Passopolis password manager service #25907
Conversation
disassembler
force-pushed
the
passopolis-server
branch
from
5920ef4
to
251a555
Compare
|
|
||
| db_url = mkOption { | ||
| default = "jdbc:postgresql://localhost:5432/passopolis"; | ||
| description = "Database URL"; |
There was a problem hiding this comment.
Would not
type = types.str;
be applicable here?
nixos/modules/misc/ids.nix
Outdated
| @@ -294,6 +294,7 @@ | |||
| jackett = 276; | |||
| aria2 = 277; | |||
| clickhouse = 278; | |||
| passopolis = 279; | |||
There was a problem hiding this comment.
As it seems to not to persist data to disk, it does not require a fixed uid. If that's the case, just remove this line. The uid will be then allocated dynamically.
| }; | ||
|
|
||
| db_url = mkOption { | ||
| default = "jdbc:postgresql://localhost:5432/passopolis"; |
There was a problem hiding this comment.
If this url contains database passwords, it would be better if the url can be also stored outside of nix store in a file.
There was a problem hiding this comment.
From what I can tell, the app doesn't support authenticated database url's at this time. I'm not a java programmer, so I could be wrong. Where would you persist the credentials if it could potentially contain user/password?
There was a problem hiding this comment.
According to that url https://www.petefreitag.com/articles/jdbc_urls/ the underlying library can.
I would then look similar to this example: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/gogs.nix#L116
There was a problem hiding this comment.
The only way according the the team developing it to set that db_url is as a runtime parameter (there's no app.properties or anything yet to store parameters), so if someone launches the app and has credentials in the db_url, anyone on the system can run a ps and see those credentials. Once a config system is added for the application, I completely agree that keeping the credentials out of the nix store is the better way to go or better yet encrypting in the store if RFC 0005 gets implemented.
| meta = { | ||
| homepage = "https://github.com/WeAreWizards/passopolis-server"; | ||
| description = "A well-designed, well-functioning and secure secret manager."; | ||
| license = stdenv.lib.licenses.gpl3; |
There was a problem hiding this comment.
Do you want to maintain this package?
There was a problem hiding this comment.
Yes I would. Should I squash the commit and force push so it's only one commit?
There was a problem hiding this comment.
I can squash that too when merging. Can you add yourself as maintainer then? https://github.com/nixos-users/wiki/wiki/Get-Involved#becoming-a-nixpkgs-maintainer
pkgs/servers/passopolis/default.nix
Outdated
| url = "https://github.com/WeAreWizards/passopolis-server"; | ||
| sha256 = "0ywmymbjcfsxv1p1j0l0lw9cb7f79h23ic1c4b5w5nb0k9f4zvfq"; | ||
| rev = "${version}"; | ||
| leaveDotGit = true; |
There was a problem hiding this comment.
Will the build fail, if it cannot use git to obtain its commit? Leaving .git can lead to not-reproducible artifacts.
There was a problem hiding this comment.
It won't fail, but it will put garbage in the build.properties file. When running the ant jar command, it generates a build.properties file with the build time, git commit and description.
pkgs/servers/passopolis/default.nix
Outdated
| let | ||
| version = "b827b3a6176e050deb729009676fad7e86e5393a"; | ||
| in antBuild { | ||
| name = "passopolis-${version}"; |
There was a problem hiding this comment.
We usually use passopolis-unstable-<year>-<month>-<day> here as it is more meaningful then a commit hash (where the date is the date of the commit).
disassembler
force-pushed
the
passopolis-server
branch
2 times, most recently
from
133c9a5
to
8b65875
Compare
|
|
||
| services.passopolis = { | ||
|
|
||
| enable = mkOption { |
| { stdenv, antBuild, fetchgit, git, python }: | ||
|
|
||
| let | ||
| version = "unstable-2016-05-07"; |
There was a problem hiding this comment.
I have suggested to add ùnstable because of https://nixos.org/nixpkgs/manual/#sec-package-naming
There was a problem hiding this comment.
If you have a better idea how things should be named, please also update the coding conventions. Otherwise it gets inconsistent across reviews.
disassembler
force-pushed
the
passopolis-server
branch
from
444f50c
to
24d6871
Compare
| config.services.postgresql.package | ||
| ]; | ||
| preStart = '' | ||
| mkdir -p ${cfg.statePath} | ||
| chown ${cfg.user} ${cfg.statePath} | ||
| if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then | ||
| ${lib.optionalString cfg.enablePostgreSQLDatabase '' |
There was a problem hiding this comment.
this makes the intention of the user a little bit more explicit and convenient.
|
It still requires a database password with the default settings: This has to be provided in the database url: https://jdbc.postgresql.org/documentation/80/connect.html |
(does require a password)
|
I'm going to close this out. Hasn't been updated in 2 years. extension no longer builds for me as well. Going to start making the switch to keepassweb |
Motivation for this change
Adds passopolis password manager service
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)