Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

openvpn: document how to import an external config #43676

Merged
merged 1 commit into from Jul 20, 2018
Merged

openvpn: document how to import an external config #43676

merged 1 commit into from Jul 20, 2018

Conversation

erikarvstedt
Copy link
Member

@erikarvstedt erikarvstedt commented Jul 17, 2018
edited

Rationale

  1. Increases ease of use when the config is already present as a file, which is a common case:
    configFile = ./foo.ovpn
    versus
    config = builtins.readFile ./foo.ovpn

  2. Practical for building mutable services that allow changing the config without rebuilding NixOS:
    configFile = "/etc/my-mutable.ovpn"

Things done

@erikarvstedt erikarvstedt force-pushed the openvpn-config-file branch 2 times, most recently from 5fb09b3 to 60f7345 Compare July 17, 2018 18:29
@srhb
Copy link
Contributor

srhb commented Jul 20, 2018

I don't think this is a good idea.

  1. The user could, and should specify config = "config /path/to/ovpn" as is.

  2. Interpolating configFile as a path will mean that it gets imported to the store, rather silently even, and render any secrets within world-readable on the system. (Provide options for storing secrets outside the Nix store #24288)

(2) could be fixed by liberally applying toString to ensure that this doesn't happen, but then we're back to essentially method (1) anyway. I think this could be better fixed by simply documenting the use of config = " config ..." as it's a common pattern anyway. What do you think?

@erikarvstedt
Copy link
Member Author

Thanks, Sarah, your points make absolute sense!
I created this PR after porting some some old custom vpn code and was so mentally fixated on my own implementation that I didn't notice (1).

I've created a commit that documents the use of config .... If it looks good to you, I'll squash the old obsolete commits.

@erikarvstedt erikarvstedt changed the title openvpn: add option 'configFile' openvpn: document how to import an external config Jul 20, 2018
@srhb
Copy link
Contributor

srhb commented Jul 20, 2018

@erikarvstedt Looks perfect to me, go ahead and squash, and thank you. :)

(Side note: Glad to see another Copenhagener here!)

@erikarvstedt
Copy link
Member Author

Done.

Thanks again, neighbour 😉

@srhb srhb merged commit 8c98c7f into NixOS:master Jul 20, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@erikarvstedt @srhb @GrahamcOfBorg