wordpress: replace the dbPassword option with dbPasswordFile

basvandijk · qknight · commit 977b320d5d27 · 2017-05-05T11:03:55.000+02:00
We shouldn't force users to store passwords in the world-readable Nix store.
diff --git a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
@@ -9,7 +9,7 @@ let
     <?php
     define('DB_NAME',     '${config.dbName}');
     define('DB_USER',     '${config.dbUser}');
-    define('DB_PASSWORD', '${config.dbPassword}');
+    define('DB_PASSWORD', file_get_contents('${config.dbPasswordFile}'));
     define('DB_HOST',     '${config.dbHost}');
     define('DB_CHARSET',  'utf8');
     $table_prefix  = '${config.tablePrefix}';
@@ -137,9 +137,34 @@ in
     };
     dbPassword = mkOption {
       default = "wordpress";
-      description = "The mysql password to the respective dbUser.";
+      description = ''
+        The mysql password to the respective dbUser.
+
+        Warning: this password is stored in the world-readable Nix store. It's
+        recommended to use the $dbPasswordFile option since that gives you control over
+        the security of the password. $dbPasswordFile also takes precedence over $dbPassword.
+      '';
       example = "wordpress";
     };
+    dbPasswordFile = mkOption {
+      type = types.str;
+      default = toString (pkgs.writeTextFile {
+        name = "wordpress-dbpassword";
+        text = config.dbPassword;
+      });
+      example = "/run/keys/wordpress-dbpassword";
+      description = ''
+        Path to a file that contains the mysql password to the respective dbUser.
+        The file should be readable by the user: config.services.httpd.user.
+
+        $dbPasswordFile takes precedence over the $dbPassword option.
+
+        This defaults to a file in the world-readable Nix store that contains the value
+        of the $dbPassword option. It's recommended to override this with a path not in
+        the Nix store. Tip: use nixops key management:
+        <link xlink:href='https://nixos.org/nixops/manual/#idm140737318306400'/>
+      '';
+    };
     tablePrefix = mkOption {
       default = "wp_";
       description = ''
@@ -251,7 +276,7 @@ in
         sleep 1
       done
       ${pkgs.mysql}/bin/mysql -e 'CREATE DATABASE ${config.dbName};'
-      ${pkgs.mysql}/bin/mysql -e 'GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY "${config.dbPassword}";'
+      ${pkgs.mysql}/bin/mysql -e "GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY \"$(cat ${config.dbPasswordFile})\";"
     else
       echo "Good, no need to do anything database related."
     fi
