was not specified, but make them both types.str, so building the configuration does not fail, but the files are created if they don't exist at service startup.

On the other hand: If the file can't be created or has the wrong permissions, the service will fail at startup, which makes this kind-of dependent on the system and not 100% reproducible. I think the wireguard module does a similar thing with types.str and the private key.

Sure, but what about leaving default value of usersFile and aclFile set to datadir, i.e. /var/lib/dokuwiki/${name} ant not null (as you had in previous commits)? Would that hurt anything? I think it's quite neat that it kind of works right out of the box, but the user can still change it if needed.

I thought about it, but that would mean creating aclFile even if acl is used. So changes to aclFile would not affect anything. Same if aclUse is false, there would still be a usersFile.

Ok, let's leave it be, it's just a minor nitpicking anyway.

Now aclUse = true; should be enough to create users.auth.php and acl.auth.php in the default locations.

@GrahamcOfBorg test dokuwiki

Rebased changes onto master and squashed fixup commits.

Rebased changes onto master and squashed fixup commits.

Oh, and you managed to find a way to access config values, great job! I'll test and review it again.

@GrahamcOfBorg test dokuwiki

@mmahut could you please help us check and merge if everything's fine by you?